Information System Banker

The document outlines the syllabus for the Certificate Examination in Information System Banking, covering topics such as banking technology, security controls, business continuity, and the role of IT in the Indian banking sector. It emphasizes the importance of Core Banking Solutions (CBS) for enhancing customer service and operational efficiency in banks. Additionally, it discusses trends in information technology, including outsourcing, integration, and the evolving role of IT as a profit center in banking.

Uploaded by

Abhishek Anand
IIBF Adda

Certificate Examination in Information System Banker (IIBF & Other Exams)

SYLLABUS

a) Technology in Banks
i) Banking Environment and Technology.
ii) Overview of Processing Infrastructure.
iii) Accounting Information System.
iv) Information Organisation and Management.
v) Risk associated with Technology Banking.
vi) Audit Function and Technology.

b) Technology - System, Development, Process, Implementation
i) Hardware Architecture.
ii) Software platforms - System design, development and maintenance.
iii) SDLC (Software Development Life Cycle).
iv) Networking.

c) Security and Controls, Standards in Banking
i) Security - Overview of security, Architecture, Policy, Procedure, Implementation, Monitoring.
ii) Controls - Physical Controls, IT controls, Application controls, Resources and Tools.
iii) Standards - ISO, CMM, COBIT, RBI guidelines.

d) Continuity of Business
i) Difference between CoB, BCP and DRP.
ii) CoB Plan, policy and procedures.
iii) Risk Management and Impact Analysis.
iv) Testing and implementation of CoB, BCP and DRP.

e) Overview of legal framework
i) IT Act, Intellectual Property Rights, Copyright.

f) Security policies, procedures and controls
i) Management Control Framework.
ii) Development and review of security policies and controls standards.
iii) Compliance and incident handling.
iv) Network security.
v) Security implemented by operating systems and databases, hardware and software.
vi) Network components.

g) IS Review - Methodology and Approach
i) IS Audit as review of the IS management function.
ii) Review of Human Resources Management Function, Technology Management Function, Data Management Function, Application Management Function, Facilities Management Function.
iii) Audit Standards.
iv) Audit Organisation and Management.
v) Audit in computerised environment.
vi) Risk based audit.
vii) Substantive and compliance review.
Use of CAATs (Computer Assisted Audit Techniques) - use of general audit software.


Role of Information Technology in Indian Banking Sector

Core Banking Solution (CBS)

Core Banking Solution (CBS) is the networking of bank branches, which allows customers to manage their accounts and use various banking facilities from any part of the world. In simple terms, there is no need to visit your own branch to do banking transactions; you can do them from any location, at any time, and use banking services from any branch of the bank that is on the CBS network, regardless of the branch at which you opened your account. For a bank which implements CBS, the customer becomes the bank's customer instead of the customer of a particular branch.

Execution of the core banking system across all branches helps to speed up most of the common transactions between bank and customer. In core banking, all branches access the banking applications from a centralized server hosted in a secured data centre. The banking software performs the basic operations such as recording transactions, maintaining balances across withdrawals and payments, and calculating interest on deposits and loans. Because the applications are deployed on the central server and reached over the network from every branch, the security of that network link and of the data centre is what the entire branch network depends on.

Need for Core Banking Technology

Nowadays, the use of Information Technology (IT) is a must for the survival and growth of any organization, and the same applies to the banking industry. By using IT, banks can minimize operating cost and can offer products and services to customers at competitive rates.

CBS is required:

To meet dynamically changing market and customer needs.

To improve and simplify banking processes so that bank staff can focus on sales and marketing.

For the convenience of customer as well as bank.

To speed up banking transactions.

To expand presence in rural and remote areas.

The basic elements of CBS that help customers are:

Internet Banking

Mobile Banking

ATM

POS and kiosk systems

Fund transfers: NEFT, RTGS, IMPS etc.

Benefits of Core Banking

Core banking solutions are beneficial to banks as well as customers.

A. Benefits for Customers

Quicker service at the bank counters for routine transactions like cash deposits, withdrawals, passbooks, statements of account, demand drafts etc.

Anywhere banking, by eliminating branch-bound banking.

Provision of banking services 24 x 7.

Fast payment processing through Internet banking and mobile banking.

Anytime, anywhere banking through ATMs.

All branches access applications from the central servers/data centre, so a deposit made in any branch reflects immediately and the customer can withdraw money from any other branch throughout the world.

CBS is very helpful to people living in rural areas. Farmers can receive e-payments towards subsidies etc. directly in their accounts, and transfer of funds between cities and villages is done easily.

B. Benefits for Banks

Process standardization within the bank and its branches.

Retention of customers through better customer service.

Accuracy in transactions and minimization of errors.

Improved management of documentation and records: centralized databases allow quick gathering of data and generation of MIS reports.

Ease in submission of various reports to the Government and regulatory bodies like RBI.

Convenience in opening accounts, processing cash, servicing loans, calculating interest and implementing changes in policy, such as changes in interest rates.

To cope with the growing needs of customers, RRBs and co-operative banks needed to implement core banking solutions. To face the challenges of a dynamic market, UCBs needed to take the help of IT in their operations. Considering the importance of the matter, the Reserve Bank of India (RBI) mandated a deadline for Urban Co-operative Banks (UCBs), advising them to implement core banking solutions (CBS) by December 31, 2013, a deadline which has been met by all RRBs and UCBs.

Introduction

With globalization the world over, it is difficult for any nation, big or small, developed or developing, to remain isolated from what is happening around it. For a country like India, one of the most promising emerging markets, such isolation is nearly impossible. In information technology in particular, where India has a definite edge over its competitors, staying apart from world trends is untenable. The financial sector in general, and the banking industry in particular, is the largest spender on, and beneficiary of, information technology. This article relates the international trends in IT to the Indian banking industry. The levels of computerization in Indian banks vary widely; at the top end are possibly all the foreign banks and the newly established private sector banks, which have fully computerized their operations. Given these variations, it is useful to take account of international IT trends and to see the comparative position of Indian banks. The article starts with how banks perceive IT when they take up IT upgradation, and then discusses the trends in the IT sector to see their relevance to the status of Indian banks.

IT Considerations

Since the early nineties, each Indian bank has made some IT improvement effort. The first and foremost compulsion is fierce competition. While deciding on the required IT architecture, consideration is given to the following realities.

(1.) Meeting Internal Requirements: The requirements of banks differ individually, depending on the nature and volume of business, focus on a particular segment, spread of branches and the like. Many a time banks do have the required information, but it is scattered. The operating units seldom know the purpose for which higher authorities gather the information.

(2.) Effectiveness in Data Handling: As stated earlier, banks have most of the needed data, but it is distributed. Further, the cost of collecting the data and putting it to use is prohibitively high. Accuracy and timeliness of data generation become the casualties in the process. The best of intentions on computerization are wished away when there is no visible reduction in the cost, effort or time required for the data gathering.
(3.) Extending Customer Services: Addressing rising customer expectations is significant, particularly against the background of increased competition. If bank A is unable to provide the required service at a competitive price, accurately and with speed, there is always a bank B next door waiting to win over the customer. Customer awareness of the services available, their pricing and the options open to them has brought the issue of customer satisfaction into sharp focus.

(4.) Creative Support for New Product Development: It has become necessary for banks to vitalize the product development process. Marketing functionaries need a lot of information, not only from outside sources but also from within the bank. Banks look to the retail segment as the future marketplace for their sales efforts, and full information about existing customers is the key for this purpose. The emerging data requirements, and an appropriate architecture to support them, are significant issues to be handled in this regard.

(5.) End-user Development of Non-technical Staff: Banking being a service industry, it is the staff at the counters who deliver the products. In the Indian scenario, virtual banking is likely to take a few more years to establish itself, so dependence on counter staff is unavoidable. The staff are large in number and the majority are non-technical. Customer satisfaction at the counter determines the ultimate benefit of the IT offensive, and giving due consideration to this aspect when choosing an architecture is necessary.

Trends in Information Technology

Certain trends in information technology have been visible in the banking sector all over the world.

(1.) Outsourcing:
Outsourcing is one of the most talked about, and also controversial, issues. The drivers for getting into outsourcing are many: gaps between IT expectations and reality, demystification of computerization in general and IT in particular, the trend towards focusing on core competencies, increased legitimacy of outsourcing, and the wish to be rid of the worries of upgrading hardware and software versions. The practice is not new; earlier it was referred to as 'buying time' or using a 'service bureau'. What is needed is a clear objective for outsourcing, along with a definite plan to be more competitive after outsourcing. It is necessary to have checks and balances to monitor vendor performance. Cost aspects merit consideration, and the decision on which part of the process to outsource is significant. An exit route, and recourse in the event of failure after outsourcing, are the other issues to be looked into. Notwithstanding these risks, outsourcing has come to stay.

(2.) Integration: One IT trend is the move from hierarchy to a team approach. The purpose is to find an alternative to retooling, to react speedily, and to develop capabilities rather than merely exploit them. Such integration is necessary to address the prevalent situations where:
(a) functions need data and do not get it from others;
(b) data is sent to those who do not want or require it;
(c) global data exists but does not travel to the business functions that require it.
Indian banks seem to follow this trend through organizational redesign. Instead of vertically divided, pyramid-type organizational set-ups, banks are now beginning to have separate groups such as finance, international and consumer banking, industrial and commercial credit, and so on.

(3.) From Solo to Partnership: With the development of IT, two things are taking place simultaneously: the workforce as a percentage of total staff is going down, and spending on IT as a percentage of total spending is going up. The forms of partnership can include binding customers by superior service, accommodation in service-sharing networks, equal partnership, and situations where survival is threatened. At times the partnership becomes necessary to get out of areas where there is no competitive advantage. Low development cost or wider geographical coverage are the aspects that create such partnerships. Instances of joint ventures with IT vendors are not frequent.

(4.) Distinctive Edge: It is always said that many use IT but few make use of it. Historically the emphasis was on using IT for large volumes: payrolls, balancing the books, consolidation and so on. The realization that IT can be a matter of competitive edge has come about only lately. Customer service is not an easy thing to provide, but IT is used as a means to it; it adds value and creates barriers to entry for competitors. Banks understand that the cost of cultivating a new customer is 5 to 6 times that of retaining an old one, and customers normally switch banks because of poor service. Appreciation of these facts has compelled banks the world over to look upon IT as an instrument to create a distinctive edge over competitors. The private sector banks established in the 1990s as part of the financial sector reforms did make good use of IT to gain an edge over the others, and the foreign banks operating in India have also been able to market IT superiority as a distinctive edge. The public sector banks are still to make use of IT in this regard, although they are blessed with a huge information base all across the country. While steps are mooted in this direction by leading public sector banks, more offensive postures are necessary.
(5.) IT as Profit Centre: In the embryonic phase, IT was looked upon as a means to get rid of high processing cost and time, and to convert high-volume, low-complexity manual operations into mechanical ones. With the evolution of the process, it was seen as the best means of generating MIS, and the same approach then gave IT the status of a decision support system (DSS). All along, IT has been recognized as a service function in Indian banks. The new trend that is emerging, however, is to consider IT as a profit centre. Cost-benefit analysis of having IT or not is one part; having the IT set-up generate income for the organization is the new beginning. Taking in data-processing jobs from outside the bank, and the like, is the current trend: the outsourcing done by others is the business catered to by these organizations. A trend of this kind is not yet observed in the Indian situation, particularly in banks, which have been able to just manage what they consider to be their own responsibility as far as IT is concerned.

(6.) Prospering in a Down Market: The trend suggests that when there is a downturn in the marketplace, proactive corporations take advantage of the available unutilized resources to upgrade and revisit technology issues. This is seen as the right time to establish an R & D centre for IT. There are false notions about technology and its capability. Some misconceptions are:

The best-fit technology is always implemented.

A system solution is good enough and there is no need to look into user expectations.

Innovations are generally successful.

Success is related only to novel ideas.

Technology is the sole determinant of business success, and

Measures and standards, i.e. audit and inspection issues, stand in the way of innovation.

The time available to debate such issues is ample, and these false notions get clarified during a down market. Eventually the decision makers reach a consensus that IT is not a panacea but an enabler, and only when well supported by BPR (Business Process Re-engineering), human resources initiatives, physical infrastructure and a responsive organizational set-up.

(7.) Leading to Downsizing: The IT initiative is making the organization lean and flat. For IT functionaries, downsizing means transferring computing power from the mainframe to personal computers and workstations. Downsizing is a typical issue with associated problems. Absence of top management commitment, lack of understanding of the prevalent IT infrastructure, doing too much too fast, and undertaking the exercise without a framework for controlling the downsizing operations are the main situations that create adversity in downsizing. In any case, the trend of downsizing is very much present in the IT environment.

(8.) Getting Competitive Intelligence: IT is now seen as a resource for gathering and disseminating executive information (EIS). The purpose is to minimize information bombardment and to focus on relevance, accuracy and timeliness, particularly for information about competitors. Such information enhances follow-up and provides early warning on competitor moves and on customer expectations.
As far as Indian banks are concerned, each has to compete with other participants in the banking industry as well as with other players in the financial sector. Competition from insurance, government bonds and savings schemes, mutual funds and the like is always forthcoming, particularly because of the attendant tax benefits. Collecting the required information and using it for business purposes is constrained by the availability of the information, its volume and its diversity. As such, it may take some time for this trend to become visible in the Indian banking scenario.

Recent Developments in the Banking Sector

(1.) Internet: The Internet is a network of computers over which messages can be sent and received anywhere in the world, almost instantaneously. It can do many jobs for us, including the following:

It can work as an electronic mailing system.

It gives access to distant databases, which may be, for example, a newspaper of a foreign country.

We can exchange ideas over the Internet and make contact with anyone who is connected to it.

On the Internet we can exchange letters, figures and diagrams, and music recordings.

The Internet is a fast-developing network and is of utmost importance for public sector undertakings, educational institutions, research organizations and so on.

(2.) Society for Worldwide Interbank Financial Telecommunication (SWIFT): SWIFT was formed as a co-operative society in May 1973, with 239 participating banks from 15 countries and its headquarters at Brussels. It started functioning in May 1977. RBI and 27 other public sector banks, as well as 8 foreign banks in India, have obtained membership of SWIFT. SWIFT provides a rapid, secure, reliable and cost-effective mode of transmitting financial messages worldwide. At present more than 3000 banks are members of the network. To cater to the growth in messages, SWIFT was upgraded in the 1980s, and this version is called SWIFT II; banks in India are hooked to the SWIFT II system. SWIFT is a sophisticated message transmission method of international repute, and a highly cost-effective, reliable and safe means of fund transfer.
This network also facilitates the transfer of messages relating to fixed deposits, interest payments, debit and credit statements, foreign exchange and so on.

This service is available throughout the year, 24 hours a day.

The system ensures against any loss or mutilation of messages in transmission.

It serves almost all financial institutions and a selected range of other users.

It is clear from the above benefits that SWIFT is very useful in providing effective customer service. SWIFT has extended its range to users such as brokers, trusts and other agents.

(3.) Automated Teller Machine (ATM): An ATM is an electronic machine operated by the customer himself to make deposits, withdrawals and other financial transactions. It is a step forward in customer service, and the facility is available to the customer 24 hours a day. The customer is issued an ATM card, a plastic card bearing the customer's name; the card is magnetically coded and can be read by the machine. Each cardholder is provided with a secret personal identification number (PIN).
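The card-and-PIN withdrawal flow described in this ATM section, written out as a small Python model. This is an added example, not code from the study material or from any bank's ATM software, and it simplifies: a real ATM never sees the PIN in the clear on the host side (the PIN is encrypted at the keypad and verified inside a hardware security module), so here the host-side PIN check is modelled as a salted PBKDF2 hash. The account store, the three-attempt card retention limit and the note denomination are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumptions for this illustration (not from the study material):
# three wrong PINs retain the card, and the ATM dispenses only whole notes.
MAX_PIN_ATTEMPTS = 3
NOTE_DENOMINATION = 100
PBKDF2_ROUNDS = 50_000


@dataclass
class Account:
    balance: int          # in rupees; integers avoid floating-point rounding
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    card_retained: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash; stands in for the HSM-side PIN verification of a real ATM."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enrol(pin: str, opening_balance: int) -> Account:
    """Issue a card: store a fresh salt and the PIN hash, never the PIN itself."""
    salt = os.urandom(16)
    return Account(opening_balance, salt, hash_pin(pin, salt))


def verify_pin(acct: Account, pin: str) -> bool:
    """Constant-time comparison plus an attempt counter that retains the card."""
    if acct.card_retained:
        return False
    if hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash):
        acct.failed_attempts = 0      # a good PIN resets the counter
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_PIN_ATTEMPTS:
        acct.card_retained = True     # the machine keeps the card
    return False


def withdraw(acct: Account, pin: str, amount: int) -> str:
    """The sequence the text describes: card read, PIN, amount, balance check, cash."""
    if acct.card_retained:
        return "CARD_RETAINED"
    if not verify_pin(acct, pin):
        # distinguish "try again" from "card kept" so the customer is told the truth
        return "CARD_RETAINED" if acct.card_retained else "PIN_REJECTED"
    # the amount is only accepted after authentication, never before
    if amount <= 0 or amount % NOTE_DENOMINATION != 0:
        return "INVALID_AMOUNT"
    if amount > acct.balance:
        return "INSUFFICIENT_FUNDS"
    acct.balance -= amount            # debit before the cash leaves the machine
    return "CASH_DISPENSED"


if __name__ == "__main__":
    acct = enrol("4321", 5000)        # constructed sample account
    print(withdraw(acct, "4321", 1000), acct.balance)   # CASH_DISPENSED 4000
    for _ in range(3):
        print(withdraw(acct, "0000", 100))               # PIN_REJECTED, PIN_REJECTED, CARD_RETAINED
    print(withdraw(acct, "4321", 100))                   # CARD_RETAINED
```

The two checks a practitioner looks for are both present: the PIN comparison is constant-time and rate-limited by the attempt counter, and the machine asks for an amount only after authentication, so a card on its own cannot be used to probe an account's balance.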
When the customer wants to use the card, he inserts it in the slot of the machine. After the card is recognized by the machine, the customer enters his personal identification number. Only after the customer is authenticated does the ATM allow him to enter the amount to be withdrawn. After processing the transaction and finding sufficient balance in the account, the output slot of the ATM dispenses the required cash. When the transaction is complete, the ATM ejects the customer's card.

(4.) Cash Dispensers: Cash withdrawal is the basic service rendered by bank branches, where the cash payment is made by a cashier or teller; the cash dispenser is a time-saving alternative. Operations by this machine are cheaper than manual operations, and the machine is cheaper and faster than an ATM. The customer is provided with a magnetically coated plastic card, and after completing the formalities the machine allows the transaction for the required amount.

(5.) Electronic Clearing Service: In 1994, RBI appointed a committee to review mechanization in the banks and also to review the electronic clearing service. The committee recommended in its report that an Electronic Clearing Service (Credit Clearing) facility should be made available to all corporate bodies and Government institutions for making repetitive low-value payments such as dividend, interest, refunds, salary, pension or commission. It also recommended that an Electronic Clearing Service (Debit Clearing) be introduced for pre-authorized debits for payment of utility bills, insurance premiums and instalments to leasing and financing companies. RBI took the necessary steps to introduce these schemes, initially in Chennai, Mumbai, Calcutta and New Delhi.

(6.) BANKNET: BANKNET is the first national-level network in India, commissioned in February 1991. It is a communication network established by RBI on the basis of the recommendations of the committee appointed by it under the chairmanship of Executive Director T.N.A. Iyer. BANKNET has two phases: BANKNET-I and BANKNET-II.

Areas of Operation and Application of BANKNET:

Messages of banking transactions can be transferred in coded form from one city to another.

Quick settlement of transactions and advices.

Improvement in customer service: withdrawal of funds is possible from any member branch.

Easy transfer of data and other statements to RBI.

Useful in foreign exchange dealings.

Access to SWIFT through BANKNET is easily possible.

(7.) Chip Card: The customer of the bank is provided with a special type of credit card which bears the customer's name, code and so on. The credit amount in the customer's account is written on the card magnetically, and the machine reads these magnetic spots. When the customer uses the card, the credit amount written on it decreases. After a number of uses the balance on the card becomes nil, and at that point the card is of no use until the customer deposits cash in his account; the credit amount is then written on the card again by magnetic means.

(8.) Phone Banking: The customer dials the bank's designated telephone number and, by keying in his ID number, is connected to the bank's designated computer. The software in the bank's system interacts with the caller, asking him to dial the code number of the service required and answering suitably. By using an automated voice response (AVR) system for simple queries and transactions and manned phone terminals for complicated ones, the customer can actually do all non-cash banking on the telephone: anywhere, anytime.

(9.) Tele-banking: Tele-banking is another innovation which provides 24-hour banking to the customer. It is based on the voice processing facility available on bank computers. The caller, usually a customer, calls the bank at any time and can enquire about the balance in his account or other transaction history. In this system the computers at the bank are connected to a telephone line with the help of a modem, and the voice processing facility is provided in software; the software identifies the caller's request and provides a suitable reply. Some banks also use a telephone answering machine, but this is limited to a few brief functions and is only a telephone answering system, not tele-banking. Tele-banking is becoming popular since queues at ATMs are now becoming too long.
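A stored-value card of the kind described under Chip Card above keeps the balance on the card itself, so whoever can write the magnetic stripe can write a balance. This added example (not from the study material or any card scheme) shows the minimum a practitioner would expect of such a design: the issuer binds card number, balance and a write counter under an HMAC before writing, and the terminal refuses any record whose MAC does not verify. The stripe layout, field separator, issuer key and sample card are assumptions for illustration.

```python
import hashlib
import hmac

# Assumption: the issuer key lives in the issuer's HSM, not on terminals; a
# fixed byte string is used here only so the example runs offline.
ISSUER_KEY = b"example-issuer-key-not-for-production"
MAC_HEX_LEN = 32          # 128-bit truncated HMAC-SHA256 tag, as hex


def _mac(payload: str) -> str:
    return hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()[:MAC_HEX_LEN]


def write_card(card_id: str, balance: int, seq: int = 0) -> str:
    """Encode one stripe record: card id, balance, write counter, then the MAC over all three."""
    if balance < 0:
        raise ValueError("balance cannot be negative")
    payload = f"{card_id}|{balance}|{seq}"
    return f"{payload}|{_mac(payload)}"


def read_card(stripe: str) -> tuple:
    """Parse and authenticate a stripe record; any edit to a field breaks the MAC."""
    parts = stripe.split("|")
    if len(parts) != 4:
        raise ValueError("malformed stripe record")
    card_id, balance, seq, tag = parts
    payload = f"{card_id}|{balance}|{seq}"
    if not hmac.compare_digest(tag, _mac(payload)):
        raise ValueError("stripe record failed authentication")
    return card_id, int(balance), int(seq)


def spend(stripe: str, amount: int) -> str:
    """Terminal-side decrement: verify, check funds, rewrite with the counter advanced."""
    card_id, balance, seq = read_card(stripe)
    if amount <= 0 or amount > balance:
        raise ValueError("insufficient value on card")
    return write_card(card_id, balance - amount, seq + 1)


def reload(stripe: str, amount: int) -> str:
    """Issuer-side top-up after the customer deposits cash against the account."""
    card_id, balance, seq = read_card(stripe)
    if amount <= 0:
        raise ValueError("reload amount must be positive")
    return write_card(card_id, balance + amount, seq + 1)


def tamper_detected(stripe: str, forged_balance: int) -> bool:
    """Simulate a fraudster rewriting only the balance field on a copied stripe."""
    card_id, _balance, seq, tag = stripe.split("|")
    forged = f"{card_id}|{forged_balance}|{seq}|{tag}"
    try:
        read_card(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    card = write_card("CHIP-0001", 500)       # constructed sample card with 500 units loaded
    card = spend(card, 120)
    print(read_card(card))                     # ('CHIP-0001', 380, 1)
    print(tamper_detected(card, 9999))         # True
```

The MAC stops a forged balance but not a replay: a customer who copies the stripe, spends, then restores the copy has the old balance back. That is why a real chip card keeps the balance in tamper-resistant memory, or the issuer keeps a shadow balance and the write counter on the host and rejects any card whose counter has gone backwards.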
(10.) Internet Banking: Internet banking enables a customer to do banking transactions through the bank's website on the Internet. It is a system of accessing accounts and general information on bank products and services through a computer while sitting in one's office or home; it is also called virtual banking, and is more or less bringing the bank to your computer. In traditional banking one has to approach the branch in person to withdraw cash, deposit a cheque, request a statement of account and so on, but Internet banking has changed the way of banking: one can now operate all these types of transactions from one's computer through the bank's website. Such transactions are encrypted in transit and pass through a multi-layered security architecture at the bank, including firewalls and filters. This protects the confidentiality and integrity of the session between the customer's browser and the bank; it does not by itself protect the customer's own computer or login credentials.

(11.) Mobile Banking: Mobile banking is an extension of Internet banking. The bank, in association with the cellular service providers, offers this service. For this service the mobile phone should be either SMS or WAP enabled. These facilities are available even to customers who have only credit card accounts with the bank.

(12.) Anywhere Banking: With the expansion of technology it is now possible to obtain financial details from the bank from remote locations, and basic transactions can be effected from faraway places. Automated Teller Machines play an important role in providing remote services to customers; withdrawals at other stations have become possible due to inter-station connectivity of ATMs. The Rangarajan committee had also suggested the installation of ATMs at non-branch locations such as airports, hotels and railway stations. Remote banking is being further extended to the customer's office and home.

(13.) Voice Mail: Talking of answering systems, several banks, mainly foreign banks, now offer very advanced touch-tone telephone answering services which route the customer's call directly to the department concerned and allow the customer to leave a message for the concerned desk or department if the person is not available.

Challenges Ahead

Important Business Challenges:
Meeting customer expectations on the service and facilities offered by the bank.

Customer retention.

Managing the spread and sustaining the operating profit.

Retaining the current market share in the industry and improving it.

Competition from other players in the banking industry.

Other Important Operational Challenges:

Frequent changes in the technologies used, focusing on upgrades in hardware and software, attending to the implementation issues and timely roll-out.

Managing technology, security and business risks.

System re-engineering to enable defined and implemented efficient processes, so as to reap the benefits of technology to its fullest potential.

Upgrading the skills of a workforce spread across the country.

With the opening of the economy, deregulation, mergers and acquisitions of banks, implementation of Basel II norms and disinvestment of government holdings in banks, competition is going to increase from new banks and merged entities. This will also open up new opportunities for the introduction of new products and services. A definite trend is emerging towards consolidation of the banking system, sharing of ATM networks and services, tie-ups with insurance companies and with billing organizations such as mobile operators and electricity and telephone companies, and use of the bank for cross-selling of various products and services.

How to meet the challenges? At the corporate level, various initiatives have been taken to meet the challenges, and implementation is in process alongside the upgradation of data centre facilities:

(1.) Centralization of functions:

Inward clearing data uploading and processing.

Cheque book issue.

MIS: on-line monitoring and generation of statements by controlling offices.

Audit from remote locations.

Sending mails and statements of account to customers, and completion of non-mandatory fields in newly opened accounts.

(2.) Single Window System.

(3.) Revised account opening form for capturing complete customer/account data as per CBS requirements.

(4.) Call centre for customers.

(5.) Customer Relationship Management (CRM) application.

(6.) Data Warehousing.

Immediate Focus

To facilitate successful implementation of the above initiatives, intensive efforts are to be undertaken by all of us on the following issues:
Completion of correct MIS details in all accounts and SRMs.

Customer/account data completion and correction.

Customer-ID crystallization.

Aggressive marketing of Internet Banking and Debit Card products to increase the share of transactions through delivery channels.

Skill upgradation and increased awareness of all staff members.

Strict compliance with circulars and guidance available online (CBSINFO) and with messages issued through the scrolling ticker on the login page.
The present slowdown in rollover must be put to full use to take concrete action on these fronts.

Conclusion

Indian public sector banks, which hold around 75% of market share, have taken initiatives in the field of IT. They are moving towards centralized databases and a decentralized decision-making process. They possess manpower of enviable quality, and awareness and appreciation of IT are very much there. What is needed is a 'big push' of the kind given in the post-nationalization period for expansionary activities. IT and India have become synonymous; whether India becomes a destination for outsourcing or a development centre is a matter of debate. As far as the banking industry in India is concerned, although Indian banks may not be as technologically advanced as their counterparts in the developed world, they are following the majority of international trends on the IT front. The strength of Indian banking lies in weathering storms and rising to the expectations from all quarters; catching up with the global trends is a matter of time.

Overview of IT operations

Introduction:

For banks in which information technology (IT) systems are used to manage
information, IT Operations should support processing and storage of information,
such that the required information is available in a timely, reliable, secure and
resilient manner.

IT Operations are a set of specialized organizational capabilities that provide value to customers (internal or external) in the form of IT services. Capabilities take the form of functions and processes for managing services over the technology lifecycle. IT Operations should ensure effectiveness and efficiency in the delivery and support of these services to ensure value for customers.
Scope:

Functions covered as a part of IT Operations are:

IT Service Management

Infrastructure Management

Application Lifecycle Management

IT Operations Risk Framework

The Board, Senior Management:

Roles and Responsibilities:

Bank’s Board of Directors has ultimate responsibility for oversight over effective
functioning of IT operational functions. Senior management should ensure the
implementation of a safe IT Operation environment. Policies and procedures
defined as a part of IT Operations should support bank’s goals and objectives, as
well as statutory requirements.

Functional areas, within the purview of these roles, are:

Core IT Operations

Business Line-specific IT Operations

Any Affiliates-related IT Operations

Business Partners’ Operations (including that of IT support vendors if any)

The Board or Senior Management should take into consideration the risk
associated with existing and planned IT operations and the risk tolerance and then
establish and monitor policies for risk management.

Organisational Structure:
IT Operations include business services that are available to internal or external
customers using IT as a service delivery component–such as mobile or internet
banking. IT Operations include components that are used to support IT Operations:
service desk application, ticketing and event management tools, etc. Banks may
consider including Test and Quality Assurance Environment (besides, Production
Environment) within the scope of IT Operations.

Service Desk: The service desk is the primary point of contact (Single Point of Contact or SPOC) for internal and external customers. Besides handling incidents and problems, it also provides an interface to other IT operation processes, such as Request For Change (RFC), Request Fulfillment, Configuration Management, Service Level Management and Availability Management, etc. It can have the following functions:

Interacting with customers (e-mail, voice or chat): first-line customer liaison

Recording and tracking incidents and problems or requests for change

Keeping customers informed on request status and progress

Making an initial assessment of requests, attempting to resolve them via knowledge management or escalating, based on agreed service levels

Monitoring and escalation procedures relative to the appropriate SLA

Managing the request life-cycle, including closure and verification

Coordinating second-line and third-party support groups

Providing management information for service improvement

Identifying problems

Closing incidents and confirmation with the customer

Contributing to problem identification

Performing user satisfaction surveys


A structure for the Service Desk that allows optimum resource utilization would
include:

Local Service Desk

Central Service Desk

Virtual Service Desk

Follow the Sun i.e. in time zones such that service desk is available for
assistance and recording of incidents round the clock

Specialized Service Desk Groups

IT Operations Management

IT Operations management is a function which is primarily responsible for the day-to-day management and maintenance of an organisation’s IT infrastructure, ensuring service delivery to the agreed level as defined by the Service Level Agreement (SLA).

IT Operations management can have following functions:


Operational Control: Oversees the execution and monitoring of operational activities and events in the IT infrastructure which are within the purview of IT operations. Operational control activities are normally carried out by a Network Operations Centre (NOC) or Operations Bridge. Besides the execution and monitoring of routine tasks, operational control also involves the following activities:

Console Management

Job Scheduling

Backup and Restoration

Print and Output Management

General Maintenance Activities


Facility Management: It refers to management of the physical IT environment of data centres, computer rooms and recovery sites

Operations Management Structure: For all practical reasons, application management and infrastructure management teams should be part of IT operations, as these functions manage and execute operational activities, whereas others delegate these to a dedicated IT operations function.

Application Management:

It involves the handling and management of an application as it goes through its entire life-cycle. The lifecycle encompasses both application development and application management activities. Subactivities that can be defined for application management functions are:

Application Development: It is concerned with activities needed to plan, design and build an application that ultimately is used by a part of the organisation to address a business requirement. This also includes application acquisition, purchase, hosting and provisioning

Application Maintenance/Management: It focuses on activities that are involved with the deployment, operation, support and optimisation of the application

Application Management related functions may include the following:

Managing operational applications, whether vendor developed, off-the-shelf or in-house

It acts as a custodian of technical knowledge and expertise related to managing and supporting applications. It ensures that the technical knowledge and expertise required to design, develop, test, manage and improve IT services are identified, developed and refined. Therefore, it participates in IT operation management

It ensures that appropriate resources are effectively trained and deployed to deliver, build, transit, operate and improve the technology required to manage and support IT services

It defines and executes training programmes

It documents skill sets available within an organisation and skills that need to be developed to manage application management as a function

It defines standards to be adopted when defining new application architecture and involvement in the design and build of new services

It assesses the risk involved in an application architecture

It records feedbacks on availability and capacity management activities

It designs and performs tests for functionality, performance and manageability of IT services

It defines and manages event management tools

It participates in incident, problem, performance, change and release management, and in resource fulfillment

It provides information on the Configuration Management System

Application Management Structure: Though activities to manage applications are generic and consistent across applications, the application management function, for all practical reasons, is not performed by a single department or group. It consists of technical areas as per technical skill sets and expertise. Some of these can be:

Financial application

Infrastructure applications

Messaging and collaborative applications

Web portal or web applications

Contact centre applications

Function-specific applications

Infrastructure Management

It is the function primarily responsible for providing technical expertise and overall management of the IT infrastructure. Its primary objective is to assist in planning, implementing and maintaining a stable technical infrastructure in order to support an organisation’s business processes.
Infrastructure Management can have following functions:

Manage IT infrastructure components for an environment which falls within the purview of IT operations

It acts as a custodian of technical knowledge and expertise related to the management of IT infrastructure. It ensures that the technical knowledge and expertise required to design, develop, test, manage and improve IT services are identified, developed and refined

It ensures appropriate resources are effectively trained and deployed to deliver, build, transit, operate and improve the technology required to deliver and support IT infrastructure

It helps define and execute training programmes


It helps document skill sets available within an organisation and skills needed to
be developed to manage infrastructure management as function

Definition of standards to be adopted when defining new IT architecture and involvement in the design and build of new services

Risk assessment for IT infrastructure architecture

Feedbacks to availability and capacity management activities

Designing and performing tests for functionality, performance and manageability of IT services

Definition and management of event management tools

Participation in incident, problem, performance, change and release management and resource fulfillment

The infrastructure management function should provide information for, or manage, the Configuration Management System

Infrastructure Management Structure: For all practical reasons, the infrastructure management function is not performed by a single department or group; it consists of technical areas as per the technical skill sets and expertise, some of these being:

Mainframe management team


Server management team

Storage management team

Network support team

Desktop support team

Database management team

Middleware management team

Directory services team

Internet team

Messaging team

IP-based telephony team

Components of IT operations framework:

a) Risk Management

Banks should analyse their IT Operation environment, including technology, human resources and implemented processes, to identify threats and vulnerabilities. They should conduct a periodic risk assessment which should identify:

Internal and external risks

Risks associated with individual platforms, systems, or processes, as well as automated processing units

While identifying the risks, a risk assessment process should quantify the probability
of a threat and vulnerability, and the financial consequences of such an event.
Banks should also consider the interdependencies between risk elements, as
threats and vulnerabilities have the potential to quickly compromise inter-connected
and inter-dependent systems and processes.
Banks should implement a cost-effective and risk-focused environment. The risk
control environment should provide guidance, accountability and enforceability,
while mitigating risks.

Risk Categorisation: As a part of risk identification and assessment, banks should identify events or activities that could disrupt operations, or negatively affect the reputation or earnings, and assess compliance to regulatory requirements. Risks identified can be broadly categorised into the following categories:

Strategic Failures: That might include improper implementation, failure of supplier, inappropriate definition of requirements, incompatibility with existing application infrastructure etc. It will also include regulatory compliance

Design Failures: It might include inadequate project management, cost and time overruns, programming errors and data migration failures among others

Transition Failures: It might include inadequate capacity planning, inappropriately defined availability requirements, SLA / OLA / Underpinning contracts not appropriately defined and information security breaches, among others

Risk Mitigation: Once the organisation has identified, analyzed and categorized
the risks, organisation should define following attributes for each risk
component:

Probability of Occurrence;

Financial Impact;

Reputational Impact;

Regulatory Compliance Impact;

Legal Impact.
Besides the above attributes, an organisation should also consider these:

Lost revenues

Loss of market share

Non-compliance of regulatory requirements

Litigation probability

Data recovery expenses

Reconstruction expenses

These, along with the business process involved, should be used to prioritise risk
mitigation actions and control framework.

IT Operations Processes

i) IT Strategy

Processes within IT Strategy provide guidance to identify, select and prioritise services that are aligned to business requirements. IT strategy, as a framework, provides feedback to IT Operations on the services to be supported and their underlying business processes and prioritisation of these services, etc.

A well-defined IT Strategy framework will assist IT Operations in supporting IT services as required by the business and defined in OLA / SLAs.

IT Strategy processes provide guidelines that can be used by the banks to design,
develop, and implement IT Operation not only as an organisational capability but as
a strategic asset.

Financial Management: It provides mechanisms and techniques for IT operations to quantify, in financial terms, the value of the IT services it supports, the value of assets underlying the provisioning of these services, and qualification of operational forecasting. Advantages of implementing the Financial Management process are:

Assists in decision-making

Speed of changes

Service Portfolio Management

Financial compliance and control

Operational control

Value capture and creation

Service Valuation

It is the mechanism that can be considered by banks to quantify services, which are
available to customers (internal or external) and supported by IT operations in
financial terms. It assists IT Operation functions to showcase the involvement of
function in supporting the bank's core business.

Financial Management uses Service Valuation to quantify, in financial terms, the value of IT services supported by IT Operations. It provides a blueprint from which businesses can comprehend what is actually delivered to them from IT. Combined with Service Level Management, Service Valuation is the means to a mutual agreement with businesses regarding what a service is, what its components are, and its cost and worth.

Service Valuation quantifies, in financial terms, the funding sought by a business and IT for services delivered, based on the agreed value of those services. The activity involves identifying a cost baseline for services and then quantifying the perceived value added by the provider’s service assets in order to conclude a final service value.

Service Valuation will have two components, these being:

Provisioning Value: The actual underlying cost of IT related to provisioning a service, including all fulfillment elements, tangible and intangible. Input comes from financial systems and consists of payment of actual resources consumed by IT in the provisioning of services. This cost element includes items such as:

Hardware and software license cost

Annual maintenance fees for hardware and software

Personnel resources used in the support or maintenance of the services

Utilities, data centre or other facilities charge

Taxes, capital or interest charges

Compliance costs

Service Value Potential: Is the value-added component based on a customer’s perception of value from the service, or the expected marginal utility and warranty from using the services in comparison with what is possible using the customer’s own assets.

Portfolio Management

It provides guidelines that can be considered by banks for governing investments in service management across an enterprise and managing them for value. Portfolio management contains information for all existing services, as well as every proposed service, including those in the conceptual phase.

Every service which is a part of the service portfolio should include a business case, which is a model of what a service is expected to achieve. It is the justification for pursuing a course of action to meet stated organisational goals. The business case links back to service strategy and funding. It is the assessment of a service management in terms of potential benefits and the resources and capabilities required to provision and maintain the service. The Portfolio Management framework defined by the banks should highlight controls which are defined to develop an IT Service from the conceptual phase to the go-live phase and then to transition to the production environment. During the development of IT services, the financial impact of the new service on IT Operations should also be ascertained, which will assist IT Operations in Service Validation.

Demand Management

The Demand Management process provides guidelines which can be used by banks to understand the business processes that IT operations supports, to identify, analyse and codify Patterns of Business Activity (PBA) and so provide a sufficient basis for capacity requirements. Analysing and tracking the activity patterns of the business process makes it possible to predict demand for services. It is also possible to predict demand for the underlying service assets that support these services.

Demand Management guidelines should also take into consideration IT Operations’ involvement in the development of a service from the conceptual phase to the go-live phase, so that there is transparency of demand for the new service in IT Operations.

ii) Design

The design phase of the IT operations provides the guidelines and processes,
which can be used by the banks to manage the change in the business landscape.
Components which should be considered when designing a new IT service or
making a change to the existing IT service are:

Business Processes

IT Services

Service-level Agreements

IT Infrastructure

IT Environment

Information Data

Applications

Support Services

Support Teams

Suppliers

Service design: This should not consider components in isolation, but must also
consider the relationship between each of the components and their
dependencies on any other component or service.

Design phase: Provides a set of processes and guidelines that can be used by banks to design IT services, supported by IT operations, that satisfy business objectives, compliance requirements and risk and security requirements. The processes also provide guidelines to identify and manage risks and to design secure and resilient IT services.

Service Catalogue Management

Over the years, banks' IT infrastructure has grown and developed. In order to
establish an accurate IT landscape, it is recommended that an IT Service
Catalogue is defined, produced and maintained. It can be considered as a
repository that provides information on all IT services supported by IT Operations
framework.

The Service Catalogue Management process provides guidelines, used by banks to define and manage the service catalogue, which provides consistent and accurate information on all IT services available to customers (internal or external). It also ensures that the service catalogue is available to users who are approved to access it. It should contain details of all services that are in production, as well as the services that are being prepared for transition. Banks may consider the following attributes for inclusion in the service catalogue:

Definition of Service

Categorization of Service (business application and IT support)

Service Criticality

Disaster Recovery Class

Service-level Agreement Parameters

Service Environment (Production, Testing, Quality Assurance, Staging, etc.)

IT Support Status (Operational and Transaction, etc.)


Configuration Management Group

Incident Management Group

Problem Management Group

Change and Release Management Group

Service Owner

Service-level Manager

Principal Business Activities Details

Interdependency on Configuration Items

Interdependency on Service Portfolio

The service catalogue provides details of services available to customers such as intended use, the business processes they enable and the level and quality of service the customer can expect from each service. Banks can also consider incorporating a “charge back mechanism”, as defined in financial management, into the service catalogue.

A Service catalogue has two aspects:

Business Service Catalogue: It contains details of all IT services delivered to a customer, together with relationships with the business units and business processes that rely on IT services. This is the customer view of the catalogue. The Business Service Catalogue facilitates development of a robust Service Level Management process.

Technical Service Catalogue: It contains details of all IT services delivered to a customer, together with their relationships with supporting and shared services and to configuration items (CIs). A CI can be a service asset or component, or any other item that is under the control of configuration management. Depending on the established configuration strategy, an item may vary widely in complexity, size and type. It can range from entire services or systems to a single software module or a minor software component. (Configuration Items are explained in detail in the “Service Assets and Configuration Management” section of the guidelines.) It facilitates the development of the relationship between services, underlying CIs, SLAs and OLAs, and the support groups which support services throughout their life-cycle.

Service Level Management

This process defines the framework that can be used by banks to plan, co-ordinate, draft, agree, monitor and report service attributes used to measure service quality. Its framework also includes guidelines for ongoing review of service achievements to ensure that the required and cost-justifiable service quality is maintained and improved. Besides current services and SLAs, this management process provides guidelines to ensure that new requirements are captured, and that new or changed services and SLAs are developed to match the business needs and expectations.

The Service Level Management process should be able to meet the following objectives:

Define, document, agree, monitor, measure, report and review the level of IT
services

Ensure specific and quantifiable targets are defined for IT services

Ensure that IT Operations and consumers have clear, unambiguous expectations of the level of services to be delivered

Ensure that pro-active measures to improve the level of service delivered are implemented if cost-justified

While defining the SLM framework for banks, the following aspects should also be considered:

Operational-level agreement to ensure that Operational Level Agreements (OLAs) with other support groups are defined and developed; these OLAs should be in line with the SLAs they support

Underpinning supplier contract to ensure all underpinning supplier contracts with the vendors or suppliers are defined and developed; these contracts should be in line with the SLAs they support
While defining a Service Level Agreement as a part of the Service Level Management framework, the following options can be considered:

Service based SLA: Its structure covers attributes for a single service across an organisation. For instance, SLA for internet banking service

Customer based SLA: The structure covers attributes for all services for a defined set of customers. For instance, SLA for SME customers

Multi-Level SLA: Multi-level SLA structure can be defined as per the organizational hierarchy. For instance, SLA for corporate offices, branches and head offices

Attributes that are included in SLAs should be ones which can effectively be monitored and measured. Attributes which are included in the SLAs can be categorised into operational, response, availability and security attributes. The Service Level Management framework should also define guidelines for reviews of Service Level Agreements, Operational Level Agreements and underpinning contracts to ensure that they are aligned to business needs and strategy. These reviews should ensure that the services covered, and the targets for each, are relevant, and that nothing significant has changed that invalidates the agreement in any way. The Service Level Management framework should also have guidelines defined for logging and management, including escalation, of complaints and compliments.

Capacity Management

The process provides the framework and guidelines that can be adapted by banks to ensure that cost-justifiable IT capacity exists and matches current and future agreed business requirements as identified in the Service Level Agreement.

The Capacity Management process provides guidelines to:

Produce and maintain capacity plan that reflects the current and future business
requirements

Manage service performance so that it meets or exceeds the agreed performance targets

Diagnose and resolve performance and capacity-related incidents and problems

Assess the impact of all changes on the capacity plan and the performance of IT services supported by IT Operations

Ensure that pro-active measures are undertaken to improve the performance of services, whenever it is cost-justifiable.

One of the key activities defined as a part of the capacity management process is to produce and maintain, on an ongoing basis, the capacity plan, which depicts the current level of resource utilization and service performance. Capacity plans can also include forecasting future requirements to support business activities. The process can be subdivided into three:

Business Capacity Management: Defines guidelines for translating business-need plans into requirements for IT services and supporting infrastructure, ensuring that the future business requirements for IT services are quantified, designed, planned and implemented. Inputs for future IT requirements come from the Service Portfolio and Demand Management.

Service Capacity Management: This defines guidelines for management, control and prediction of end-to-end performance and capacity of live and operational IT service usage and workloads. It provides guidelines to ensure that the performance of IT services is monitored and measured.

Component Capacity Management: It defines guidelines to identify and understand the performance, capacity and utilization of each individual component within a technology used to support IT services, including infrastructure, environment, data and applications.
A major difference between the sub-processes is in the data that is monitored and collected. For example, the level of utilization of individual components in the infrastructure (processors, disks and network links) falls under Component Capacity Management, while transaction throughput rates and response times fall under Service Capacity Management, and Business Capacity Management is concerned with data specific to business volumes. Banks adopting the capacity management process should ensure that its framework encompasses all areas of technology (hardware, software, human resources, facilities, etc.).

Availability Management

Availability and reliability of IT services can directly influence customer satisfaction and the reputation of banks. Therefore Availability Management is essential in ensuring that IT delivers the “right level” of service required by the business to satisfy its objectives. The process provides a framework and guidelines that can be adapted by banks to ensure that the level of service availability (for all services) matches or exceeds the current and future requirements, as defined in the Service Level Agreement.

The Availability Management process provides guidelines so that banks can:

Produce and maintain an appropriate up-to-date Availability Plan that reflects the current and future needs of the business

Ensure that service availability achievements meet or exceed agreed targets, by managing services and resources-related availability targets

Assist with diagnosis and resolution of availability-related incidents and problems

Ensure that pro-active measures to improve the availability of services are implemented wherever it is cost justifiable to do so

When implementing Availability Management processes, banks should consider including the following:

All operational services and technology supported by the IT Operations function and for which there is a formal SLA

New services where Service Level Requirement and Agreement have been established

Aspects of IT's services and components that may impact availability, which may include training, skills, process effectiveness, procedures and tools
The Availability Management process has two key elements:

Reactive activities: The reactive aspect of availability management involves monitoring, measuring, analysis and management of events, incidents, problems and changes involving unavailability

Proactive activities: This aspect involves planning, design and improvement of availability

Attributes that can be used by the banks for reporting availability of IT services can be:

Availability: The ability of a service, component or CI to perform the agreed function when required.

                   Agreed Service Time - Downtime
Availability (%) = ------------------------------ x 100
                        Agreed Service Time

Downtime should only be included in the above calculation when it occurs within the “Agreed Service Time”.

Mean Time Between Service Incidents (MTBSI): MTBSI refers to how long a service, component or CI can perform its agreed function without interruption.

          Available time in hours
MTBSI = -------------------------
            Number of breaks

Mean Time Between Failures (MTBF): MTBF refers to how long a service, component or CI can perform its agreed function without reporting a failure.

         Available time in hours - Total downtime in hours
MTBF = ---------------------------------------------------
                       Number of breaks

Mean Time Between Failures (MTBF) is the mean time between the recovery from one incident and the occurrence of the next incident; it is also known as uptime. This metric relates to the reliability of the IT service supported by IT Operations.

Mean Time to Repair (MTTR): MTTR refers to how quickly and effectively a service, component or CI can be restored to normal working after failure.

         Total downtime in hours
MTTR = -------------------------
           Number of breaks

Mean Time to Repair (MTTR) is the average time between the occurrence of a fault and service recovery. It is also known as downtime. This metric relates to the recoverability and serviceability of the IT services supported by IT Operations.
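As an added worked example (not part of the guideline text), the following Python computes the four availability metrics above from a constructed set of outage records. It assumes that “Available time in hours” in the MTBSI and MTBF formulas means the Agreed Service Time, and it counts only the part of each outage that falls inside the agreed service window, as the note on Downtime requires; an outage wholly outside that window is not counted as a break. The service, dates and outages are constructed, and the function names are this example's own.

```python
"""Availability metrics from outage records (added example, constructed data).

Implements Availability (%), MTBSI, MTBF and MTTR as given in the text.
Assumption: "Available time in hours" in the MTBSI/MTBF formulas is taken
to be the Agreed Service Time (AST). Only the part of an outage that
overlaps an AST window counts as downtime, and only outages that touch the
AST count as breaks.
"""
from datetime import datetime


def hours(delta):
    """Length of a timedelta in hours, as a float."""
    return delta.total_seconds() / 3600.0


def overlap_hours(a_start, a_end, b_start, b_end):
    """Hours shared by two intervals; 0.0 when they do not overlap."""
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    return hours(end - start) if end > start else 0.0


def downtime_within_ast(outages, ast_windows):
    """Total downtime (hours) inside the AST and the number of breaks.

    An outage that lies entirely outside the agreed service time adds no
    downtime and is not counted as a break.
    """
    total = 0.0
    breaks = 0
    for o_start, o_end in outages:
        inside = sum(overlap_hours(o_start, o_end, w_start, w_end)
                     for w_start, w_end in ast_windows)
        if inside > 0.0:
            total += inside
            breaks += 1
    return total, breaks


def availability_metrics(outages, ast_windows):
    """Return the four metrics for the given outage and AST records."""
    ast_hours = sum(hours(end - start) for start, end in ast_windows)
    downtime, breaks = downtime_within_ast(outages, ast_windows)
    metrics = {
        "agreed_service_time_h": ast_hours,
        "downtime_h": downtime,
        "breaks": breaks,
        "availability_pct": (ast_hours - downtime) / ast_hours * 100.0,
    }
    # With no breaks the per-break ratios are undefined; report None
    # rather than dividing by zero.
    if breaks == 0:
        metrics.update(mtbsi_h=None, mtbf_h=None, mttr_h=None)
    else:
        metrics.update(
            mtbsi_h=ast_hours / breaks,
            mtbf_h=(ast_hours - downtime) / breaks,
            mttr_h=downtime / breaks,
        )
    return metrics


# Constructed sample data (not real incidents): a hypothetical internet
# banking service with an AST of 06:00-22:00 on each of seven days.
SAMPLE_AST = [
    (datetime(2024, 3, day, 6, 0), datetime(2024, 3, day, 22, 0))
    for day in range(4, 11)
]
SAMPLE_OUTAGES = [
    (datetime(2024, 3, 5, 9, 30), datetime(2024, 3, 5, 10, 30)),  # 1 h, inside AST
    (datetime(2024, 3, 6, 21, 0), datetime(2024, 3, 6, 23, 0)),   # 1 h inside, 1 h after AST
    (datetime(2024, 3, 7, 2, 0), datetime(2024, 3, 7, 4, 0)),     # wholly outside AST
]

if __name__ == "__main__":
    for name, value in availability_metrics(SAMPLE_OUTAGES, SAMPLE_AST).items():
        print(f"{name:>22}: {value}")
```

For the constructed week the agreed service time is 112 hours, two of the three outages touch it for one hour each, and the metrics come out as availability 98.21 %, MTBSI 56 h, MTBF 55 h and MTTR 1 h; the overnight outage changes none of them, which is exactly the effect of the “within the Agreed Service Time” rule.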
Vital Business Functions

When defining availability targets for a business service, banks should consider
identifying Vital Business Function (VBF). VBF represents critical business
elements of a process supported by IT services. For example, an ATM will have
following business functions:

Cash dispensing

Reconciliation with the relevant account

Statement printing.
Out of these three, cash dispensing and reconciliation should be considered as vital
business functions, influencing the availability design and associated costs.

Supplier Management

Complex business demands require extensive skills and capabilities from IT to support business processes; therefore collaboration with service providers and value networks is an integral part of the end-to-end business solution. The Supplier Management process provides a framework and guidelines that can be used by banks to manage relationships with vendors, suppliers and contractors. This framework ensures that suppliers and the services they provide are managed to support IT service targets and business expectations. The purpose of this management process is to obtain value for money from suppliers, and to ensure that suppliers perform to the targets contained within contracts and agreements, while conforming to all terms and conditions.

The Supplier Management process provides guidelines which can be used by the
banks to:

• Implement and enforce supplier policies
• Maintain a supplier and contract database
• Categorise suppliers and contracts and assess their risk
• Evaluate and select suppliers and contracts
• Develop, negotiate and agree contracts
• Review, renew and terminate contracts
• Manage suppliers and supplier performance
• Agree and implement service and supplier improvement plans
• Maintain standard contracts, terms and conditions
• Manage contractual dispute resolution
• Manage sub-contracted suppliers


iii) Transition

The transition phase provides frameworks and processes that may be utilised by
banks to:

• Evaluate the service capabilities and risk profile of a new or changed service
before it is released into the production environment
• Evaluate and maintain the integrity of all identified service assets and
configuration items required to support the service

Service Asset and Configuration Management

The Service Asset and Configuration Management process provides a framework and
guidelines that can be used by the banks to manage the service assets and
configuration items that support business services.

The framework provides guidelines to:

• Identify, control, record, audit and verify service assets and configuration
items, including service baselines, version controls, their attributes and
relationships.
• Manage and protect the integrity of service assets and configuration items
through the service lifecycle by ensuring that only authorised assets are used
and only authorised changes are made.
• Ensure the integrity of the configuration items required to support business
services and IT infrastructure by establishing and maintaining an accurate and
complete Configuration Management System.
• Provide accurate information about configuration items to assist the change
and release management processes.

Service asset management manages assets across their lifecycle, from acquisition
through disposal. Implementing a Service Asset and Configuration Management
framework has cost and resource implications, and therefore strategic decisions
need to be made about the priorities to be addressed. For instance, banks can
decide to focus initially on the basic IT assets (hardware and software) and on
the services and assets that are business critical or covered by legal or
regulatory compliance.

Components that can be considered part of Service Asset and Configuration
Management are:

Configuration Items: A configuration item (CI) can be a service asset or
component, or any item that is under the control of configuration management.
Depending on the established configuration strategy, an item may vary widely in
complexity, size and type. It can range from an entire service or system to a
single software module or a minor software component.
If desired, banks can define a hierarchical structure for configuration items.
For instance, a bank can define Core Banking as a configuration item which has
different applications as subordinate configuration items. Each such
configuration item can have modules as subordinate items, which in turn can have
two configuration items, these being hosting and application support. Hosting
can then be further sub-divided into configuration items such as servers,
operating systems, databases and network components.

Configuration Management System: To manage a large and complex IT environment,
banks may consider implementing a supporting system known as a Configuration
Management System (CMS). Besides holding information about configuration items,
their components and the relationships between configuration items, the
Configuration Management System can also be used to correlate services and
configuration items; this kind of snapshot will assist in proactively
identifying incidents, events etc.

Secure libraries: A secure library is a collection of software, electronic or
document CIs. Access to items in a secure library is restricted. The secure
library is used for controlling and releasing components throughout the service
lifecycle.

Definitive Media Library: Definitive media library (DML) is a secure library that
may be used to store definitive authorised versions of all media CIs. It stores
master copies of versions that have passed quality assurance checks.

Configuration Baseline: This baseline is the configuration of a service, product
or infrastructure that has been formally reviewed and agreed on, that thereafter
serves as the basis for further activities, and that can be changed only through
a formal change procedure. A configuration baseline captures and represents a
set of configuration items that are related to each other.

Snapshot: It defines the current state of configuration items or an environment.

Change Management: This process provides guidelines which can be used by the
banks for handling changes, to ensure that changes are recorded, assessed,
authorised, prioritised, planned, tested, implemented, documented and reviewed
in a controlled manner and environment. The primary objective of the change
management procedures is to ensure assessment of:

• Risks
• Change authorisation
• Business continuity
• Change impact
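As an added example (not from the study material), a small Python check that ties the configuration baseline, the snapshot and change management together: it diffs a snapshot against the agreed baseline and flags every difference not covered by an authorised change. The CI names, attributes and change id are constructed for illustration.

```python
import hashlib
import json

# Constructed configuration baseline for a hypothetical "Core Banking / Hosting"
# CI branch: CI name -> attributes. Names and values are illustrative only.
BASELINE = {
    "cbs-db-01":  {"type": "database", "version": "19.3", "tls_min": "1.2"},
    "cbs-app-01": {"type": "application", "version": "4.2.1"},
    "cbs-os-01":  {"type": "operating system", "version": "8.6", "patch_level": "2024-02"},
}

# Snapshot of the same environment taken later (constructed): one approved
# upgrade, one silent weakening of a security setting, one unrecorded host.
SNAPSHOT = {
    "cbs-db-01":  {"type": "database", "version": "19.3", "tls_min": "1.0"},
    "cbs-app-01": {"type": "application", "version": "4.2.2"},
    "cbs-os-01":  {"type": "operating system", "version": "8.6", "patch_level": "2024-02"},
    "cbs-adhoc-01": {"type": "server", "version": "-"},
}

# Changes authorised through change management (constructed): change id ->
# (CI, attribute, approved new value).
AUTHORISED_CHANGES = {
    "CHG-0042": ("cbs-app-01", "version", "4.2.2"),
}


def fingerprint(attrs):
    """Stable hash of one CI's attributes, usable as a baseline checksum."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def drift(baseline, snapshot):
    """Compare a snapshot to the agreed baseline.

    Returns findings as tuples (ci, attribute, baseline_value, snapshot_value);
    an added CI uses attribute "*" with baseline_value None, a removed CI uses
    attribute "*" with snapshot_value None."""
    findings = []
    for ci in sorted(set(baseline) | set(snapshot)):
        if ci not in snapshot:
            findings.append((ci, "*", fingerprint(baseline[ci]), None))
            continue
        if ci not in baseline:
            findings.append((ci, "*", None, fingerprint(snapshot[ci])))
            continue
        if fingerprint(baseline[ci]) == fingerprint(snapshot[ci]):
            continue                      # unchanged CI, skip the attribute walk
        old, new = baseline[ci], snapshot[ci]
        for attr in sorted(set(old) | set(new)):
            if old.get(attr) != new.get(attr):
                findings.append((ci, attr, old.get(attr), new.get(attr)))
    return findings


def unauthorised(findings, changes):
    """Findings not covered by an approved change: these are the ones that
    violate 'only authorised changes are made' and need an incident or an RFC."""
    approved = {(ci, attr, value) for ci, attr, value in changes.values()}
    return [f for f in findings if (f[0], f[1], f[3]) not in approved]


if __name__ == "__main__":
    found = drift(BASELINE, SNAPSHOT)
    for f in found:
        print("drift:", f)
    for f in unauthorised(found, AUTHORISED_CHANGES):
        print("UNAUTHORISED:", f)
```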

iv) Operations

This phase, as a part of the Service Management lifecycle, is responsible for
executing and performing the processes that optimise the cost and quality of
services. As a part of the organisation, it is responsible for enabling the
business to meet its objectives. As a part of technology, it is responsible for
the effective functioning of the components that support business services.

Event Management

The Event Management process provides the guidelines which can be used by the
banks to define the framework for monitoring all the relevant events that occur
throughout the IT infrastructure. It provides the entry point for the execution
of many Service Operations processes and activities.
An event can be defined as any detectable or discernible occurrence that has
significance for the management of the IT infrastructure or the delivery of IT
services. An Event Management framework, when defined, will have two mechanisms
for monitoring. These are:

Active Monitoring: Active monitoring is the polling of business-significant
Configuration Items to determine their status and availability. Any deviation
from normal status should be reported to the appropriate team for action.

Passive Monitoring: Passive monitoring detects and correlates operational alerts
or communications generated by Configuration Items.

Event Management can be applied to any aspect of Service Management that needs
to be controlled. These components can be:

• Configuration Items
• Environment conditions
• Software licence monitoring
• Security breaches

The Event Management portfolio can have different kinds of events, some of
which are:

Informational: Events signifying regular operations, for instance a notification
that a scheduled job has completed.

Warning: Events signifying a deviation from the normal course of action, for
instance a user attempting to log in with an incorrect password. Exceptional
events will require further investigation to determine the conditions which may
have led to the exception.

Exceptions: Events which are unusual. Such events may require closer monitoring.
In some cases the condition will resolve itself; for instance, with unusual
combinations of workloads, normal operations will be restored as they complete.
In other cases, operations intervention will be required if the situation is
repeated.
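As an added example (not from the study material), the three event categories above applied to a constructed batch of CI events, with a passive-monitoring correlation step that escalates a warning repeated within a short window, since the text says a repeated situation needs operations intervention. The line format, the event types, the disk threshold and the repeat window are all assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of events emitted by configuration items. The line format
# (ISO timestamp, ci=, type=, optional key=value fields) is an assumption of
# this example, not a format the text prescribes.
SAMPLE_EVENTS = """\
2024-03-01T09:00:00 ci=batch-eod type=job_completed
2024-03-01T09:01:10 ci=ibank-app-01 type=login_failed user=cust1001
2024-03-01T09:01:40 ci=ibank-app-01 type=login_failed user=cust1001
2024-03-01T09:02:05 ci=ibank-app-01 type=login_failed user=cust1001
2024-03-01T09:03:00 ci=cbs-db-01 type=disk_usage value=97
2024-03-01T09:04:30 ci=atm-0123 type=login_failed user=cust2002
2024-03-01T09:06:00 ci=atm-0123 type=cash_dispensed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+ci=(?P<ci>\S+)\s+type=(?P<type>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

INFORMATIONAL = {"job_completed", "cash_dispensed"}
WARNING = {"login_failed"}
DISK_EXCEPTION_PCT = 95          # constructed threshold for the disk_usage event


def parse(text):
    """Parse the sample lines into event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m.group("ts")),
              "ci": m.group("ci"), "type": m.group("type")}
        ev.update(dict(KV_RE.findall(m.group("rest"))))
        events.append(ev)
    return events


def classify(ev):
    """Map one event to the informational / warning / exception categories."""
    if ev["type"] in INFORMATIONAL:
        return "informational"
    if ev["type"] in WARNING:
        return "warning"
    if ev["type"] == "disk_usage":
        return "exception" if int(ev.get("value", 0)) >= DISK_EXCEPTION_PCT else "informational"
    return "exception"           # unknown event types get looked at


def correlate_repeats(events, threshold=3, window=timedelta(minutes=5)):
    """Passive monitoring: warnings repeated by the same CI for the same user
    inside the window are escalated for operations intervention.
    Returns (ci, user, total warnings) per escalated pair."""
    buckets = defaultdict(list)
    for ev in events:
        if classify(ev) == "warning":
            buckets[(ev["ci"], ev.get("user", "-"))].append(ev["ts"])
    escalations = []
    for (ci, user), stamps in buckets.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                escalations.append((ci, user, len(stamps)))
                break
    return escalations


def triage(text):
    """Counts per category plus the escalations found by correlation."""
    events = parse(text)
    counts = Counter(classify(ev) for ev in events)
    return dict(counts), correlate_repeats(events)


if __name__ == "__main__":
    counts, escalated = triage(SAMPLE_EVENTS)
    print("event counts:", counts)
    print("escalated to exception:", escalated)
```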
Incident Management

An incident is an unplanned interruption to an IT service, or a reduction in the
quality of an IT service. The failure of a configuration item that has not yet
impacted service shall also be treated as an incident.

The Incident Management process provides guidelines that can be implemented by
the banks for the management of incidents, so that service operations are
restored as quickly as possible and the adverse impact on business operations is
minimised. The primary objective of the Incident Management procedures is to
ensure the best possible level of service quality and availability.

Problem Management

The Problem Management process provides a framework which can be implemented by
banks to minimise the adverse impact of incidents on the IT infrastructure and
the business by identifying root causes, logging known errors, providing and
communicating workarounds, finding permanent solutions, and preventing the
recurrence of incidents related to these errors. Problem Management increases
the stability and integrity of the infrastructure.

The Problem Management process includes the activities required to find the root
causes of incidents and to determine the resolution of these underlying
problems. Problem Management procedures also include implementation of the
resolution through Change Management procedures and Release Management
procedures. This also includes appropriate workarounds and resolutions for
incidents that cannot be resolved due to business cases or technical shortfalls.
Periodic trend analysis of the problems in respect of systems or customer-facing
channels may be carried out and appropriate action taken.

Access Management

The Access Management process provides the guidelines which can be implemented
by banks to limit access to IT services only to those individuals and
applications that are duly authorised based on organisational policies and
standards. Access Management enables the organisation to manage the
confidentiality and integrity of the organisation's data, IT infrastructure and
applications.

Various payment and settlement systems

1. The Payment and Settlement Systems Act, 2007 (PSS Act, 2007) provides for the
regulation and supervision of payment systems in India and designates the
Reserve Bank of India (Reserve Bank) as the authority for that purpose and all
related matters. The Reserve Bank is authorised under the Act to constitute a
Committee of its Central Board, known as the Board for Regulation and
Supervision of Payment and Settlement Systems (BPSS), to exercise its powers and
perform its functions and discharge its duties under this statute. The Act also
provides the legal basis for "netting" and "settlement finality". This is of
great importance, as in India all payment systems other than the Real Time Gross
Settlement (RTGS) system function on a net settlement basis.
The PSS Act, 2007 received the assent of the President on 20th December 2007 and
came into force with effect from 12th August 2008.
Under the PSS Act, 2007, two Regulations have been made by the Reserve Bank of
India, namely the Board for Regulation and Supervision of Payment and Settlement
Systems Regulations, 2008 and the Payment and Settlement Systems Regulations,
2008. Both these Regulations came into force along with the PSS Act, 2007 on
12th August 2008.
2. The Board for Regulation and Supervision of Payment and Settlement Systems
Regulations, 2008 deal with the constitution of the Board for Regulation and
Supervision of Payment and Settlement Systems (BPSS), a Committee of the Central
Board of Directors of the Reserve Bank of India. They also deal with the
composition of the BPSS, its powers and functions, the exercising of powers on
behalf of the BPSS, meetings of the BPSS and quorum, the constitution of
Sub-Committees/Advisory Committees by the BPSS, etc. The BPSS exercises the
powers on behalf of the Reserve Bank for regulation and supervision of the
payment and settlement systems under the PSS Act, 2007.

The Payment and Settlement Systems Regulations, 2008 cover matters such as the
form of application for authorisation for commencing/carrying on a payment
system and the grant of authorisation, payment instructions and determination of
standards of payment systems, furnishing of returns/documents/other information,
furnishing of accounts and balance sheets by the system provider, etc.

3. India has multiple payment and settlement systems, both gross and net
settlement systems. For gross settlement India has a Real Time Gross Settlement
(RTGS) system, and the net settlement systems include Electronic Clearing
Services (ECS Credit), Electronic Clearing Services (ECS Debit), credit cards,
debit cards, the National Electronic Fund Transfer (NEFT) system and the
Immediate Payment Service (IMPS).

4. Electronic Payment and Settlement Systems in India

The Reserve Bank of India is doing its best to encourage alternative methods of
payment which will bring security and efficiency to the payments system and make
the whole process easier for banks.
The Indian banking sector has been growing successfully, innovating and trying
to adopt and implement electronic payments to enhance the banking system. Though
the Indian payment systems have always been dominated by paper-based
transactions, e-payments are not far behind. Ever since the introduction of
e-payments in India, the banking sector has witnessed growth like never before.
According to a survey by Celent, the ratio of e-payments to paper-based
transactions increased considerably between 2004 and 2008. This has happened as
a result of advances in technology and increasing consumer awareness of the ease
and efficiency of internet and mobile transactions.[2]
In the case of India, the RBI has played a pivotal role in facilitating
e-payments by making it compulsory for banks to route high-value transactions
through Real Time Gross Settlement (RTGS) and also by introducing NEFT (National
Electronic Funds Transfer) and NECS (National Electronic Clearing Services),
which has encouraged individuals and businesses to switch. India is clearly one
of the fastest growing countries for payment cards in the Asia-Pacific region.
Behavioural patterns of Indian customers are also likely to be influenced by
their internet accessibility and usage, which currently stands at about 32
million PC users, 68% of whom have access to the net. However, these statistical
indications are far from the reality, where customers still prefer to pay "in
line" rather than online, with 63% of payments still being made in cash.
E-payments have to be continuously promoted by showing consumers the various
routes through which they can make these payments, such as ATMs, the internet,
mobile phones and drop boxes.
Due to the efforts of the RBI and the BPSS, now over 75% of all transaction
volume is in the electronic mode, including both large-value and retail
payments. Out of this 75%, 98% comes from RTGS (large-value payments) whereas a
meagre 2% comes from retail payments. This means consumers have not yet accepted
this as a regular means of paying their bills and still prefer conventional
methods. Retail payments, if made via electronic modes, are done by ECS (debit
and credit), EFT and card payments.[2]

5. Electronic Clearing Service (ECS Credit)

Known as the "credit-push" or one-to-many facility, this method is used mainly
for large-value or bulk payments where the receiver's account is credited with
the payment from the institution making the payment. Such payments are made on
a periodic basis, such as yearly or half-yearly, and are used to pay salaries,
dividends or commissions. Over time it has become one of the most convenient
methods of making large payments.

6. Electronic Clearing Services (ECS Debit)

Known as the many-to-one or "debit-pull" facility, this method is used mainly
for small-value payments from consumers/individuals to big organisations or
companies. It eliminates the need for paper and instead makes the payment
through banks/corporates or government departments. It facilitates individual
payments like telephone bills, electricity bills, online and card payments and
insurance payments. Though easy, this method lacks popularity because of lack of
consumer awareness.

7. Credit cards and Debit cards

As mentioned above, India is one of the fastest growing countries in the plastic
money segment. Already there are 130 million cards in circulation, which is
likely to increase at a very fast pace due to rampant consumerism. India's card
market has been recording a growth rate of 30% in the last 5 years. Card
payments form an integral part of e-payments in India because customers make
many payments on their cards: paying their bills, transferring funds and
shopping.
Ever since debit cards entered India in 1998 they have been growing in number,
and today they make up nearly 3/4th of the total number of cards in circulation.
Credit cards have shown relatively slower growth even though they entered the
market a decade before debit cards. Only in the last 5 years has there been
impressive growth in the number of credit cards: by 74.3% between 2004 and 2008.
It is expected to grow at a rate of about 60% considering levels of employment
and disposable income. The majority of credit card purchases come from expenses
on jewellery, dining and shopping.
Another recent innovation in the field of plastic money is co-branded credit
cards, which combine many services into one card, where banks and other retail
stores, airlines and telecom companies enter into business partnerships. This
increases the utility of these cards and hence they are used not only in ATMs
but also at Point of Sale (POS) terminals and while making payments on the net.

8. Real-time gross settlement

The acronym 'RTGS' stands for real time gross settlement. The Reserve Bank of
India (India's central bank) maintains this payment network. Real Time Gross
Settlement is a funds transfer mechanism where the transfer of money takes place
from one bank to another on a 'real time' and 'gross' basis. This is the fastest
possible money transfer system through the banking channel. Settlement in 'real
time' means the payment transaction is not subjected to any waiting period; the
transactions are settled as soon as they are processed. 'Gross settlement'
means the transaction is settled on a one-to-one basis without bunching with
any other transaction. Considering that the money transfer takes place in the
books of the Reserve Bank of India, the payment is taken as final and
irrevocable.
Fees for RTGS vary from bank to bank. RBI has prescribed an upper limit for the
fees which can be charged by all banks for both NEFT and RTGS. Both the
remitting and receiving banks must have core banking in place to enter into
RTGS transactions. Core Banking enabled banks and branches are assigned an
Indian Financial System Code (IFSC) for RTGS and NEFT purposes. This is an
eleven digit alphanumeric code, unique to each branch of a bank. The first four
letters indicate the identity of the bank and the remaining seven numerals
indicate a single branch. This code is provided on the cheque books, which are
required for transactions along with the recipient's account number.
RTGS is a large-value (minimum value of transaction ₹2,00,000) funds transfer
system whereby financial intermediaries can settle interbank transfers for their
own account as well as for their customers. The system effects final settlement
of interbank funds transfers on a continuous, transaction-by-transaction basis
throughout the processing day. Customers can access the RTGS facility between 9
am and 4:30 pm (interbank up to 6:30 pm) on weekdays and 9 am to 2:00 pm
(interbank up to 3:00 pm) on Saturdays. However, the timings that the banks
follow may vary depending on the bank branch. Time Varying Charges were
introduced by RBI w.e.f. 1 October 2011. The basic purpose of RTGS is to
facilitate transactions which need immediate access for their completion.
Banks could use balances maintained under the cash reserve ratio (CRR) and the
intra-day liquidity (IDL) supplied by the central bank for meeting any
eventuality arising out of real time gross settlement (RTGS). The RBI fixed the
IDL limit for banks at three times their net owned funds (NOF).
The IDL will be charged at ₹25 per transaction entered into by the bank on the
RTGS platform. Marketable securities and treasury bills will have to be placed
as collateral with a margin of five per cent. However, the apex bank will also
impose severe penalties if the IDL is not paid back at the end of the day.
The RTGS service window for customer transactions is available from 8:00 hours
to 19:00 hours on weekdays and from 8:00 hours to 13:00 hours on Saturdays.
There are no transactions on weekly holidays and public holidays.
Service Charge for RTGS
a) Inward transactions: no charge to be levied.
b) Outward transactions:
- For transactions of ₹2 lakhs to ₹5 lakhs: up to ₹25 per transaction plus
applicable Time Varying Charges (₹1/- to ₹5/-); total not exceeding ₹30 per
transaction (+ GST).
- Above ₹5 lakhs: ₹50 per transaction plus applicable Time Varying Charges
(₹1/- to ₹5/-); total charges not exceeding ₹55 per transaction (+ GST).
No time varying charges are applicable for RTGS transactions settled up to 1300
hrs.

9. National Electronic Funds Transfer (NEFT)

Started in November 2005,[1] the National Electronic Fund Transfer (NEFT) system
is a nationwide system that enables individuals, firms and corporates to
electronically transfer funds from any bank branch to any individual, firm or
corporate having an account with any other bank branch in the country. It is
done via electronic messages. Even though it is not on a real time basis like
RTGS (Real Time Gross Settlement), hourly batches are run in order to speed up
the transactions.
To be part of the NEFT funds transfer network, a bank branch has to be
NEFT-enabled. NEFT has gained popularity due to the time it saves and the ease
with which transactions can be concluded. As at end-January 2011, 74,680
branches/offices of 101 banks in the country (out of around 82,400 bank
branches) were NEFT-enabled. Steps are being taken to further widen the
coverage both in terms of banks and branches/offices. As on 30.12.2017 the
total number of NEFT-enabled branches had increased to 139,682 of 188 banks.
(https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=112)

10. Indo-Nepal Remittance Facility Scheme

The Indo-Nepal Remittance Facility is a cross-border remittance scheme to
transfer funds from India to Nepal, enabled under the NEFT Scheme. The scheme
was launched to provide a safe and cost-efficient avenue for migrant Nepalese
workers in India to remit money back to their families in Nepal. A remitter can
transfer funds up to ₹50,000 (maximum permissible amount) from any of the
NEFT-enabled branches in India. The beneficiary would receive funds in Nepalese
Rupees.

11. Immediate Payment Service (IMPS)

Immediate Payment Service (IMPS) is an initiative of the National Payments
Corporation of India (NPCI). It is a service through which money can be
transferred immediately from one account to another, within the same bank or
across other banks. Upon registration, both individuals are issued an MMID
(Mobile Money Identifier) code by their respective banks. This is a 7 digit
numeric code. To initiate the transaction, the sender needs to enter in his
mobile banking application the registered mobile number of the receiver, the
MMID of the receiver and the amount to be transferred. Upon a successful
transaction, the money is credited to the account of the receiver instantly.
This facility is available 24x7 and can be used through a mobile banking
application. Some banks have also started providing this service through the
internet banking profile of their customers. Though most banks offer this
facility free of cost to encourage a paperless payment system, ICICI Bank and
Axis Bank charge for it as per their respective NEFT charges.
Nowadays, money can also be transferred through this service directly by using
the receiver's bank account number and IFS code. In such a case, the receiver of
the money neither needs to be registered for the mobile banking service of his
bank, nor needs an MMID code. The IMPS facility differs from NEFT and RTGS in
that there is no time limit for carrying out the transaction. This facility can
be availed 24x7 and on all public and bank holidays, including RBI holidays.

12. Bharat Bill Payment System

Bharat Bill Payment System (BBPS) is an integrated bill payment system in India
offering an interoperable and accessible bill payment service to customers
through a network of agents, enabling multiple payment modes, and providing
instant confirmation of payment. This is still in the implementation stage.
Guidelines for implementation of this system were issued on November 28, 2014.
13. Channels of e-payment

In their effort to enable customers to make payments the electronic way, banks
have developed many channels of payment, viz. the internet, mobiles, ATMs
(Automated Teller Machines) and drop boxes.
The internet as a channel of payment is one of the most popular, especially
among the youth. Debit and credit payments are made by customers on various
banks' websites for small purchases (retail payments) and retail transfers (ATM
transfers).
ATMs serve many other purposes apart from functioning as terminals for
withdrawals and balance inquiries: bills can be paid through ATMs, and
applications for cheque books and loans can also be made via ATMs.
Banks also provide telephone and mobile banking facilities. Payments can be made
through call agents, and as the number of telephone and mobile subscribers is
expected to rise, this channel of payment is expected to gain popularity.
Drop boxes provide a solution for those who have no access to the internet or to
a telephone or mobile. These drop boxes are kept on the premises of banks, and
customers can drop their bills along with the bill payment slips in these boxes
to be collected by third party agents.

14. Role of the RBI in encouraging e-payments

As the apex financial and regulatory institution in the country, it is
compulsory for the RBI to ensure that the payments system in the country is as
technologically advanced as possible. In view of this aim, the RBI has taken
several initiatives to strengthen the e-payments system in India and encourage
people to adopt it.
(Photo: Raghuram Rajan, Ex-Governor, RBI, and Nandan Nilekani, Ex-Chairman,
UIDAI and Advisor, NPCI, at the launch of the Unified Payments Interface (UPI)
in Mumbai.)
Imagine paying for everyday purchases directly from your bank, without the need
to carry cash. The RBI's new interface helps you do just that. Reserve Bank of
India Governor Raghuram Rajan launched the Unified Payments Interface (UPI)
system as its latest offering in boosting digital money transfers.
The interface has been developed by the National Payments Corporation of India
(NPCI), the umbrella organisation for all retail payments in the country. The
UPI seeks to make money transfers easy, quick and hassle-free.

• The Payment and Settlement Systems Act, 2007 was a major step in this
direction. It enables the RBI to "regulate, supervise and lay down policies
involving payment and settlement space in India." Apart from some basic
instructions to banks as to the personal and confidential nature of customer
payments, and supervising the timely payment and settlement of all
transactions, the RBI has actively encouraged all banks and consumers to
embrace e-payments.
• In pursuit of the above-mentioned goal, the RBI has granted NBFCs (Non-Banking
Financial Companies) permission to issue co-branded credit cards, forming
partnerships with commercial banks.
• The Kisan Credit Card Scheme was launched by NABARD in order to meet the
credit needs of farmers, so that they can be free of paper money hassles and
use only plastic money.
• A domestic card scheme known as RuPay has recently been started by the
National Payments Corporation of India (NPCI), promoted by RBI and the Indian
Banks' Association (IBA), inspired by UnionPay in China, which will promote the
use of cards, i.e. "plastic money". Initially functioning as an NPO, RuPay will
focus on potential customers from rural and semi-urban areas of India. RuPay
will have a much wider coverage than Visa, MasterCard or American Express cards,
which have always been used for card-based settlements.
• The NREGA (National Rural Employment Guarantee Scheme) introduced by the
Government will ensure rural employment, in turn ensuring that the employees
get wages. Each employee will have a smart card functioning as his personal
identification card, driver's licence and credit card, which will also function
as an electronic pass book, thus familiarising the rural population with
e-payments.[2]
However, the Indian banking system suffers from some defects due to certain
socio-cultural factors which hamper the spread of the e-payments culture, even
though there are many effective electronic payment channels and systems in
place. Despite the infrastructure being there, nearly 63% of all payments are
still made in cash. A relatively small percentage of the population pays their
bills electronically, and most of that population is from urban India, the
metropolitans. Also, in some cases the transaction is done partially online and
partially "offline". The main reason for this apathy to switch to e-payments
comes from lack of awareness of the customer, despite various efforts by the
Government.
15. Block Chain Technology: ICICI Bank is the first bank in the country, and
among the first few globally, to exchange and authenticate remittance
transaction messages as well as original international trade documents (related
to purchase orders, invoices, shipping and insurance, among others)
electronically on a block chain in real time.
The use of block chain technology simplifies the process and makes it almost
instant, taking only a few minutes. Typically, this process takes a few days. The
block chain application co-created by ICICI Bank replicates the paper-intensive
international trade finance process as an electronic decentralised ledger that
gives all the participating entities, including banks, the ability to access a
single source of information.

CODE      NAME                                                         DIGITS
IFSC    - Indian Financial System Code                                   11
MICR    - Magnetic Ink Character Recognition                             09
SWIFT   - Society for Worldwide Interbank Financial Telecommunication    11
PAN     - Permanent Account Number                                       10
UID/UAN - Unique Identification Number                                   12
PIN     - Postal Index Number                                             6
CIN     - Cheque Identification Number                                    7
BIC     - Bank Identification Number                                      8

16. PREPAID PAYMENT INSTRUMENTS:
Eligibility: Banks which comply with the eligibility criteria would be permitted
to issue all categories of pre-paid payment instruments. Non-Banking Financial
Companies (NBFCs) and other persons would be permitted to issue only semi-closed
system payment instruments.
Capital requirements: Banks and Non-Banking Financial Companies which comply
with the Capital Adequacy requirements prescribed by the Reserve Bank of India
from time to time shall be permitted to issue pre-paid payment instruments. All
other persons shall have a minimum paid-up capital of Rs 100 lakh and positive
net owned funds.
Safeguards against money laundering (KYC/AML/CFT) provisions: The maximum value
of any pre-paid payment instrument (where specific limits have not been
prescribed, including the amount transferred) shall not exceed Rs 100,000/-.
Deployment of money collected: Non-bank persons issuing payment instruments are
required to maintain their outstanding balance in an escrow account with any
scheduled commercial bank, subject to the following conditions: the amount so
maintained shall be used only for making payments to the participating merchant
establishments, and no interest is payable by the bank on such balances.
Validity: All pre-paid payment instruments issued in the country shall have a
minimum validity period of six months from the date of activation/issuance to
the holder. The outstanding balance against any payment instrument shall not be
forfeited unless the holder is cautioned at least 15 days in advance as regards
the expiry of the validity of the payment instrument.

17. Money Transfer Service Scheme (MTSS)

The Reserve Bank has issued Master Directions relating to the Money Transfer
Service Scheme (MTSS), which is a quick and easy way of transferring personal
remittances from abroad to beneficiaries in India. MTSS can be used for inward
personal remittances into India, such as remittances towards family maintenance
and remittances favouring foreign tourists visiting India, and not for outward
remittances from India.
The system envisages a tie-up between reputed money transfer companies abroad,
known as Overseas Principals, and agents in India, known as Indian Agents, who
disburse funds to beneficiaries in India at ongoing exchange rates. The Indian
Agents can in turn appoint sub-agents to expand their network. The Indian Agent
is not allowed to remit any amount to the Overseas Principal. Under MTSS, the
remitters and the beneficiaries are individuals only.
The Reserve Bank of India may accord necessary permission (authorisation) to any
person to act as an Indian Agent under the Money Transfer Service Scheme. No
person can handle the business of cross-border money transfer to India in any
capacity unless specifically permitted to do so by the RBI.
To become an MTSS agent, the minimum net owned funds are Rs. 50 lakh. The MTSS
cap is USD 2,500 per individual remittance. A maximum of 30 remittances may be
received by an individual in India in a calendar year. The minimum net worth of
an Overseas Principal is USD 1 million, as per its latest balance sheet.
18. IMPS

IMPS offers an instant, 24x7 interbank electronic fund transfer service capable
of processing person-to-person, person-to-account and person-to-merchant
remittances via mobile, internet and ATMs. It is a multichannel and
multidimensional platform that makes payments possible within a fraction of a
second, while maintaining all the standards and integrity of security required
even for high-value transactions.

MMID - Mobile Money Identifier

Each MMID is a 7-digit code linked to a unique mobile number. Different MMIDs
can be linked to the same mobile number.
• Both Sender and Receiver have to register for Mobile Banking and get a unique
ID called "MMID".
• Generation of MMID is a one-time process.
• The Remitter (Sender) transfers funds to the Beneficiary (Receiver) using the
beneficiary's mobile number and 7-digit MMID.

IFS Code
An 11-digit alphanumeric code, available in the user's cheque book.

IMPS Fund transfer/Remittance options:

• Using Mobile number & MMID (P2P)
• Using Account number & IFS Code (P2A)
• Using Aadhaar number (ABRS)
• Customer Initiated - P2M (Push)
• Merchant Initiated - P2M (Pull)

Using Mobile number & MMID (P2P)

Presently, IMPS Person-to-Person (P2P) funds transfer requires the Remitter
customer to make the transfer using the Beneficiary's Mobile Number and MMID.
Both the Remitter and the Beneficiary need to register their mobile numbers with
their respective bank accounts and get an MMID in order to send or receive funds
using IMPS.

Using Account number & IFS Code (P2A)

There may be cases where the Remitter is enabled on Mobile Banking but the
Beneficiary's mobile number is not registered with any bank account. In such
cases, the Remitter cannot send money to the Beneficiary using Mobile Number &
MMID. Hence, on the basis of feedback received from the banking community and to
cater to the above need, IMPS funds transfer has also been made possible using
the Beneficiary's account number and IFS code, in addition to the Beneficiary's
mobile number and MMID.

Customer Initiated - P2M (Push)

IMPS Merchant Payments (P2M - Person-to-Merchant) service allows customers to
make instant, 24x7, interbank payments to merchants or enterprises via mobile
phone. IMPS gives mobile banking users a facility to make payments to merchants
and enterprises through various access channels such as Internet, mobile
Internet, IVR, SMS and USSD. The Sender enters the merchant's details (Customer
Initiated - Push):
• Merchant Mobile Number & MMID
• Amount to be transferred
• Payment reference (optional)
• Sender's M-PIN

Merchant Initiated - P2M (Pull)

In the merchant-initiated variant of the same P2M service, instant 24x7
interbank payments to merchants or enterprises via Mobile & Internet are made
through the same access channels (Internet, mobile Internet, IVR, SMS, USSD),
but the customer enters his or her own details (Merchant Initiated - Pull):
• Customer's own Mobile Number
• Customer's own MMID
• OTP (generated by the Issuer Bank)

19. Unified Payments Interface ("UPI")

Unified Payments Interface (UPI) is a payment system launched by the National
Payments Corporation of India and regulated by the Reserve Bank of India. UPI
allows money transfer between any two bank accounts by using a smartphone.
UPI allows a customer to pay directly from a bank account to different
merchants, both online and offline, without the hassle of typing credit card
details, IFSC code, or net banking/wallet passwords.
One needs to download the app from the Play Store and install it on the phone;
set the app login; create a virtual address; add a bank account; set an M-PIN;
and start transacting using UPI.
It is safe, as customers only share a virtual address and provide no other
sensitive information.
All merchant payments, remittances, bill payments, among others, can be done
through UPI.
The per-transaction limit is Rs. 1 lakh.
A user can make an in-app payment for goods or services purchased online. For
instance, a site allows purchase of a movie-on-demand. The user clicks buy, the
site/app triggers the UPI payment link and the user is taken to the pay screen
of the UPI app, where the transaction information is verified and a click
followed by entry of a secure PIN completes the purchase. 26 major banks in
India offer this facility to their customers.

The launch of the Unified Payments Interface ("UPI") by the National Payments
Corporation of India ("NPCI") has provided an impetus to India's move to
incentivize digital payments, with the vision of transforming India into a
digitally empowered economy and reducing dependence on cash transactions. NPCI
is the umbrella body for all payment systems in India, and UPI makes digital
transactions as effortless as sending a text message.

UPI makes cutting-edge changes by supporting real-time transfer of money
between accounts across banks using smartphones through one single interface,
besides creating interoperability and a superior customer experience. Embracing
the smartphone boom in India and the inclination of customers to move to digital
mobile-based solutions, UPI addresses the challenges and limitations of the
existing payment systems, wherein customers are required to disclose sensitive
financial details like bank account details, IFSC code, credit/debit card
details and sensitive PIN numbers while initiating transactions, and to juggle
between different mobile banking applications with their different user IDs and
passwords.

Unified Payments Interface (UPI) is an instant payment system developed by the
National Payments Corporation of India (NPCI), an RBI-regulated entity. UPI is
built over the IMPS infrastructure and allows you to instantly transfer money
between any two parties' bank accounts.

UPI-PIN
UPI-PIN (UPI Personal Identification Number) is a 4-6 digit pass code you
create/set during first-time registration with this App. You have to enter this
UPI-PIN to authorize all bank transactions. If you have already set up a UPI-PIN
with other UPI Apps, you can use the same on BHIM. (Note: the MPIN issued by
banks is different from the UPI-PIN; please generate a new UPI-PIN in the BHIM
app.) Note: Please do not share your UPI-PIN with anyone. BHIM does not store
or read your UPI-PIN details, and your bank's customer support will never ask
for it.

Payment Address
A Payment Address is an address which uniquely identifies a person's bank a/c.
For instance, the Payment Address for BHIM customers is in the format xyz@upi.
You can just share your Payment Address with anyone to receive payments (no need
for bank account number/IFSC code, etc.). You can also send money to anyone by
using their Payment Address. Note: Do not share your confidential UPI PIN with
anyone.

A Virtual Payment Address eliminates the need to provide sensitive information
like bank account details, debit/credit card details and CVV numbers. Also,
unlike a mobile wallet, a customer is not required to set aside funds upfront
with the service provider; all transfers under UPI are made from the bank
account linked with your virtual payment address. A virtual payment address is
an identifier that is mapped to a customer's bank account, enabling the bank
providing the UPI services to process transactions through the bank account
linked with the respective virtual payment address.

Data Security
In terms of data security, UPI provides for single-click two-factor
authorization, which implies that with one click the transaction is
authenticated at two levels, compliant with the existing regulatory guidelines
issued by the Reserve Bank of India ("RBI"), without disclosing banking or
personal information. As UPI primarily works on the basis of an individual's
'virtual payment address', one can send and receive payments solely on the
basis of that address without providing any additional details. For example, if
you need to make a payment to a merchant for purchases made at a store, you
provide him only your 'virtual payment address'. The merchant enters it into
his UPI app, which sends an authentication message to the mobile device linked
to that address. Only once you receive and acknowledge the message by entering
your password is the transaction completed and the amount payable to the
merchant debited from your bank account.

Aggregator of all accounts

UPI acts as an aggregator of all accounts held by a customer, enabling the
customer to make transactions from multiple accounts owned by them from one
single mobile application or web interface, and a customer is free to choose to
use any bank's UPI application. Consequently, a customer can own multiple
virtual payment addresses, wherein each virtual payment address can be linked
to a specific account, and organise payments or collections the way it suits
them. Moreover, special instructions like setting an upper limit for payments on
certain handles, restriction of merchants or outlets at which a certain handle
can be used, and standing payment instructions make the whole process very
useful to customers.
The banks offering UPI services are required to be authorised by the RBI to
provide mobile banking services. It is significant to note that even though the
RBI has not issued any specific guidelines on the provision of UPI services,
the transactions undertaken through the use of UPI are required to be compliant
with the guidelines issued by the RBI, including but not limited to the
customer registration process and KYC guidelines.
How does UPI / BHIM at POS work?

• This innovative dynamic QR-code based solution uses the store's existing
credit/debit card POS terminal to enable UPI-based cashless payments.
• When a customer requests the UPI payment mode, the cashier simply selects the
'UPI Payment' option on the existing card POS terminal and inputs the relevant
bill amount.
• This triggers the generation of a dynamic QR code on the POS terminal screen
itself, which can be scanned by any mobile-based UPI app, such as BHIM, used by
the customer.
• When scanned, the QR code automatically transfers the relevant transaction
details and displays them on the customer's payment app for authorizing the
payment transfer.
• Once the payment transfer from the customer's UPI-linked bank account to the
store's UPI-linked account is completed, the payment solution triggers a
settlement confirmation to the initiating in-store POS terminal for printing a
transaction completion charge slip.

Benefits:
By enabling such a UPI payment confirmation on the merchant POS terminal itself,
the new in-store UPI interface addresses a long-standing implementation hurdle
holding back faster spread of UPI acceptance in large multi-lane retail stores.

With multiple checkout points, the cashiers in these stores have no direct means
of confirming receipt of payment prior to releasing the purchased goods to the
customer. This is unlike a small single-cashier store, where such a confirmation
could be received via a simple text message to the single cashier's own mobile
phone.

The new solution enables the crucial payment confirmation to be received on
cashier-independent infrastructure like the store POS terminal - a necessity for
multi-cashier stores with high cashier churn. Use of a dynamic QR with the
merchant VPA (Virtual Payment Address) or UPI ID and the amount embedded in it
eliminates the need to type the customer or merchant credentials into the POS.

This process offers convenience besides eliminating the cumbersome and
error-prone process of typing out credentials.
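The dynamic QR flow described above (the POS embeds the merchant VPA and amount in a QR; the customer's app reads it and shows the details for authorisation) can be illustrated with a small builder and validator. This is an added example, not NPCI's or any bank's code; it assumes the public UPI deep-link layout (upi://pay?pa=<VPA>&am=<amount>&cu=INR&tr=<reference>), which the notes do not spell out, and the merchant values are constructed.

```python
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode, urlparse

# Per-transaction ceiling stated in the notes (Rs. 1 lakh).
UPI_PER_TXN_LIMIT = Decimal("100000")

# Payment address shape <local part>@<handle>, e.g. store123@upi (constructed).
VPA_RE = re.compile(r"^[A-Za-z0-9._-]{3,}@[A-Za-z][A-Za-z0-9]+$")

# Deep-link parameters this example accepts (assumed layout, see lead-in):
# pa = payee address, am = amount, pn = payee name, tr = transaction reference,
# tn = note, cu = currency, mc = merchant category code.
REQUIRED = ("pa", "am")
ALLOWED = REQUIRED + ("pn", "tr", "tn", "cu", "mc")


def build_dynamic_qr(merchant_vpa, merchant_name, amount, bill_ref):
    """Return the string the POS terminal encodes into the dynamic QR.

    The amount and the lane's bill reference are embedded so the customer
    never types either of them, which is the convenience the notes describe.
    """
    amount = Decimal(str(amount)).quantize(Decimal("0.01"))
    params = {"pa": merchant_vpa, "pn": merchant_name,
              "am": str(amount), "cu": "INR", "tr": bill_ref}
    return "upi://pay?" + urlencode(params)


def parse_dynamic_qr(payload):
    """Validate a scanned payload; return its fields or raise ValueError.

    These are the checks a customer app should make before it shows the
    'authorise payment' screen: correct scheme and authority, only known
    parameters and each present exactly once (a repeated pa or am is a
    tampering tell), a well-formed payee VPA, and a finite, positive INR
    amount with at most two decimals that is within the UPI per-transaction
    limit.
    """
    parts = urlparse(payload)
    if parts.scheme != "upi" or parts.netloc != "pay":
        raise ValueError("not a UPI pay link")
    fields = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key not in ALLOWED:
            raise ValueError(f"unexpected parameter {key!r}")
        if len(values) != 1:
            raise ValueError(f"parameter {key!r} repeated")
        fields[key] = values[0]
    for key in REQUIRED:
        if not fields.get(key):
            raise ValueError(f"missing parameter {key!r}")
    if not VPA_RE.match(fields["pa"]):
        raise ValueError("malformed payee address")
    try:
        amount = Decimal(fields["am"])
    except InvalidOperation:
        raise ValueError("amount is not a number") from None
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise ValueError("amount must be positive with at most two decimals")
    if amount > UPI_PER_TXN_LIMIT:
        raise ValueError("amount exceeds the UPI per-transaction limit")
    if fields.get("cu", "INR") != "INR":
        raise ValueError("currency must be INR")
    fields["am"] = amount
    return fields


def is_valid_dynamic_qr(payload):
    """Boolean wrapper around parse_dynamic_qr for quick screening."""
    try:
        parse_dynamic_qr(payload)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed merchant values; the app side shows what the shopper confirms.
    qr = build_dynamic_qr("store123@upi", "Demo Store", "349.5", "LANE7-000912")
    fields = parse_dynamic_qr(qr)
    print(qr)
    print(f"Pay Rs. {fields['am']} to {fields['pa']} (ref {fields.get('tr')})")
    # A payload with the amount parameter repeated must be refused.
    print(is_valid_dynamic_qr("upi://pay?pa=store123@upi&am=10.00&am=9999.00"))
```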

Key points about UPI

1. How is UPI different from IMPS?
UPI provides additional benefits over IMPS in the following ways:
• Provides for a P2P Pull functionality
• Simplifies Merchant Payments
• Single App for money transfer
• Single-click two-factor authentication

2. Does a customer need to register before remitting funds using UPI?
Yes, a customer needs to register with his/her PSP before remitting funds using
UPI and link his/her accounts.

3. Does the customer need to register a beneficiary before transferring funds
through UPI? What details of the beneficiary will be required?
No, registration of the Beneficiary is not required for transferring funds
through UPI, as the funds are transferred on the basis of Virtual ID /
Account+IFSC / Mobile No+MMID / Aadhaar Number. (Please check with your PSP and
Issuing bank with regard to the services enabled on the App.)

4. Can I link more than one bank account to the same virtual address?
Yes, several bank accounts can be linked to the same virtual address depending
on the functionalities made available by the respective PSPs. If the selected
bank name to link with UPI does not find your bank a/c, please ensure that the
mobile number linked to your bank account is the same as the one verified in
the BHIM App. If it is not the same, your bank accounts will not be fetched by
the UPI platform. Only Savings and Current bank accounts are supported by BHIM.

5. What are the different channels for transferring funds using UPI?
The different channels for transferring funds using UPI are:
• Transfer through Virtual ID
• Account Number + IFSC
• Mobile Number + MMID
• Aadhaar Number
• Collect / Pull money on the basis of Virtual ID

6. What is the limit of fund transfer using UPI?
At present, the upper limit per UPI transaction is Rs. 1 Lakh.

20. Bharat Interface for Money (BHIM)

The Bharat Interface for Money (BHIM) was rolled out by Prime Minister Narendra
Modi on 30th December 2016, in an initiative to enable fast, secure and
reliable cashless payments through mobile phones.
BHIM is inter-operable with other Unified Payments Interface (UPI) applications
and bank accounts, and has been developed by the National Payments Corporation
of India (NPCI).
The Android app is already available on the Google Play Store. As it is
Aadhaar-enabled, the app puts an end to the fuss around other e-wallets.
Moreover, an iOS version will be launched soon. One must get one's bank accounts
registered along with a UPI Pin for the account.
On the BHIM app, the address would be <mobile number@upi> or <preferred user
id@upi>. This user id would be your primary address, which can be used to send
or request money through other ids linked to it.
The BHIM App supports about 35 banks.

Bharat Interface for Money (BHIM) is an app that lets you make simple, easy and
quick payment transactions. BHIM is a digital payments solution app based on the
Unified Payments Interface (UPI) from the National Payments Corporation of India
(NPCI), the umbrella organisation for all retail payments systems in India. You
can easily make direct bank-to-bank payments instantly and collect money using
just a Mobile number or Payment address.
BHIM, being UPI-based, is linked directly to a bank account. All the payee needs
is a bank account. If this account is UPI activated, you can just ask for the
payee's Virtual Payment Address (VPA) and make the payment to that account.
Otherwise, there is the option of IFSC or MMID for sending or receiving money.
The advantage is that there is no need to remember an account number, or to
share it with anyone. The VPA is all that is needed.

If you have signed up for UPI-based payments on your bank account, which is also
linked to your mobile phone number, you will be able to use the BHIM app to
carry out digital transactions.

The following are the features of BHIM:

1. Send Money: The user can send money using a Virtual Payment Address (VPA),
Account Number & IFSC, Aadhaar Number or QR code.

2. Request Money: The user can collect money by entering a Virtual Payment
Address (VPA). Additionally, through the BHIM App one can also transfer money
using a Mobile No. (the Mobile No. should be registered with BHIM or *99# and
the account should be linked).

3. Scan & Pay: The user can pay by scanning a QR code through Scan & Pay; a
Generate your QR option is also present.

4. Transactions: The user can check transaction history and also pending UPI
collect requests (if any) and approve or reject them. The user can also raise a
complaint for declined transactions by clicking on Report issue in transactions.

5. Profile: The user can view the static QR code and Payment addresses created,
share the QR code through various messenger applications like WhatsApp, Email
etc. available on the phone, and download the QR code.

6. Bank Account: The user can see the bank account linked with his/her BHIM App
and set/change the UPI PIN. The user can also change the bank account linked
with the BHIM App by clicking Change account provided in the Menu, and can check
the Balance of his/her linked Bank Account by clicking "REQUEST BALANCE".

7. Language: Up to 8 regional languages (Tamil, Telugu, Bengali, Malayalam,
Oriya, Gujarati, Kannada, Hindi) are available on BHIM to improve user
experience.

8. Block User: Block/report as spam users who are sending you collect requests
from illicit sources.

9. Privacy: Allows a user to disable and enable mobilenumber@upi in the profile
if a secondary VPA is created (the QR for the disabled VPA is also disabled).

Unique features of BHIM:

• QR code based Scan & Pay option available; Generate your own QR code option is
also available
• Option to save your beneficiaries for future reference
• Access transaction history and Request Balance anytime
• Create, reset or change UPI PIN
• Report Issue and Call Bank facilities are given to lodge complaints
• FAQ section is created in the app to answer all queries regarding BHIM
• Available in 2 languages, English and Hindi

Benefits of BHIM:

• Single App for sending and receiving money and making merchant payments
• Go cashless anywhere, anytime
• Added security of single-click 2-factor authentication
• Seamless money collection through single identifiers, reduced risks, real time
• Mobile no. or Name used to create a VIRTUAL PAYMENT ADDRESS (VPA)
• Best answer to the Cash on Delivery hassle
• Send and collect using VIRTUAL PAYMENT ADDRESS (VPA) or A/c no & IFSC
• Payments through a single app in your favourite language
• 24X7, 365 days instantaneous money transfer

Transfer Limits:

• Maximum limit per transaction is Rs. 10,000
• Maximum limit per day is Rs. 20,000
• There is a limit of 20 transactions per account per bank
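The MTSS caps in section 17 (USD 2,500 per remittance, at most 30 remittances per beneficiary per calendar year) and the BHIM transfer limits just listed (Rs. 10,000 per transaction, Rs. 20,000 per day, 20 transactions per account) are the same kind of control: a per-transaction ceiling plus per-period aggregates that a bank or agent must enforce before releasing funds. The checker below is an added example, not RBI, NPCI or BHIM code; it assumes the BHIM transaction count applies per calendar day (the notes do not state the window) and runs on constructed transaction data.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal


def _dec(value):
    """Decimal or None, so caps are compared exactly (no float rounding)."""
    return None if value is None else Decimal(str(value))


class LimitRules:
    """Caps applied per account within one period, "day" or "year".

    Any cap may be None, meaning the rule set does not impose it.
    """

    def __init__(self, per_txn_max, period_amount_max, period_count_max, period):
        self.per_txn_max = _dec(per_txn_max)
        self.period_amount_max = _dec(period_amount_max)
        self.period_count_max = period_count_max
        self.period = period

    def period_key(self, day):
        """Bucket label for a date: ISO date for daily caps, year for yearly."""
        return str(day.year) if self.period == "year" else day.isoformat()


# Caps as stated in the notes.  MTSS: USD, per beneficiary, per calendar year.
MTSS_RULES = LimitRules(per_txn_max=2500, period_amount_max=None,
                        period_count_max=30, period="year")
# BHIM: Rs., per debit account; the 20-transaction count is assumed to be daily.
BHIM_RULES = LimitRules(per_txn_max=10000, period_amount_max=20000,
                        period_count_max=20, period="day")


class LimitChecker:
    """Tracks accepted amount and count per (account, period) and screens txns.

    Only accepted transactions are added to the running totals, so a rejected
    over-limit attempt does not consume the account's remaining allowance.
    """

    def __init__(self, rules):
        self.rules = rules
        self.totals = defaultdict(lambda: [Decimal("0"), 0])  # [amount, count]

    def check(self, account, day, amount):
        """Return None if the transaction is within limits, else the reason."""
        r = self.rules
        if r.per_txn_max is not None and amount > r.per_txn_max:
            return f"{amount} exceeds per-transaction cap {r.per_txn_max}"
        used_amount, used_count = self.totals[(account, r.period_key(day))]
        if r.period_count_max is not None and used_count >= r.period_count_max:
            return f"already {used_count} transactions this {r.period}"
        if (r.period_amount_max is not None
                and used_amount + amount > r.period_amount_max):
            return (f"{used_amount} + {amount} exceeds {r.period} cap "
                    f"{r.period_amount_max}")
        return None

    def apply(self, account, day, amount):
        """Screen one transaction and record it if accepted."""
        reason = self.check(account, day, amount)
        if reason is None:
            bucket = self.totals[(account, self.rules.period_key(day))]
            bucket[0] += amount
            bucket[1] += 1
        return reason


def screen(rules, txns):
    """Run (account, 'YYYY-MM-DD', amount) tuples through a fresh checker.

    Returns [(index, reason), ...] for the transactions that breach a rule,
    in the order they were presented.
    """
    checker = LimitChecker(rules)
    rejected = []
    for i, (account, day, amount) in enumerate(txns):
        reason = checker.apply(account, date.fromisoformat(day),
                               Decimal(str(amount)))
        if reason is not None:
            rejected.append((i, reason))
    return rejected


# Constructed sample data (not real customers or transactions).
BHIM_SAMPLE = [
    ("A1", "2017-01-10", 9000),   # accepted, day total 9,000
    ("A1", "2017-01-10", 8000),   # accepted, day total 17,000
    ("A1", "2017-01-10", 5000),   # rejected: would take the day to 22,000
    ("A1", "2017-01-10", 12000),  # rejected: above the Rs. 10,000 per-txn cap
    ("A1", "2017-01-10", 3000),   # accepted, day total exactly 20,000
    ("A1", "2017-01-11", 4000),   # accepted, new day
]
MTSS_SAMPLE = ([("B1", "2017-03-01", 100)] * 30      # 30 remittances accepted
               + [("B1", "2017-12-20", 100),         # 31st in the year: rejected
                  ("B1", "2018-01-05", 100),         # new calendar year: accepted
                  ("B2", "2017-06-01", 2600),        # above USD 2,500: rejected
                  ("B2", "2017-06-01", 2500)])       # at the cap: accepted

if __name__ == "__main__":
    for name, rules, sample in (("BHIM", BHIM_RULES, BHIM_SAMPLE),
                                ("MTSS", MTSS_RULES, MTSS_SAMPLE)):
        for idx, why in screen(rules, sample):
            print(f"{name} txn #{idx} rejected: {why}")
```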

21. National Automated Clearing House (NACH)

National Payments Corporation of India (NPCI) has implemented the "National
Automated Clearing House (NACH)" for Banks, Financial Institutions, Corporates
and Government: a web-based solution to facilitate interbank, high-volume
electronic transactions which are repetitive and periodic in nature.
ECS will be replaced with NACH from 1.4.2016.
The NACH system provides a national footprint and is expected to cover all core
banking enabled bank branches spread across the geography of the country,
irrespective of the location of the bank branch.
The NACH system can be used for making bulk transactions towards distribution of
subsidies, dividends, interest, salary, pension etc., and also for bulk
transactions towards collection of payments pertaining to telephone,
electricity, water, loans, investments in mutual funds, insurance premium etc.
NACH's Aadhaar Payment Bridge (APB) System has been channelizing Government
subsidies and benefits to the intended beneficiaries using their Aadhaar
numbers. The APB System links the Government Departments and their sponsor
banks on one side and the beneficiary banks and beneficiaries on the other.

22. Cheque Truncation System (CTS) or Image-based Clearing System (ICS), in
India, is a project of the Reserve Bank of India (RBI), commencing in 2010, for
faster clearing of cheques. CTS is based on a cheque truncation or online
image-based cheque clearing system, where cheque images and magnetic ink
character recognition (MICR) data are captured at the collecting bank branch and
transmitted electronically.

Cheque truncation means stopping the flow of the physical cheques issued by a
drawer to the drawee branch. The physical instrument is truncated at some point
en route to the drawee branch and an electronic image of the cheque is sent to
the drawee branch along with the relevant information like the MICR fields, date
of presentation, presenting bank etc. This eliminates the need to move the
physical instruments across branches, except in exceptional circumstances,
resulting in an effective reduction in the time required for payment of cheques,
the associated cost of transit and delays in processing, etc., thus speeding up
the process of collection or realization of cheques.

CTS has been implemented in New Delhi, Chennai and Mumbai with effect from
February 1, 2008, September 24, 2011 and April 27, 2013 respectively. After
migration of the entire cheque volume from the MICR system to CTS, the
traditional MICR-based cheque processing has been discontinued across the
country. CTS-2010 compliant cheques are both image-friendly and have enhanced
security features. All banks providing cheque facility to their customers have
been advised to issue only 'CTS-2010' standard cheques. Cheques not complying
with CTS-2010 standards would be cleared at less frequent intervals, i.e. once a
week from November 1, 2014 onwards.
Banks derive multiple benefits through the implementation of CTS, like a faster
clearing cycle, meaning realization of the proceeds of a cheque within the same
day becomes technically possible. It offers better reconciliation/verification,
better customer service and an enhanced customer window. Operational efficiency
provides a direct boost to the bottom lines of banks, as clearing of local
cheques is a high-cost, low-revenue activity. Besides, it reduces operational
risk by securing the transmission route. Centralized image archival systems
ensure that data storage and retrieval is easy. Reduction of manual tasks leads
to reduction of errors. Real-time tracking and visibility of the cheques, and
fewer frauds with secured transfer of images to the RBI, are other benefits that
banks derive from this solution.

Initiatives by Government of India for Propagating e-Banking

For growth and development and to promote e-banking in India, the Indian
government and RBI have taken several initiatives.
The Government of India enacted the IT Act, 2000 with effect from October 17,
2000, which provided legal recognition to electronic transactions and other
means of electronic commerce.
The Reserve Bank monitors and reviews the legal requirements of e-banking on a
continuous basis to ensure that challenges related to e-banking do not pose any
threat to the financial stability of the nation.
The Dr. K.C. Chakrabarty Committee, including members from IIM, IDRBT, IIT and
the Reserve Bank, prepared the IT Vision Document 2011-17, which provides an
indicative road map, i.e. guidelines to enhance the usage of IT in the banking
sector.
The Reserve Bank is striving to make the payment systems more secure and
efficient. It has advised banks and other stakeholders to strengthen the
security aspects of internet banking by adopting certain security measures in a
timely manner. RBI believes that the growing popularity of these alternate
channels of payment (such as Internet Banking, Mobile Banking, ATM etc.) brings
an additional responsibility on banks to ensure safe and secure transactions
through these channels.
National Payments Corporation of India (NPCI) was permitted by the RBI to
enhance the number of mobile banking services and widen the IMPS (Immediate
Payment Service) channels like ATMs, internet, mobile etc. Along with this, NPCI
is also working to bring in more mobile network operators which can provide
mobile banking services through a common platform.

There has been a dramatic surge in the volume and value of mobile transactions
in the recent past.
The MoM increase in the number of transactions from Dec 14 to Dec 15 was 135%
and from Dec 15 to Dec 16 was 182%. The MoM increase in the value of
transactions from Dec 14 to Dec 15 was 330% and from Dec 15 to Dec 16 was 178%.
The future:
In the backdrop of demonetization (a colloquial term for the withdrawal of 86
percent of the value of India's currency in circulation by the Government of
India since 8th November 2016), followed by the digital push for a 'less cash'
economy, a dramatic multi-fold rise in e-banking transactions, and especially
mobile banking transactions, is expected in the near future.
Interactive Technology for Banks
With the launch of sbiINTOUCH on 1st July 2014, State Bank of India was the
first Bank in India to introduce the concept of "Digital Banking". State of the
art technology like Debit Card Printing Kiosks, Interactive Smart Tables,
Interactive Digital Screens, Remote Experts through video call etc. were
introduced to provide a completely different experience through an online
self-service mode. The key feature of these branches is that one can open a
savings bank account at an Account Opening Kiosk (AOK) within 15 minutes.
Besides that, one has access to a vast array of banking-related activities and
products.
India's first banking robot, Lakshmi, made her debut in November 2016 at City
Union Bank; the artificial intelligence powered robot will be the first on-site
bank helper. Lakshmi, which took more than six months to develop, can answer
intelligently on more than 125 subjects. Top private lender HDFC Bank, which is
also experimenting with robots to answer customer queries, is testing its
humanoid at its innovation lab.

ANATOMY OF A COMPUTER

The internal design of computers differs from one model to another, but the
basic components of a computer remain the same for all models. To function
properly, a computer needs both hardware and software. Hardware consists of the
mechanical and electronic devices which we can see and touch; keyboard, monitor
and DVD are some examples of computer hardware. Software consists of programs,
the operating systems and the data that reside in the memory and storage
devices; Java, Microsoft Office and Open Office are some examples of computer
software.

A computer mainly performs the following four functions.

1. Receive input - accept information from outside through various input
devices like keyboard, mouse etc.
2. Process information - perform arithmetic or logical operations on the
information.
3. Produce output - communicate information to the outside world through output
devices like monitor, printer etc.
4. Store information - store the information in storage devices like hard disk,
compact disk etc.

A computer has the following three main components.

a. Input/Output Unit
b. Central Processing Unit
c. Memory Unit

a) Input/Output Unit: A computer is a machine that processes the input data
according to a given set of instructions and gives the output. The unit used for
getting the data and instructions into the computer and displaying or printing
the output is known as the input/output unit. The keyboard is the main input
device, while the monitor is the main output device.

b) Central Processing Unit: The Central Processing Unit (CPU) is the main
component or 'brain' of the computer, which performs all the processing of input
data. In microcomputers, the CPU is built on a single chip or Integrated Circuit
(IC) and is called a Microprocessor. The CPU consists of the following distinct
parts:
i. Arithmetic Logic Unit (ALU)
ii. Control Unit (CU)
iii. Registers
iv. Buses
v. Clock

(i) Arithmetic Logic Unit: The arithmetic logic unit is responsible for all
arithmetic operations like addition, subtraction, multiplication and division,
as well as logical operations such as less than, equal to and greater than.

(ii) Control Unit: The control unit is responsible for controlling the transfer
of data and instructions among the other units of a computer. It is considered
the 'central nervous system' of the computer, as it manages and coordinates all
the units of the computer. It obtains the instructions from the memory,
interprets them and directs the operation of the computer.

(iii) Registers: Registers are small high speed circuits which are used to store data,
instructions and memory addresses, when ALU performs arithmetic and logical
operations. Depending on the processor’s capability, the number and type of
registers vary from one CPU to another.

(iv) Buses: Data is stored as a unit of eight bits in a register. Each bit is transferred
from one register to another by means of a separate wire. This group of eight wires
which is used as a common way to transfer data between registers is known as a
bus. Bus is a connection between two components to transmit signal between them.
Bus is of three major types namely data bus, control bus and address bus.

(v) Clock: Clock is an important component of CPU which measures and allocates a
fixed time slot for processing each and every micro-operation. CPU executes the
instructions in synchronization with the clock pulse. The clock speed of CPU is
measured in terms of Mega Hertz or millions of cycles per second. The clock speed
of CPU varies from one model to another.

c) Memory Unit: The memory unit is used to store the data, instructions and
information before, during and after processing by the ALU. It is actually a
work area (physically a collection of integrated circuits) within the computer
where the CPU stores the data and instructions. Memory is of two types:

i. Read Only Memory (ROM)
ii. Random Access Memory (RAM)

(i) Read Only Memory: Read Only Memory is an essential component of the
memory unit. The memory which holds essential instructions is known as Read Only
Memory. This memory is permanent and is not erased when the system is switched
off. The memory capacity of ROM varies from 64 KB to 256 KB depending on the
model of computer.

(ii) Random Access Memory: Random Access Memory is used to store data and
instructions during the execution of programs. Contrary to ROM, RAM is temporary
and is erased when the computer is switched off. RAM is a read/write type of
memory and thus can be both read and written by the user. As it is possible to
access any location of this memory at random, it is known as random access
memory. The memory capacity of RAM varies from 640 KB to several megabytes
with different models of computer.

Hardware and software are the two broad categories of computer components.
Hardware refers to the physical components, while software refers to the programs
required to operate computers.

Data Storage Devices

Alternatively referred to as digital storage, storage, storage media, or storage
medium, a storage device is any hardware capable of holding information either
temporarily or permanently.

There are two types of storage devices used with computers: a primary storage
device, such as RAM, and a secondary storage device, like a hard drive. Secondary
storage can be removable, internal, external or network storage. Some examples of
data storage devices are discussed below:

Magnetic storage devices

Today, magnetic storage is one of the most common types of storage used with
computers and is the technology that many computer hard drives use. Examples
are the floppy diskette, hard drive, magnetic strip, SuperDisk, tape cassette and Zip
diskette.

Optical storage devices

Another common storage type is optical storage, which uses lasers and light as its
method of reading and writing data. Examples are the Blu-ray disc, CD-ROM disc,
CD-R and CD-RW disc, DVD-R, DVD+R, DVD-RW and DVD+RW disc.

Flash memory devices

Flash memory has started to replace magnetic media as it becomes cheaper, since it
is the more efficient and reliable solution. Examples are the jump drive or flash drive,
memory card, memory stick, and SSD (Solid State Drive).

Online and cloud

Storing data online and in cloud storage is becoming popular as people need to
access their data from more than one device. Examples are Cloud storage and
Network media such as NAS (Network Attached Storage) & SAN (Storage Area
Network).

Paper storage

Early computers had no way of using any of the above technologies for storing
information and had to rely on paper. Today, these forms of storage are rarely used
or found. The picture to the right shows a woman entering data onto a punch card
using a punch card machine. Examples are OMR sheets and punch cards.

Most of the storage device examples mentioned are no longer used with today's
computers, which primarily use a hard disk drive or SSD to store information and
have the option of USB flash drives and access to cloud storage. Desktop
computers with disc drives typically use a drive that is capable of reading CDs
and DVDs and writing CD-R and other recordable discs.

For most computers, the largest storage device is the hard drive or SSD. However,
networked computers may also have access to even larger storage with large tape
drives, cloud computing, NAS or SAN storage devices. Below is a list of storage
devices from the smallest capacity to the largest capacity.

Introduction to Software

COMPUTER SOFTWARE-MEANING AND TYPES

Software could be considered as the language of a computer. It is the combination
of programmes/commands used by products containing processors. That is,
software is a set of programmes/commands designed to perform a well-defined task.
You have already learnt about the components of a computer, whether it is a
desktop/laptop/palmtop; each has both hardware and software. The tangible part is
the hardware, and the instructions that make the processors work are the software.
As we know, computers do not think for themselves, so they need software, which is
made to manipulate the hardware in such a way that you, the user, can understand.
In short, software is the set of instructions that tell a computer what it needs to do,
or the non-physical part of a computer: the programs and documentation that play a
part in a computer system's operation. JAVA, C++, Microsoft Office, Open Office
etc. are examples of computer software.

Software can be classified into different types such as system software,
application software, proprietary software, open source software, shareware and
freeware, which will be discussed in the following sections.

System Software

Now, we know that software is the language in which the user can interact with the
computer. The basic interaction of the user with the computer is through input
devices (you have already learnt about different input devices in an earlier chapter).
For example, if you use a keyboard for input, there are only some key strokes going
into the computer, with which we would like to get the task done. This is possible
when there is an interface which converts our inputs into something meaningful to
the system, and this interface is called system software. System software is a
collection of programmes or commands designed to operate, control, and extend the
processing capabilities of the computer. Examples of system software are the
operating system, compilers, interpreters and assemblers.

One needs to have a thorough knowledge of the grammar which the system can
understand; the syntax and semantics are very important. System software is
generally a bit tough and complex for a common person and is dealt with by
technically qualified persons.

System software is further subdivided into operating systems and utilities. The
operating system is the program that actually makes the computer operate.
Utilities are programs which either improve the functioning of the operating system
or supply missing or additional functionality.

An Operating System (OS) is system software that manages computer hardware
and software resources and provides common services for computer programs. The
operating system is a component of the system software in a computer system.
Application programs usually require an operating system in order to function.
Examples include Microsoft Windows (XP, Vista, or 7), any flavour of Linux, and Mac
OS X (Apple's version of UNIX).

The following is a list of some of the functions of the operating system:

• boot up the computer
• control the hard drives: this includes such features as formatting as well as
saving files to and retrieving files from disk
• control the input/output ports
• control input devices such as keyboard, mouse and scanner
• control output devices such as the video display and printer
• provide the functionality for computers to be linked in a network
• provide the foundation for application software to be launched
• enable application software to access and use the hardware

A compiler is a computer program (or a set of programs) that transforms source
code written in a programming language (the source language) into another
computer language (the target language), with the latter often having a binary form
known as object code.

An interpreter is a computer program that directly executes, i.e. performs,
instructions written in a programming or scripting language, without previously
compiling them into a machine language program.

An assembler is a program that takes basic computer instructions and converts
them into a pattern of bits that the computer's processor can use to perform its
basic operations. Some people call these instructions assembler language and
others use the term assembly language.

Utilities are programs that manage, repair, and optimize data on a computer. A basic
set of utilities is provided with every OS.

Application Software

Application Software is designed to run a particular application such as word
processing, presentation, drawing, communicating etc. It may be single software or
a combination in order to perform a particular application. Examples include payroll
software, reservation software, Microsoft Word, Libre Office Writer etc. Ease of use,
ease in manipulating and interactivity are some of the benefits of such software.

Application software does the specific things you want the computer to do, whereas
the Operating System gives general instructions to the computer for controlling the
hardware.

The table below gives a list of different types of application software, brand names
and functions:

Application: Word Processor
Brand Name: OpenOffice.org Writer, LibreOffice Writer, Microsoft Word
Function: Create, store, format and edit documents, letters and articles. Word
processors are used where the emphasis is on manipulation of text.

Application: Spreadsheet
Brand Name: OpenOffice.org Calc, LibreOffice Calc, Microsoft Excel
Function: Create financial statements, balance sheets, perform statistical and
numerical analysis of data and make forecasts based on numeric data.
Spreadsheets are used where the emphasis is on arithmetic.

Application: Presentation
Brand Name: OpenOffice.org, LibreOffice Impress, Microsoft PowerPoint
Function: Create slide shows, lectures, seminars and other types of presentation.

Application: Database
Brand Name: Sybase, MySQL, Microsoft Access
Function: Store and convert data into information. Databases are particularly
useful in working with large quantities of data.

Application: Web Browser
Brand Name: Mozilla, Chrome, Netscape, Internet Explorer
Function: Surf the Internet and view web sites.

Application: Desktop Publishing (DTP)
Brand Name: PageMaker, Microsoft Publisher
Function: DTP is similar to word processing except that there is more emphasis on
page layout and the integration of diagrams.

Application: Graphics and Imaging
Brand Name: Adobe Photoshop, GIMP
Function: Create and manipulate graphics images and store images in a variety of
formats.

Proprietary Software

Proprietary software is software that is owned by an individual or a company (usually
the one that developed it). There are almost always major restrictions on its use, and
its source code is almost always kept secret (source code is the version of the
software as it is originally written by a developer, in plain text readable as
alphanumeric characters). Sometimes such software is called 'closed code software',
which means the source code is not open for access. Most software is covered by
copyright which, along with contract law, patents, and trade secrets, provides the
legal basis for its owner to establish exclusive rights.

The owner of proprietary software exercises certain exclusive rights over the
software. The owner can restrict use, inspection of source code, modification of
source code, and redistribution. Proprietary software may also have licensing terms
that limit the usage of that software to a specific set of hardware. Apple has such a
licensing model for Mac OS X, an operating system which is limited to Apple
hardware, both by licensing and by various design decisions. Examples of
proprietary software include Microsoft Windows, Adobe Flash Player, PS3 OS,
iTunes, Adobe Photoshop, Google Earth, Mac OS X, Skype, WinRAR, Oracle's
version of Java and some versions of UNIX.

Open Source Software

The term "open source" refers to something that can be modified and shared
because its design is publicly accessible. Open source software is software whose
source code is available for modification or enhancement by anyone. Its authors
make the source code available to others who would like to view that code, copy it,
learn from it, alter it, or share it. Libre Office and the GNU Image Manipulation
Program are examples of open source software. As they do with proprietary
software, users must accept the terms of a license when they use open source
software, but the legal terms of open source licenses differ dramatically from those
of proprietary licenses. Open source software licenses promote collaboration and
sharing because they allow other people to make modifications to source code and
incorporate those changes into their own projects. Some open source licenses
ensure that anyone who alters and then shares a program with others must also
share that program's source code without charging a licensing fee for it.

LANGUAGES OF COMPUTER

A language is defined as the medium of expression of thoughts. All human beings
in this world communicate with each other through a language. Similarly, a computer
also needs some medium of expression to communicate with others.

A computer follows the instructions given by the programmer to perform a specific
job. To perform a particular task, the programmer prepares a sequence of
instructions, known as a program. A program written for a computer is known as
software. The program is stored in RAM. The CPU takes one instruction of the
program at a time from RAM and executes it. The instructions are executed one by
one in sequence and finally produce the desired result.

The journey of computer software from machine language to high level languages to
modern 4GL/5GL languages is an interesting one. Let us talk about this in detail.
FIRST GENERATION LANGUAGES 1GLs (Machine language)

When human beings started programming the computer, the instructions were
given to it in a language that it could easily understand, and that language was
machine language. The binary language, a language of 1s and 0s, is known as
machine language. Any instruction in this language is given in the form of a string of
1s and 0s, where the symbol 1 stands for the presence of an electrical pulse and 0
stands for the absence of an electrical pulse. A set of 1s and 0s such as 11101101
has a specific meaning to a computer even though it appears as a binary number to
us. Writing programs in machine language is very cumbersome and complicated,
and this was accomplished by experts only. All the instructions and input data are
fed to the computer in numeric form, specifically in binary form.
SECOND GENERATION LANGUAGES 2GLs (Assembly Language)

Many efforts were made during the last 50 years to overcome the difficulties faced
in using machine language. The first language similar to English was developed in
1950 and was known as Assembly Language or Symbolic Programming Language.
After 1960, the High Level Languages were developed, which brought the common
man very close to the computer. This was the main reason for the tremendous
growth of the computer industry. The high level languages are also known as
Procedure Oriented Languages.
THIRD GENERATION LANGUAGES (3GLs) (High Level Languages)

Assembly language was easier to use than machine language, as it relieved the
programmer of the burden of remembering the operation codes and addresses of
memory locations. Even though assembly languages proved to be a great help to the
programmer, the search continued for still better languages nearer to conventional
English. The languages developed in 1960, which were nearer to English and were
used for writing programs, were known as High Level Languages.

The different high level languages which can be used by the common user are
FORTRAN, COBOL, BASIC, PASCAL, PL-1 and many others. Each high level
language was developed to fulfil some basic requirements for a particular type of
problem, but further developments have been made in each language to widen its
utility for different purposes.
FOURTH GENERATION LANGUAGES (4GLs)

The 3GLs are procedural in nature, i.e., the HOW of the problem gets coded: the
procedures require knowledge of how the problem will be solved. Contrary to them,
4GLs are non-procedural. That is, only the WHAT of the problem is coded, i.e., only
'what is required' is specified and the rest gets done on its own.
Thus a big program in a 3GL may get replaced by a single statement of a 4GL. The
main aim of 4GLs is to cut down on development and maintenance time and to
make programming easier for users.

GUI BASED LANGUAGES

With the invention and popularity of GUI based interfaces, GUI based languages
were developed. These include:

1. TCL/Tk
2. Visual Basic
3. Visual C++
4. C# (pronounced as C sharp)
5. Visual Basic.NET
6. Visual Basic 2005

DBMS vs Relational DBMS

Relational software uses the concept of database normalization and the constraints
of primary and foreign keys to establish relationships between rows of data in
different database tables. That eliminates the need to redundantly store related data
in multiple tables, which reduces data storage requirements, streamlines database
maintenance and enables faster querying of databases. Normalization is a concept
that applies to relational databases only.

Another notable difference between DBMS and RDBMS architectures, leaving the
latter category out of the broad DBMS classification, is relational technology's
support for referential integrity and other integrity checks designed to help keep
data accurate and prevent inconsistent information from being entered in database
tables. That is part of an adherence to the ACID properties (atomicity, consistency,
isolation and durability) for ensuring that database transactions are processed in a
reliable way. That isn't necessarily the case with other DBMS types; for example,
many NoSQL databases guarantee a more limited form of ACID compliance, called
eventual consistency.

While these RDBMS concepts and features provide reliable, stable and relatively
robust processing of structured transaction data, relational technology does have
some limitations, in particular its requirement that databases include a rigid
schema that's difficult for DBAs to modify on the fly. That has helped create an
opening for NoSQL software and, to a greater extent, file-based Hadoop clusters in
big data environments, although relational databases are still at the center of most
IT architectures.

ACID properties (Atomicity, Consistency, Isolation & Durability)

Atomicity: Atomicity requires that each transaction be "all or nothing": if one part of
the transaction fails, then the entire transaction fails, and the database state is left
unchanged. An atomic system must guarantee atomicity in each and every situation,
including power failures, errors and crashes. To the outside world, a committed
transaction appears (by its effects on the database) to be indivisible ("atomic"), and
an aborted transaction does not happen.

Consistency: The consistency property ensures that any transaction will bring the
database from one valid state to another. Any data written to the database must be
valid according to all defined rules, including constraints, cascades, triggers, and any
combination thereof. This does not guarantee correctness of the transaction in all
ways the application programmer might have wanted (that is the responsibility of
application-level code), but merely that programming errors cannot result in the
violation of any defined rules.

Isolation: The isolation property ensures that the concurrent execution of
transactions results in a system state that would be obtained if the transactions were
executed sequentially, i.e., one after the other. Providing isolation is the main goal of
concurrency control. Depending on the concurrency control method (i.e., whether it
uses strict, as opposed to relaxed, serializability), the effects of an incomplete
transaction might not even be visible to another transaction.

Durability: The durability property ensures that once a transaction has been
committed, it will remain so, even in the event of power loss, crashes, or errors. In a
relational database, for instance, once a group of SQL statements executes, the
results need to be stored permanently (even if the database crashes immediately
thereafter). To defend against power loss, transactions (or their effects) must be
recorded in non-volatile memory.
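The atomicity and consistency properties above can be seen directly on a small ledger. The following Python example is added here and is not part of the original text; it uses Python's built-in sqlite3 module with a constructed two-account table (the account numbers A-1 and B-2, the opening balances and the no-overdraft CHECK rule are all assumed for illustration). A funds transfer is one transaction made of two UPDATE statements: when either step fails, the other is rolled back and the ledger is left exactly as it was, which is the "all or nothing" guarantee, and the CHECK constraint is the kind of "defined rule" that the consistency property protects. Durability is not shown because the database lives in memory.

```python
import sqlite3

# Constructed schema: a minimal ledger. The CHECK constraint is a "defined rule"
# in the sense of the consistency property: no transaction may leave an account
# overdrawn, so an update that would do so is rejected by the engine itself.
SCHEMA = """
CREATE TABLE account (
    acct_no TEXT PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
"""


def open_ledger():
    """Open an in-memory ledger seeded with two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # explicit BEGIN/COMMIT/ROLLBACK below
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO account VALUES ('A-1', 500), ('B-2', 100)")
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one atomic transaction.

    Returns True when the transaction committed and False when it was rolled
    back. Either the debit and the credit both happen, or neither does.
    """
    try:
        conn.execute("BEGIN")
        # Debit first: the CHECK constraint raises IntegrityError if src would
        # go negative, and the partial transaction is then rolled back.
        debit = conn.execute(
            "UPDATE account SET balance = balance - ? WHERE acct_no = ?",
            (amount, src),
        )
        if debit.rowcount != 1:
            raise sqlite3.IntegrityError("source account does not exist")
        credit = conn.execute(
            "UPDATE account SET balance = balance + ? WHERE acct_no = ?",
            (amount, dst),
        )
        if credit.rowcount != 1:
            # Unknown destination: the debit above must not survive on its own.
            raise sqlite3.IntegrityError("destination account does not exist")
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")
        return False


def balances(conn):
    """Current balance of every account, keyed by account number."""
    rows = conn.execute("SELECT acct_no, balance FROM account ORDER BY acct_no")
    return dict(rows)


def total_funds(conn):
    """Sum of all balances; a correct transfer never changes it."""
    return conn.execute("SELECT SUM(balance) FROM account").fetchone()[0]


if __name__ == "__main__":
    ledger = open_ledger()
    print(transfer(ledger, "A-1", "B-2", 200), balances(ledger))  # True, funds moved
    print(transfer(ledger, "A-1", "B-2", 600), balances(ledger))  # False, overdraft refused
    print(transfer(ledger, "A-1", "Z-9", 50), balances(ledger))   # False, no account Z-9
    print(total_funds(ledger))                                     # 600, unchanged
```

The third transfer is the interesting one: the debit of A-1 succeeds on its own, and only the credit fails. Without the surrounding transaction the 50 would simply vanish from the ledger; with it, the ROLLBACK restores A-1 and the total stays at 600.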

Database management system (DBMS)

A database management system (DBMS) is system software for creating and
managing databases. The DBMS provides users and programmers with a
systematic way to create, retrieve, update and manage data.

A DBMS makes it possible for end users to create, read, update and delete data in
a database. The DBMS essentially serves as an interface between the database
and end users or application programs, ensuring that data is consistently organized
and remains easily accessible.

The DBMS manages three important things: the data, the database engine that
allows data to be accessed, locked and modified, and the database schema,
which defines the database's logical structure. These three foundational elements
help provide concurrency, security, data integrity and uniform administration
procedures. Typical database administration tasks supported by the DBMS include
change management, performance monitoring/tuning and backup and recovery.
Many database management systems are also responsible for automated rollbacks,
restarts and recovery as well as the logging and auditing of activity.

The DBMS is perhaps most useful for providing a centralized view of data that can
be accessed by multiple users, from multiple locations, in a controlled manner. A
DBMS can limit what data the end user sees, as well as how that end user can view
the data, providing many views of a single database schema. End users and
software programs are free from having to understand where the data is physically
located or on what type of storage media it resides because the DBMS handles all
requests.

The DBMS can offer both logical and physical data independence. That means it
can protect users and applications from needing to know where data is stored or
having to be concerned about changes to the physical structure of data (storage
and hardware). As long as programs use the application programming interface
(API) for the database that is provided by the DBMS, developers won't have to
modify programs just because changes have been made to the database.

With relational DBMSs (RDBMSs), this API is SQL, a standard programming
language for defining, protecting and accessing data in an RDBMS.


Popular types of DBMSes

Popular database models and their management systems include:

• Relational database management system (RDBMS): adaptable to most use
cases, but Tier 1 RDBMS products can be quite expensive.
• NoSQL DBMS: well-suited for loosely defined data structures that may evolve
over time.
• In-memory database management system (IMDBMS): provides faster response
times and better performance.
• Columnar database management system (CDBMS): well-suited for data
warehouses that have a large number of similar data items.
• Cloud-based data management system: the cloud service provider is
responsible for providing and maintaining the DBMS.

Advantages of a DBMS
Using a DBMS to store and manage data comes with advantages, but also
overhead. One of the biggest advantages of using a DBMS is that it lets end users
and application programmers access and use the same data while managing data
integrity. Data is better protected and maintained when it can be shared using a
DBMS instead of creating new iterations of the same data stored in new files for
every new application. The DBMS provides a central store of data that can be
accessed by multiple users in a controlled manner.

Central storage and management of data within the DBMS provides:

• Data abstraction and independence
• Data security
• A locking mechanism for concurrent access
• An efficient handler to balance the needs of multiple applications using the
same data
• The ability to swiftly recover from crashes and errors, including restartability
and recoverability
• Robust data integrity capabilities
• Logging and auditing of activity
• Simple access using a standard application programming interface (API)
• Uniform administration procedures for data

Another advantage of a DBMS is that it can be used to impose a logical, structured
organization on the data. A DBMS delivers economy of scale for processing large
amounts of data because it is optimized for such operations.

A DBMS can also provide many views of a single database schema. A view defines
what data the user sees and how that user sees the data. The DBMS provides a
level of abstraction between the conceptual schema that defines the logical
structure of the database and the physical schema that describes the files, indexes
and other physical mechanisms used by the database. When a DBMS is used,
systems can be modified much more easily when business requirements change.
New categories of data can be added to the database without disrupting the existing
system and applications can be insulated from how data is structured and stored.

Of course, a DBMS must perform additional work to provide these advantages,
thereby bringing with it the overhead. A DBMS will use more memory and CPU than
a simple file storage system. And, of course, different types of DBMSes will require
different types and levels of system resources.
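The "many views of a single schema" point above is also how a DBMS limits what a user can see, which is the data security advantage listed earlier. The following Python example is added here and is not from the original text; it builds a constructed customer table in Python's built-in sqlite3 module (the names, branches, PAN strings and balances are invented sample values) and defines a view that exposes only branch-level totals. A reporting user who is granted access to the view alone never sees the PAN or any individual balance and cannot write through the view. SQLite has no GRANT statement, so the grant step is described in a comment rather than executed.

```python
import sqlite3


def open_customer_db():
    """In-memory database with a constructed customer table and a reporting view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE customer (
        cust_id INTEGER PRIMARY KEY,
        name    TEXT NOT NULL,
        branch  TEXT NOT NULL,
        pan     TEXT NOT NULL,   -- tax identifier: sensitive, never for reports
        balance INTEGER NOT NULL
    );
    -- Constructed sample rows (names, PANs and balances are invented).
    INSERT INTO customer VALUES
        (1, 'Krish',  'Delhi',   'AAAAA0000A',  5000),
        (2, 'Malini', 'Agra',    'BBBBB1111B', 12000),
        (3, 'Navin',  'Chennai', 'CCCCC2222C',   700),
        (4, 'Rekha',  'Delhi',   'DDDDD3333D',  2500);
    -- The view is the only object a reporting account would be allowed to read
    -- (in a server DBMS: GRANT SELECT ON branch_summary TO reporting_role).
    -- It omits pan and the per-customer balance and exposes aggregates only.
    CREATE VIEW branch_summary AS
        SELECT branch, COUNT(*) AS customers, SUM(balance) AS total_balance
        FROM customer
        GROUP BY branch;
    """)
    return conn


def columns_of(conn, relation):
    """Column names of a table or view as the schema catalogue reports them.

    `relation` is a trusted identifier from this script, not user input, which
    is the only reason it is safe to splice it into the PRAGMA text.
    """
    return [row[1] for row in conn.execute(f"PRAGMA table_info({relation})")]


def branch_summary(conn):
    """What the reporting user sees: branch -> (customer count, total balance)."""
    rows = conn.execute(
        "SELECT branch, customers, total_balance FROM branch_summary ORDER BY branch"
    )
    return {branch: (count, total) for branch, count, total in rows}


def try_write_through_view(conn):
    """An aggregate view is read-only; the engine refuses the write.

    Returns True if the update was refused, False if it went through.
    """
    try:
        conn.execute("UPDATE branch_summary SET total_balance = 0")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = open_customer_db()
    print(columns_of(db, "customer"))        # full table, including pan
    print(columns_of(db, "branch_summary"))  # branch, customers, total_balance
    print(branch_summary(db))
    print(try_write_through_view(db))        # True
```

The point for a control reviewer is that the restriction is enforced by the DBMS, not by the reporting application remembering to drop a column: whatever query the reporting user writes against branch_summary, the PAN column does not exist in the object they are permitted to read.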

RDBMS (Relational database management system)

A relational database management system (RDBMS) is a collection of programs
and capabilities that enable IT teams and others to create, update, administer and
otherwise interact with a relational database. Most commercial RDBMSes use
Structured Query Language (SQL) to access the database, although SQL was
invented after the initial development of the relational model and is not necessary
for its use.

RDBMS vs. DBMS

In general, databases store sets of data that can be queried for use in other
applications. A database management system supports the development,
administration and use of database platforms.

An RDBMS is a type of DBMS with a row-based table structure that connects
related data elements and includes functions that maintain the security, accuracy,
integrity and consistency of the data.

Functions of relational database management systems

Elements of the relational database management system that overarch the basic
relational database are so intrinsic to operations that it is hard to dissociate the two
in practice.

The most basic RDBMS functions are related to create, read, update and delete
operations, collectively known as CRUD. They form the foundation of a well-
organized system that promotes consistent treatment of data.

The RDBMS typically provides data dictionaries and metadata collections useful in
data handling. These programmatically support well-defined data structures and
relationships. Data storage management is a common capability of the RDBMS,
and this has come to be defined by data objects that range from binary large object
(blob) strings to stored procedures. Data objects like this extend the scope of basic
relational database operations and can be handled in a variety of ways in different
RDBMSes.

The most common means of data access for the RDBMS is via SQL. Its main
language components comprise data manipulation language (DML) and data
definition language (DDL) statements. Extensions are available for development
efforts that pair SQL use with common programming languages, such as COBOL
(Common Business-Oriented Language), Java and .NET.

RDBMSes use complex algorithms that support multiple concurrent user access to
the database, while maintaining data integrity. Security management, which
enforces policy-based access, is yet another overlay service that the RDBMS
provides for the basic database as it is used in enterprise settings.

RDBMSes support the work of database administrators (DBAs) who must manage
and monitor database activity. Utilities help automate data loading and database
backup. RDBMSes manage log files that track system performance based on
selected operational parameters. This enables measurement of database usage,
capacity and performance, particularly query performance. RDBMSes also provide
graphical interfaces that help DBAs visualize database activity.

While not limited solely to the RDBMS, ACID compliance is an attribute of relational
technology that has proved important in enterprise computing. Standing for
atomicity, consistency, isolation and durability, these capabilities have particularly
suited RDBMSes for handling business transactions.

Relational database management systems are central to key applications, such as
banking ledgers, travel reservation systems and online retailing. As RDBMSes have
matured, they have achieved increasingly higher levels of query optimization, and
they have become key parts of reporting, analytics and data warehousing
applications for businesses as well. RDBMSes are intrinsic to the operations of a
variety of enterprise applications and are at the center of most master data
management (MDM) systems.

NORMALIZATION OF A DATABASE

Normalization is the process of organizing the data in a database to avoid data
redundancy, insertion anomalies, update anomalies and deletion anomalies.
Normalization divides larger tables into smaller tables and links them using
relationships.

Let's discuss anomalies first, then we will discuss normal forms with examples.

Anomalies in DBMS

There are three types of anomalies that occur when the database is not normalized.
These are insertion, update and deletion anomalies. Let's take an example to
understand this.

Example: Suppose a manufacturing company stores the employee details in a table
named employee that has four attributes: emp_id for storing the employee's id,
emp_name for storing the employee's name, emp_address for storing the employee's
address and emp_dept for storing the department in which the employee works. At
some point in time the table looks like this:

emp_id   emp_name   emp_address   emp_dept
101      Krish      Delhi         D001
101      Krish      Delhi         D002
123      Malini     Agra          D890
166      Navin      Chennai       D900
166      Navin      Chennai       D004

The above table is not normalized. We will see the problems that we face when a
table is not normalized.

Update anomaly: In the above table we have two rows for employee Krish as he
belongs to two departments of the company. If we want to update the address of
Krish then we have to update the same in two rows or the data will become
inconsistent. If somehow the correct address gets updated in one department but
not in the other, then as per the database Krish would be having two different
addresses, which is not correct and would lead to inconsistent data.

Insert anomaly: Suppose a new employee joins the company who is under training
and currently not assigned to any department; then we would not be able to insert
the data into the table if the emp_dept field doesn't allow nulls.

Delete anomaly: Suppose at some point in time the company closes the department
D890; then deleting the rows that have emp_dept as D890 would also delete the
information of employee Malini, since she is assigned only to this department.

To overcome these anomalies we need to normalize the data. In the next section
we will discuss normalization.

Normalization

The inventor of the relational model, Edgar Codd, proposed the theory of
normalization with the introduction of First Normal Form, and he continued to extend
the theory with Second and Third Normal Form. Later he joined with Raymond F.
Boyce to develop the theory of Boyce-Codd Normal Form (BCNF).
The theory of data normalization in SQL is still being developed further. For example,
there are discussions even on 6th Normal Form. But in most practical applications
normalization achieves its best in 3rd Normal Form (3NF). The evolution of
normalization theories is illustrated below.

We need to understand the basic concepts of primary key, foreign key, candidate
key and super key in a relational database, before we proceed further to understand
the evolution of normal forms.

Super, Candidate, Primary & Foreign keys

A Super Key is the combination of fields by which the row is uniquely identified and
the Candidate Key is the minimal Super Key. Basically, a Candidate Key is a Super
Key from which no more Attribute can be pruned. A Super Key identifies uniquely
rows/tuples in a table/relation of a database.
A Primary Key uniquely identify a record in the table. A Foreign Key is a field in the
table that is Primary Key in another table. By default, Primary Key is clustered index
and data in the database table is physically organized in the sequence of clustered
index. We can have only one Primary Key in a table.

As discussed above, a Candidate Key can be any column or combination of
columns that qualifies as a unique key in a table, and there can be multiple
Candidate Keys in one table. A Primary Key, on the other hand, is the one Candidate
Key chosen to identify records. Thus each Candidate Key could serve as the Primary
Key, but only one of them is the Primary Key of a given table.
The above terms are used freely in the following discussion of normal forms. You
may notice that as normalization proceeds from 1NF to 2NF, 3NF and beyond, the
number of tables, and the number of foreign keys that link them, keep increasing.
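The following is an added, runnable illustration (not part of the original study material) of the deletion and insertion anomalies described above and of how 3NF plus a foreign key removes them. It uses Python's built-in sqlite3 module with a small constructed employee/department data set; the department names, locations and employee records are invented for the demonstration, and the Malini row plays the part of the employee who is the only member of her department.

```python
import sqlite3

# Constructed sample data (not from the study material): employees and their departments.
ROWS = [
    (101, "Ravi",   "D01", "Retail Banking", "Mumbai"),
    (102, "Priya",  "D01", "Retail Banking", "Mumbai"),
    (103, "Malini", "D02", "Treasury",       "Chennai"),
]


def unnormalized_demo():
    """One wide table: dept_name and dept_location depend on dept_id, not on emp_id
    (a transitive dependency), so deleting the only employee of a department also
    deletes every fact known about that department (deletion anomaly)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emp_dept (emp_id INTEGER PRIMARY KEY, emp_name TEXT, "
                "dept_id TEXT, dept_name TEXT, dept_location TEXT)")
    con.executemany("INSERT INTO emp_dept VALUES (?, ?, ?, ?, ?)", ROWS)
    con.execute("DELETE FROM emp_dept WHERE emp_name = 'Malini'")
    depts = [r[0] for r in con.execute("SELECT DISTINCT dept_name FROM emp_dept")]
    con.close()
    return depts  # 'Treasury' has disappeared with Malini


def normalized_schema(enforce_fk=True):
    """Third normal form: department facts are stored once in DEPARTMENT and EMPLOYEE
    refers to them through a foreign key. Returns an open in-memory connection."""
    con = sqlite3.connect(":memory:")
    if enforce_fk:
        # SQLite ignores FOREIGN KEY clauses unless this pragma is ON for the connection.
        con.execute("PRAGMA foreign_keys = ON")
    con.execute("CREATE TABLE department (dept_id TEXT PRIMARY KEY, "
                "dept_name TEXT NOT NULL, dept_location TEXT NOT NULL)")
    con.execute("CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, emp_name TEXT NOT NULL, "
                "dept_id TEXT NOT NULL REFERENCES department(dept_id))")
    con.executemany("INSERT OR IGNORE INTO department VALUES (?, ?, ?)",
                    [(d, n, loc) for _, _, d, n, loc in ROWS])
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                    [(e, name, d) for e, name, d, _, _ in ROWS])
    return con


def normalized_demo():
    """Deleting Malini now removes only the employee row; the department survives."""
    con = normalized_schema()
    con.execute("DELETE FROM employee WHERE emp_name = 'Malini'")
    depts = [r[0] for r in con.execute("SELECT dept_name FROM department ORDER BY dept_id")]
    con.close()
    return depts


def orphan_insert_rejected(enforce_fk=True):
    """Insertion check: an employee in a non-existent department must be refused.
    Returns True if the database rejected the orphan row."""
    con = normalized_schema(enforce_fk)
    try:
        con.execute("INSERT INTO employee VALUES (104, 'Arjun', 'D99')")
        return False
    except sqlite3.IntegrityError:
        return True
    finally:
        con.close()


if __name__ == "__main__":
    print("unnormalized, after deleting Malini:", unnormalized_demo())
    print("normalized, after deleting Malini:  ", normalized_demo())
    print("orphan rejected with FK enforcement:", orphan_insert_rejected(True))
    print("orphan rejected without enforcement:", orphan_insert_rejected(False))
```

Note the PRAGMA: SQLite does not enforce FOREIGN KEY clauses unless it is switched on for each connection, so a schema that looks normalized can still accept orphan rows; the last two calls show the difference. The same check (does the engine actually enforce the constraint, or merely declare it?) is worth making on any database that backs a banking application.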

Software Development Life Cycle (SDLC)

The software development life cycle (SDLC) is a framework defining the tasks
performed at each step of the software development process. It is the structure
followed by a development team within a software organisation and consists of a
detailed plan describing how to develop, maintain and eventually replace specific
software. The life cycle defines a methodology for improving the quality of the
software and of the overall development process.
The software development life cycle is also known as the software development
process.

SDLC consists of following activities:

1. Planning: Requirement gathering (requirement analysis) is one of the most
important parts of software development and is usually done by the most skilled
and experienced software engineers in the organisation. After the requirements
are gathered from the client, a scope document is created in which the scope of
the project is determined and documented.
2. Implementation: The software engineers write the code according to the
client's requirements.
3. Testing: This is the process of finding defects or bugs in the created software
before it is released.
4. Documentation: Every step in the project is documented for future reference
and for the improvement of the software during development. The design
documentation may include the description of the application programming
interface (API).
5. Deployment: The software is deployed after it has been approved for release.
6. Maintenance: After release the software is corrected, adapted and enhanced.
Software improvement and new requirements (change requests) can take longer
than the initial development of the software.

There are several software development models followed by various organizations:

• Waterfall Model: This model involves finishing each phase completely before
commencing the next one. When each phase is completed successfully, it is
reviewed to see if the project is on track and whether it is feasible to
continue.
• V-Shaped Model: This model focuses on the execution of processes in a
sequential manner, similar to the waterfall model but with more importance
placed on testing. Testing procedures are written even before the
commencement of writing code. A system plan is generated before starting
the development phase.
• Incremental Model: This life cycle model involves multiple development
cycles. The cycles are divided up into smaller iterations. These iterations can
be easily managed and go through a set of phases including requirements,
design, implementation and testing. A working version of the software is
produced during the first iteration, so working software is created early in the
development process.
Computer Network

A computer network is a group of computer systems and other computing hardware
devices that are linked together through communication channels to facilitate
communication and resource sharing among a wide range of users. Networks are
commonly categorised based on their characteristics.

One of the earliest examples of a computer network was a network of
communicating computers that functioned as part of the U.S. military's
Semi-Automatic Ground Environment (SAGE) radar system. In 1969, the University
of California at Los Angeles, the Stanford Research Institute, the University of
California at Santa Barbara and the University of Utah were connected as part of
the Advanced Research Projects Agency Network (ARPANET) project. It is this
network that evolved to become what we now call the Internet.
Networks are used to:

• Facilitate communication via email, video conferencing, instant messaging, etc.
• Enable multiple users to share a single hardware device like a printer or
scanner
• Enable file sharing across the network
• Allow for the sharing of software or operating programs on remote
systems
• Make information easier to access and maintain among network users

There are many types of networks, including:

• Local Area Networks (LAN)
• Personal Area Networks (PAN)
• Home Area Networks (HAN)
• Wide Area Networks (WAN)
• Campus Networks
• Metropolitan Area Networks (MAN)
• Enterprise Private Networks
• Internetworks
• Backbone Networks (BBN)
• Global Area Networks (GAN)
• The Internet

Networking Systems

Data communication refers to the exchange of data between a source and a
receiver over some form of transmission medium, such as a wire cable. Data
communication is said to be local if the communicating devices are in the same
building or a similarly restricted geographical area.
The meanings of source and receiver are simple: the device that transmits the data
is the source and the device that receives the transmitted data is the receiver.
Data communication is concerned with the transfer of the data and its preservation
during the process, not with the generation of the information at the source or its
use at the receiver.
Data (singular datum) means facts, information, statistics or the like, derived by
calculation or experimentation. The facts and information so gathered are
processed in accordance with defined procedures. Data can exist in a variety of
forms such as numbers, text, bits and bytes. The figure is an illustration of a simple
data communication system.
The term data is used here to describe information, in whatever form it is
represented.
A data communication system may collect data from remote locations through data
transmission circuits and then output the processed results to remote locations. The
figure provides a broader view of data communication networks. The different data
communication techniques now in widespread use evolved gradually, either to
improve the techniques already existing or to replace them with better options and
features. There is also data communication jargon to contend with, such as baud
rate, modem, router, LAN, WAN, TCP/IP and ISDN, when selecting communication
systems. Hence it is necessary to review and understand these terms and the
gradual development of data communication methods.
Components of data communication system
A Communication system has following components:
1. Message: It is the information or data to be communicated. It can consist of text,
numbers, pictures, sound or video or any combination of these.
2. Sender: It is the device or computer that generates and sends the message.
3. Receiver: It is the device or computer that receives the message. The location of
receiver computer is generally different from the sender computer. The distance
between sender and receiver depends upon the types of network used in between.
4. Medium: It is the channel or physical path through which the message is carried
from sender to the receiver. The medium can be wired like twisted pair wire, coaxial
cable, fiber-optic cable or wireless like laser, radio waves, and microwaves.
5. Protocol: It is a set of rules that govern the communication between the devices.
Both sender and receiver follow same protocols to communicate with each other.
A protocol performs the following functions:
1. Data sequencing. This refers to breaking a long message into smaller packets of
fixed size. Data sequencing rules define the method of numbering packets so that
loss or duplication of packets can be detected and the packets belonging to the
same message can be correctly identified and reordered.
2. Data routing. Data routing defines the most efficient path between the source
and the destination.
3. Data formatting. Data formatting rules define which group of bits or characters
within a packet constitute data, control, addressing or other information.
4. Flow control. A communication protocol also prevents a fast sender from
overwhelming a slow receiver. It ensures resource sharing and protection against
traffic congestion by regulating the flow of data on the communication lines.
5. Error control. These rules are designed to detect errors in messages and to
ensure the delivery of correct messages. The most common method is to
retransmit the erroneous message block: a block found to contain an error is
discarded by the receiver and retransmitted by the sender. (Error control detects
accidental corruption; it is not a defence against deliberate modification, which
requires a keyed integrity check such as a message authentication code.)
6. Precedence and order of transmission. These rules ensure that all the nodes get
a chance to use the communication lines and other resources of the network,
based on the priorities assigned to them.
7. Connection establishment and termination. These rules define how connections
are established, maintained and terminated when two nodes of a network want to
communicate with each other.
8. Data security. Providing data security and privacy is also built into most
communication software packages, to prevent access to the data by unauthorised
users.
9. Log information. Many communication software packages are designed to
produce log information, which records all jobs and data communication tasks that
have taken place. Such information may be used for charging the users of the
network based on their usage of network resources.
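As an added, runnable illustration of functions 1, 3, 4 and 5 above (data sequencing, data formatting, flow control and error control), the following Python program, which is not part of the original study material, implements a toy protocol: the sender splits a message into numbered fixed-size packets, each carrying a CRC-32 of its payload; a constructed channel drops one packet and flips a bit in another; and the receiver discards the damaged block, reports what is missing and has only those packets retransmitted before reassembling the message in order. The packet layout, the 8-byte payload size, the window size and the sample message are assumptions made for the demonstration, not a real wire protocol.

```python
import struct
import zlib

# Data formatting: a fixed header says which bits are control information and which
# are payload.  seq = packet number, total = packets in the message, plen = payload
# length, crc = CRC-32 of the payload (error control).
HDR = struct.Struct("!HHHI")
PAYLOAD = 8  # fixed payload size chosen for the demonstration


def segment(message: bytes) -> list:
    """Data sequencing: split a message into numbered, fixed-size packets."""
    chunks = [message[i:i + PAYLOAD] for i in range(0, len(message), PAYLOAD)] or [b""]
    total = len(chunks)
    return [HDR.pack(seq, total, len(c), zlib.crc32(c)) + c for seq, c in enumerate(chunks)]


def parse(packet: bytes):
    """Separate header from payload; return None if the block is truncated or its CRC fails."""
    seq, total, plen, crc = HDR.unpack_from(packet)
    payload = packet[HDR.size:HDR.size + plen]
    if len(payload) != plen or zlib.crc32(payload) != crc:
        return None
    return seq, total, payload


def flip_bit(packet: bytes, bit: int) -> bytes:
    """Constructed channel fault: corrupt one bit of the payload."""
    b = bytearray(packet)
    b[HDR.size + bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def transfer(message: bytes, drop=(), corrupt=(), window=4):
    """Simulate one transfer. `drop` and `corrupt` are the sequence numbers the channel
    damages on the first attempt. Returns (reassembled message, retransmission count)."""
    packets = segment(message)
    total = len(packets)
    received = {}
    retransmissions = 0
    pending = list(range(total))
    first_attempt = True
    while pending:
        # Flow control: at most `window` packets are outstanding at a time.
        burst, pending = pending[:window], pending[window:]
        for seq in burst:
            pkt = packets[seq]
            if first_attempt and seq in drop:
                continue  # lost on the wire
            if first_attempt and seq in corrupt:
                pkt = flip_bit(pkt, 3)
            parsed = parse(pkt)
            if parsed is None:
                continue  # receiver discards the damaged block
            received[parsed[0]] = parsed[2]
        if not pending:
            # Receiver reports what is missing; sender retransmits only those blocks.
            missing = [s for s in range(total) if s not in received]
            retransmissions += len(missing)
            pending = missing
            first_attempt = False
    return b"".join(received[s] for s in range(total)), retransmissions


if __name__ == "__main__":
    msg = b"Transfer INR 5000 from A/C 1234 to A/C 9876"  # constructed sample message
    print(transfer(msg, drop={1}, corrupt={3}))
```

The CRC catches accidental corruption, which is what error control in a protocol is for; it would not catch a deliberate modification, since anyone who can alter the payload can recompute the CRC. Integrity against an attacker needs a keyed check (a MAC), which is what the data security function of a protocol must add on top of error control.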
The effectiveness of a data communication system depends on four fundamental
characteristics:
1. Delivery: The data must be delivered to the correct destination, and only to that
destination.
2. Accuracy: The data must be delivered without alteration.
3. Timeliness: The data must be delivered in a timely manner; data delivered late
may be useless (audio or video, for example, must arrive in the order produced
and without significant delay).
4. Jitter: Jitter is the variation in packet arrival time; uneven delay between packets
causes uneven quality, again most noticeably for audio and video.
Network

A network consists of two or more computers that are linked in order to share
resources (such as printers and CDs), exchange files, or allow electronic
communications. The computers on a network may be linked through cables,
telephone lines, radio waves, satellites, or infrared light beams.

Two very common types of networks are:

• Local Area Network (LAN)
• Wide Area Network (WAN)

You may also see references to Metropolitan Area Networks (MAN), Wireless LANs
(WLAN) and Wireless WANs (WWAN).

Local Area Network


A Local Area Network (LAN) is a network that is confined to a relatively small area.
It is generally limited to a geographic area such as a writing lab, school, or building.

Computers connected to a network are broadly categorised as servers or
workstations. Servers are generally not used by humans directly, but rather run
continuously to provide "services" to the other computers (and their human users)
on the network. Services provided can include printing and faxing, software hosting,
file storage and sharing, messaging, data storage and retrieval, complete access
control (security) for the network's resources, and many others.

Workstations are so called because they typically have a human user who interacts
with the network through them. Workstations were traditionally a desktop, consisting
of a computer, keyboard, display and mouse, or a laptop with integrated keyboard,
display and touchpad. With the advent of tablet computers and touch-screen devices
such as the iPad and iPhone, the definition of a workstation is quickly evolving to
include those devices, because of their ability to interact with the network and use
network services.

Servers tend to be more powerful than workstations, although configurations are
guided by needs. For example, a group of servers might be located in a secure area,
away from humans, and only accessed through the network. In such cases, it would
be common for the servers to operate without a dedicated display or keyboard.
However, the size and speed of the server's processor(s), hard drive, and main
memory might add dramatically to the cost of the system. On the other hand, a
workstation might not need as much storage or working memory, but might require
an expensive display to accommodate the needs of its user. Every computer on a
network should be appropriately configured for its use.

On a single LAN, computers and servers may be connected by cables or wirelessly.
Wireless access to a wired network is made possible by wireless access points
(WAPs). These WAP devices provide a bridge between computers and networks. A
typical WAP might have the theoretical capacity to connect hundreds or even
thousands of wireless users to a network, although practical capacity might be far
less.

Nearly always servers will be connected by cables to the network, because the
cable connections remain the fastest. Workstations which are stationary (desktops)
are also usually connected by a cable to the network, although the cost of wireless
adapters has dropped to the point that, when installing workstations in an existing
facility with inadequate wiring, it can be easier and less expensive to use wireless
for a desktop.

See the section on network topologies (Types of Network Connections) below for
more information on the configuration of a LAN.
Wide Area Network

Wide Area Networks (WANs) connect networks over larger geographic areas.
Dedicated transoceanic cabling or satellite uplinks may be used to connect this type
of global network.
A WAN is a group of widely dispersed computers that are connected together; they
could be across the same town, across a country or across the world. Apart from
distance, the other feature that distinguishes a WAN from a LAN is that a WAN
makes use of a range of communication technologies such as telephone,
microwave and satellite links. Many of the distance limitations of a LAN are
overcome by a WAN, and most WANs are made up of several LANs connected
together.

Types of Network Connections


Computer networks can be described by their topology, that is, the way in which the
computers are connected. The most common topology today is a star wired to a
central switch (sometimes called a collapsed ring), which is due to the success of the
network protocol called Ethernet. Ethernet is the dominant local area network
technology, and LANs built on it connect through routers to wide area networks and
the Internet.

Star Topology
A star topology is a design of a network where a central node extends a cable to
each computer on the network. On a star network, computers are connected
independently to the center of the network. If a cable is broken, the other computers
can operate without problems. A star topology requires a lot of cabling.

Bus Topology
A bus topology is another type of design where a single cable connects all
computers and the information intended for the last node on the network must run
through each connected computer. If a cable is broken, all computers connected
down the line cannot reach the network. The benefit of a bus topology is a minimal
use of cabling.

Ring Topology
A similar topology is called a ring. In this design, computers are connected via a
single cable, but the end nodes are also connected to each other, so that the cable
forms a loop. The signal circulates around the ring until it reaches the intended
recipient. If a network node is not configured properly, or is down temporarily for
another reason, the ring is broken at that point and traffic cannot pass it.
A collapsed ring is a topology where the central node is a network device such as
a hub, a switch or a router. The ring (or bus) exists only inside the device, which
provides sockets for the cables; each computer then has an independent cable which
plugs into the device, so that physically the network is a star. Most modern offices
have a cabling closet, a space containing the switch that connects the network. All
computers in the office connect to the cabling closet and the switch: even when a
network socket is next to a desk, that socket is connected by a cable back to the
cabling closet.

Network Controls

Network security is an over-arching term that describes the policies and
procedures implemented by a network administrator to prevent and keep track of
unauthorised access to, exploitation of, modification of, or denial of the network and
its resources.
This means that well-implemented network security blocks viruses, malware,
hackers, etc. from accessing or altering protected information.
The first layer of network security is enforced through a username/password
mechanism, which only allows access to authenticated users with customised
privileges. Once a user is authenticated and granted specific system access, the
configured firewall enforces the network policy, that is, which services the user may
reach. However, firewalls do not always detect and stop viruses or harmful
malware, which may lead to data loss, so anti-virus software or an intrusion
prevention system (IPS) is implemented to prevent viruses and other malware from
entering the network.
Network security is sometimes confused with information security, which has a
wider scope and relates to the confidentiality, integrity and availability of information
in all its forms, print or electronic.

Some of the most commonly used network devices are:

Modem
A modem is a network device that both modulates and demodulates analog carrier
signals (called sine waves) for encoding and decoding digital information for
processing. Modems accomplish both of these tasks simultaneously and, for this
reason, the term modem is a combination of "modulate" and "demodulate."

Repeater
A repeater is a network device that retransmits a received signal with more power
and to an extended geographical or topological network boundary than what would
be capable with the original signal.

Switch

A switch, in the context of networking, is a high-speed device that receives incoming
frames and forwards each one only to the port where the destination device is
connected, on a local area network (LAN). A LAN switch operates at the data link
layer (Layer 2) of the OSI model, learning which MAC address is reachable through
which port; a multilayer (Layer 3) switch can additionally route by IP address.
Because a Layer 2 switch looks only at the frame header, it is independent of the
higher-layer protocols carried inside the frames.

Hub
A hub, also called a network hub, is a common connection point for devices in a
network. Hubs are devices commonly used to connect segments of a LAN. The
hub contains multiple ports; when a frame arrives at one port, it is copied to all the
other ports so that every segment of the LAN sees every frame. This also means
that any device attached to a hub can read traffic meant for the other devices, which
is one reason hubs have been replaced by switches.

Gateway
In computer networking and telecommunications, a gateway is a component
that is part of two networks, which use different protocols. The gateway will
translate one protocol into the other. A router is a special case of a gateway.
Gateways, also called protocol converters, can operate at any network layer. The
activities of a gateway are more complex than that of the router or switch as it
communicates using more than one protocol.
Both the computers of Internet users and the computers that serve pages to users
are host nodes. The nodes that connect the networks in between are gateways.
Examples of gateway nodes are:

• the computers that control traffic between company networks
• the computers used by Internet service providers (ISPs) to connect users to
the Internet
Computer Network | Layers of OSI Model
OSI stands for Open Systems Interconnection. The model was developed by the
International Organization for Standardization (ISO); work on it began in the late
1970s and it was published as a standard in 1984. It is a seven-layer architecture,
each layer having a specific function to perform. All seven layers work together to
transmit data from one system to another across the globe.
1. Physical Layer (Layer 1) :
The lowest layer of the OSI reference model is the physical layer. It is responsible
for the actual physical connection between the devices and carries information in
the form of bits. When receiving data, this layer takes the signal received, converts it
into 0s and 1s and passes them to the data link layer, which puts the frame back
together.

The functions of the physical layer are :

1. Bit synchronization: The physical layer provides the synchronization of the bits
by providing a clock. This clock controls both sender and receiver thus
providing synchronization at bit level.
2. Bit rate control: The Physical layer also defines the transmission rate i.e. the
number of bits sent per second.
3. Physical topologies: The physical layer specifies the way in which the different
devices/nodes are arranged in a network, i.e. bus, star or mesh topology.
4. Transmission mode: Physical layer also defines the way in which the data
flows between the two connected devices. The various transmission modes
possible are: Simplex, half-duplex and full-duplex.
* Hub, Repeater, Modem, Cables are Physical Layer devices.
** Network Layer, Data Link Layer and Physical Layer are also known as Lower
Layers or Hardware Layers.
2. Data Link Layer (DLL) (Layer 2) :
The data link layer is responsible for the node-to-node delivery of the message. The
main function of this layer is to make sure that data transfer is error-free from one
node to another over the physical layer. When a packet arrives in a network, it is
the responsibility of the DLL to deliver it to the host using its MAC address.
The data link layer is divided into two sublayers:
1. Logical Link Control (LLC)
2. Media Access Control (MAC)
The packet received from the network layer is divided into frames according to the
frame size of the NIC (Network Interface Card). The DLL also places the sender's and
receiver's MAC addresses in the frame header.
The receiver's MAC address is obtained by placing an ARP (Address Resolution
Protocol) request on the wire asking "Who has this IP address?", to which the
destination host replies with its MAC address. ARP has no authentication, so any
host on the segment can answer for an address that is not its own (ARP spoofing);
address resolution on a LAN must therefore not be relied on as a security control.

The functions of the data Link layer are :


1. Framing: Framing is a function of the data link layer. It provides a way for a
sender to transmit a set of bits that are meaningful to the receiver. This can be
accomplished by attaching special bit patterns to the beginning and end of the
frame.
2. Physical addressing: After creating frames, Data link layer adds physical
addresses (MAC address) of sender and/or receiver in the header of each
frame.
3. Error control: Data link layer provides the mechanism of error control in which it
detects and retransmits damaged or lost frames.
4. Flow control: The sender must not transmit faster than the receiver can absorb,
otherwise frames are lost; flow control coordinates the amount of data that can be
sent before an acknowledgement is received.
5. Access control: When a single communication channel is shared by multiple
devices, MAC sub-layer of data link layer helps to determine which device has
control over the channel at a given time.
* Packet in Data Link layer is referred as Frame.
** Data Link layer is handled by the NIC (Network Interface Card)
and device drivers of host machines. *** Switch & Bridge are Data
Link Layer devices.
3. Network Layer (Layer 3) :
The network layer works for the transmission of data from one host to another
located in a different network. It also takes care of packet routing, i.e. selection of the
best path to transmit the packet from among the routes available. The sender's and
receiver's IP addresses are placed in the header by the network layer.
The functions of the Network layer are :
1. Routing: The network layer protocols determine which route is suitable from
source to destination. This function of network layer is known as routing.
2. Logical Addressing: In order to identify each device on internetwork uniquely,
network layer defines an addressing scheme. The sender & receiver’s IP
address are placed in the header by network layer. Such an address
distinguishes each device uniquely and universally. * Segment in Network
layer is referred as Packet.

** Network layer is implemented by networking devices such as routers.

4. Transport Layer (Layer 4) :


The transport layer provides services to the application layer and takes services
from the network layer. The data in the transport layer is referred to as segments. It
is responsible for the end-to-end delivery of the complete message. The transport
layer also provides acknowledgement of successful data transmission and
retransmits the data if an error is found.
• At the sender's side:
The transport layer receives the formatted data from the upper layers, performs
segmentation and also implements flow and error control to ensure proper data
transmission. It adds the source and destination port numbers to its header and
forwards the segments to the network layer.
Note: The sender needs to know the port number associated with the receiver's
application. Generally this destination port number is configured, either by default or
manually. For example, when a web browser makes a request to a web server, it
typically uses port 80 for HTTP (or 443 for HTTPS), because these are the default
ports assigned to those services. Many applications have a default port assigned.
• At receiver’s side:
Transport Layer reads the port number from its header and forwards the Data which
it has received to the respective application. It also performs sequencing and
reassembling of the segmented data. The functions of the transport layer are :
1. Segmentation and Reassembly: This layer accepts the message from the
(session) layer , breaks the message into smaller units . Each of the segment
produced has a header associated with it. The transport layer at the
destination station reassembles the message.
2. Service Point Addressing: In order to deliver the message to correct process,
transport layer header includes a type of address called service point address
or port address. Thus by specifying this address, transport layer makes sure
that the message is delivered to the correct process.
The services provided by transport layer :
1. Connection-oriented service: This is a three-phase process which includes
– connection establishment
– data transfer
– termination (disconnection)
In this type of transmission the receiving device sends an acknowledgement back
to the source after a packet or group of packets is received. This type of transmission
is reliable; it is not by itself secure, since an acknowledged connection (TCP, for
example) provides no confidentiality or authentication unless a protocol such as TLS
or IPsec is layered on it.
2. Connectionless service: This is a one-phase process consisting only of data
transfer. In this type of transmission the receiver does not acknowledge receipt of a
packet. This approach allows for much faster communication between devices, but
connection-oriented service is more reliable than connectionless service.
* Data in the Transport Layer is called as Segments.
** Transport layer is operated by the Operating System. It is a part
of the OS and communicates with the Application Layer by making
system calls.
Transport Layer is called as Heart of OSI model.
5. Session Layer (Layer 5) :
This layer is responsible for the establishment of connections and the maintenance
and termination of sessions between applications. Some descriptions also assign
authentication and security to this layer; in practice those services are provided by
other layers, for example TLS or IPsec.
The functions of the session layer are :
1. Session establishment, maintenance and termination: The layer allows the two
processes to establish, use and terminate a connection.
2. Synchronization : This layer allows a process to add checkpoints which are
considered as synchronization points into the data. These synchronization
point help to identify the error so that the data is re-synchronized properly, and
ends of the messages are not cut prematurely and data loss is avoided.
3. Dialog Controller : The session layer determines which device will
communicate first and the amount of data that will be sent.
** The session, presentation and application layers (layers 5, 6 and 7) are
integrated into a single layer in the TCP/IP model, the "Application Layer".
Implementation of these three layers is done by the network application itself, and
they are also known as the Upper Layers or Software Layers.
SCENARIO:
Let us consider a scenario where a user wants to send a message through a
messenger application running in his browser. The messenger here acts as the
application layer, which provides the user with an interface to create the data. This
message, the so-called data, is compressed, encrypted (if it is to be kept
confidential) and finally converted into bits (0s and 1s) so that it can be transmitted.
6. Presentation Layer (Layer 6) :
The presentation layer is also called the translation layer. The data from the
application layer is extracted here and manipulated into the format required to
transmit it over the network.
The functions of the presentation layer are :
1. Translation : For example, ASCII to EBCDIC.
2. Encryption/ Decryption : Data encryption translates the data into another
form or code. The encrypted data is known as the cipher text and the
decrypted data is known as plain text. A key value is used for encrypting as
well as decrypting data.
3. Compression: Reduces the number of bits that need to be transmitted on the
network.

7. Application Layer (Layer 7) :


At the very top of the OSI reference model stack of layers we find the application
layer, which is implemented by the network applications. These applications produce
the data which has to be transferred over the network. This layer also serves as the
window for the application services to access the network and for displaying the
received information to the user.
Ex: Applications such as browsers and Skype Messenger.
** The application layer is also called the desktop layer.

The functions of the application layer are:

1. Network Virtual Terminal
2. FTAM - File Transfer, Access and Management
3. Mail Services
4. Directory Services
The OSI model is a reference model; it is not the model actually implemented on
the Internet, which was built on the TCP/IP model before OSI was standardised.
The model in use today is therefore the TCP/IP model, but the OSI layers remain
the common vocabulary for describing where a protocol or a security control sits.
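The encapsulation described for layers 2 to 4 can be seen directly by parsing a frame. The following Python program is an added example, not taken from the study material, and works on a constructed Ethernet II / IPv4 / TCP frame embedded as a hex string (a SYN from the private address 192.168.1.10 to the documentation address 203.0.113.5, destination port 80). It pulls out the data link layer's MAC addresses, the network layer's IP addresses, TTL and protocol number (verifying the IPv4 header checksum as a receiving host would), and the transport layer's port numbers and flags. The MAC addresses, IP addresses and sequence number are invented for the sample; the TCP checksum is left as zero in the constructed frame and is not verified.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP SYN to port 80.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                    # L2: dst MAC, src MAC, EtherType IPv4
    "45000028" "12344000" "40062ae4" "c0a8010a" "cb007105"  # L3: IPv4 header, 20 bytes, proto 6
    "c3a00050" "00000001" "00000000" "5002ffff" "00000000"  # L4: TCP header, 20 bytes, SYN
)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; caller zeroes the checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Peel the frame layer by layer, returning what each layer's header tells us."""
    out = {}
    # Layer 2 (data link): MAC addresses identify the next hop on the local segment.
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["l2"] = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out  # not IPv4; nothing more this parser understands
    # Layer 3 (network): IP addresses identify the end hosts across networks.
    pkt = frame[14:]
    (ver_ihl, _tos, tlen, _ident, _frag, ttl, proto,
     csum, s, d) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[10:12] = b"\x00\x00"  # checksum is computed with its own field zeroed
    out["l3"] = {"version": ver_ihl >> 4, "src_ip": ip_str(s), "dst_ip": ip_str(d),
                 "ttl": ttl, "protocol": proto, "total_length": tlen,
                 "checksum_ok": ipv4_checksum(bytes(hdr)) == csum}
    if proto != 6:
        return out  # not TCP
    # Layer 4 (transport): port numbers identify the application process on each host.
    seg = pkt[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    flags = off_flags & 0x1FF
    out["l4"] = {"src_port": sport, "dst_port": dport, "seq": seq,
                 "syn": bool(flags & 0x02), "ack": bool(flags & 0x10), "window": window}
    return out


if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

The header checksum is an error-detection control of the kind discussed under protocol functions: it will flag a corrupted TTL, but because it is not keyed, anyone forging a packet simply recomputes it. That is why address and port fields in a header must never be treated as proof of who sent the packet.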
Internet Protocol Security (IPsec)

Internet Protocol Security (IPsec) is a set of protocols that provides security for
the Internet Protocol, using cryptography to protect IP packets. IPsec can be used
to set up virtual private networks (VPNs) in a secure manner.
Also known as IP Security.
IPsec involves two security services:

• Authentication Header (AH): This authenticates the sender and detects any
change in the packet during transmission; the integrity check covers the payload
and the non-changing fields of the IP header. AH provides no confidentiality.
• Encapsulating Security Payload (ESP): This encrypts the data being sent and,
optionally, also authenticates the sender and protects the integrity of the
encapsulated data; ESP with authentication is what most VPNs use in practice.

There are two modes of IPsec:

• Tunnel Mode: This encapsulates the whole IP packet inside a new IP packet to
form secure communication between two places, typically between two
gateways (or between a remote host and a gateway).
• Transport Mode: This only encapsulates the IP payload (not the entire IP
packet as in tunnel mode), keeping the original IP header, and is typically used
between two hosts.
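The difference between the two services and the two modes can be made concrete with a small model of AH. The following Python program is an added example written for this page, not an IPsec implementation from any product, and is not wire-compatible with real IPsec: it builds an AH-protected packet in transport mode and in tunnel mode, computing the integrity check value as HMAC-SHA-256 truncated to 128 bits (as RFC 4868 specifies) over the IP header with its mutable fields zeroed, the AH header and the payload, following the coverage rule of RFC 4302. The addresses, the key, the SPI values and the TCP segment are constructed for the demonstration; the IPv4 header checksum is left zero because it is a mutable field and is not authenticated in any case.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51   # IP protocol number of the Authentication Header
ICV_LEN = 16    # HMAC-SHA-256-128: the 256-bit HMAC truncated to 128 bits
AH_LEN = 12 + ICV_LEN

# Constructed demo values (not real keys or hosts).
KEY = b"constructed-demo-key-not-for-production"
TCP = bytes.fromhex("c3a00050" "00000001" "00000000" "50020fff" "00000000")  # SYN to port 80


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header; checksum left 0 for this illustration (it is mutable anyway)."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       ttl, proto, 0, to_bytes(src), to_bytes(dst))


def _authenticated_bytes(packet: bytes) -> bytes:
    """Per RFC 4302 the ICV covers the IP header with mutable fields (TOS, flags and
    fragment offset, TTL, checksum) zeroed, the AH header with its ICV zeroed, and all
    data after it. Addresses are NOT zeroed: AH authenticates them."""
    h = bytearray(packet[:20])
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    ah = bytearray(packet[20:20 + AH_LEN])
    ah[12:] = bytes(ICV_LEN)
    return bytes(h) + bytes(ah) + packet[20 + AH_LEN:]


def ah_protect(key: bytes, src: str, dst: str, next_header: int, payload: bytes,
               spi: int, seq: int) -> bytes:
    """Return IP(proto=51) | AH(next_header, len, SPI, seq, ICV) | payload."""
    ah = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ipv4_header(src, dst, AH_PROTO, AH_LEN + len(payload)) + ah + payload
    icv = hmac.new(key, _authenticated_bytes(pkt), hashlib.sha256).digest()[:ICV_LEN]
    return pkt[:32] + icv + pkt[20 + AH_LEN:]


def ah_verify(key: bytes, pkt: bytes) -> bool:
    expected = hmac.new(key, _authenticated_bytes(pkt), hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, pkt[32:32 + ICV_LEN])


def transport_mode(key, host_src, host_dst, tcp_segment, spi, seq) -> bytes:
    """Transport mode: the original IP header is kept; only the payload is encapsulated."""
    return ah_protect(key, host_src, host_dst, 6, tcp_segment, spi, seq)


def tunnel_mode(key, gw_src, gw_dst, inner_packet, spi, seq) -> bytes:
    """Tunnel mode: the whole original IP packet becomes the payload of a new outer
    packet between the gateways (next header 4 = IP-in-IP)."""
    return ah_protect(key, gw_src, gw_dst, 4, inner_packet, spi, seq)


def demo() -> dict:
    t = transport_mode(KEY, "10.0.0.5", "10.0.1.9", TCP, spi=0x100, seq=1)
    inner = ipv4_header("10.0.0.5", "10.0.1.9", 6, len(TCP)) + TCP
    u = tunnel_mode(KEY, "203.0.113.1", "198.51.100.2", inner, spi=0x200, seq=1)
    tampered = bytearray(t); tampered[-1] ^= 1          # flip a payload bit
    hop = bytearray(t); hop[8] -= 1                     # a router decrements TTL
    natted = bytearray(u); natted[12:16] = bytes([192, 0, 2, 7])  # NAT rewrites outer src
    return {
        "transport_ok": ah_verify(KEY, t),
        "tunnel_ok": ah_verify(KEY, u),
        "tamper_detected": not ah_verify(KEY, bytes(tampered)),
        "ttl_change_ok": ah_verify(KEY, bytes(hop)),
        "nat_breaks_ah": not ah_verify(KEY, bytes(natted)),
        "tunnel_outer_is_gateway": u[12:16] == bytes([203, 0, 113, 1]) and inner in u,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Three results are worth noting. A change to the payload is detected in either mode, while a router decrementing the TTL does not break the check, because TTL is mutable. A NAT device rewriting the outer source address does break it, in both modes, since AH authenticates the outer IP header; ESP does not cover the outer header, which is why VPNs that must traverse NAT use ESP (with NAT traversal) rather than AH. Finally, tunnel mode carries the whole inner packet as payload, so the inner addresses are authenticated along with it, but with AH they remain visible on the wire; only ESP encrypts them.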
Business continuity

Data Processing Methods

Data processing is the carrying out of operations on data by software in order to
retrieve, transform or classify information.

Mostly, data processing happens in software programs where a set of inputs
produces a defined set of outputs.

There are two common types of data processing, namely batch processing and
real-time processing. The decision to use one rather than the other will depend on
the following:

• the type and volume of data,
• the time within which the data needs to be processed, and
• which method is really suited to the particular business.

The two data processing types help businesses handle information seamlessly.
However, like most things, both have advantages and disadvantages.

• Batch Data Processing

This is an efficient way of processing high/large volumes of data where a group of transactions is collected over a certain period of time. In batch data processing, information is collected, entered, processed and then the batch outputs are produced. This data process requires separate programs for input, process and output. Examples of software programs that use this kind of data processing are payroll and billing systems.

Advantages:
o Ideal for processing large volumes of data/transactions, as it is more efficient than processing each individually.
o Can be run independently during less-busy times or at a desired designated time.
o It offers cost efficiency for the organisation by carrying out the process (data reconciliation for the master file) only when needed.
o It allows a good audit trail.

Disadvantages:
o The main disadvantage of batch processing is the time delay between the collection of data (transaction receiving) and getting the result (output in the master file) after the batch process.
o The Master File (the organisation's big data) is not always kept up to date.
o A single batch run can be very slow.

• Real-Time Processing
In contrast with batch data processing, real-time data processing involves continuous input, process and output of data. Thus, data are processed in a short period of time. A few examples of programs that use such a data processing type are bank ATMs, customer services, radar systems, and Point of Sale (POS) systems. POS uses this data process to update the inventory, provide inventory history, and sales of a particular item, allowing the business to handle payments in real time.

With this kind of data process, every transaction is directly reflected in the master file so that it is always up to date.

Advantages:
o No significant delay in response.
o Information is always up to date, thus giving the organisation the ability to take immediate action when responding to an event, issue or scenario in the shortest possible span of time.
o It could also give the organisation the ability to gain insights from the updated data to detect patterns for possible identification of either opportunities or threats to the organisation’s business.

Disadvantages:
o This type of processing is more expensive and complex.
o Real-time processing is a bit tedious and more difficult for auditing.
o Daily data backups (depending on transaction frequency) should be implemented and are necessary to ensure the retention of the most recent data transactions.

The decision to select the best data processing system will greatly depend on the current system in your business. So, choose the one that best suits your business system.
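The batch-versus-real-time trade-off described above is easiest to see in code. The following is an added example, not code from the original page: a toy master file that can be posted to in either mode, so that the posting delay, the stale master file and the audit trail can be compared directly. The `Txn` and `MasterFile` types, the 18:00 cut-off and the four sample transactions are all constructed for this illustration.

```python
"""Batch versus real-time posting of transactions to a master file.

Added illustration for the data-processing passage; not code from the original
page. Accounts, transactions and the cut-off time are constructed sample data.
Amounts are in paise; times are minutes after midnight.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: int        # positive = credit, negative = debit
    received_at: int   # minute of day at which the transaction arrived


@dataclass
class MasterFile:
    balances: dict
    # one row per posting: (txn_id, account, amount, received_at, posted_at)
    audit_trail: list = field(default_factory=list)


def post(master, txn, posted_at):
    master.balances[txn.account] = master.balances.get(txn.account, 0) + txn.amount
    master.audit_trail.append((txn.txn_id, txn.account, txn.amount, txn.received_at, posted_at))


def realtime_process(opening, txns):
    """Real-time: every transaction is posted the moment it arrives."""
    master = MasterFile(dict(opening))
    for t in sorted(txns, key=lambda t: t.received_at):
        post(master, t, posted_at=t.received_at)
    return master


def batch_process(opening, txns, cutoff):
    """Batch: transactions received up to the cut-off are posted together at the
    cut-off; later ones are deferred to the next run. Returns (master, deferred)."""
    master = MasterFile(dict(opening))
    in_batch = sorted((t for t in txns if t.received_at <= cutoff), key=lambda t: t.received_at)
    deferred = [t for t in txns if t.received_at > cutoff]
    for t in in_batch:
        post(master, t, posted_at=cutoff)
    return master, deferred


def balance_as_of(master, account, opening_balance, at_minute):
    """Balance the system would display at `at_minute`: only postings that have
    already happened are visible, which is where the batch time delay shows."""
    total = opening_balance
    for _, acct, amount, _, posted_at in master.audit_trail:
        if acct == account and posted_at <= at_minute:
            total += amount
    return total


def max_posting_delay(master):
    """Largest gap (minutes) between receipt and posting; 0 for real-time."""
    return max((posted - received for _, _, _, received, posted in master.audit_trail), default=0)


# Constructed sample data: two accounts, four transactions, 18:00 batch cut-off.
OPENING = {"ACC-1": 10_000_00, "ACC-2": 5_000_00}
TXNS = [
    Txn("T1", "ACC-1", -3_000_00, received_at=60),
    Txn("T2", "ACC-2", +2_000_00, received_at=120),
    Txn("T3", "ACC-1", -500_00, received_at=300),
    Txn("T4", "ACC-1", +700_00, received_at=1300),   # arrives after the cut-off
]
CUTOFF = 18 * 60

if __name__ == "__main__":
    rt = realtime_process(OPENING, TXNS)
    bt, deferred = batch_process(OPENING, TXNS, CUTOFF)
    print("real-time balances:", rt.balances, "max delay:", max_posting_delay(rt))
    print("batch balances:", bt.balances, "deferred:", [t.txn_id for t in deferred],
          "max delay:", max_posting_delay(bt))
    print("ACC-1 as seen at 03:20 -> real-time:", balance_as_of(rt, "ACC-1", OPENING["ACC-1"], 200),
          "batch:", balance_as_of(bt, "ACC-1", OPENING["ACC-1"], 200))
```

Running it shows the two points the text makes: the real-time master file never lags (posting delay 0), while the batch master file shows the opening balance for most of the day and only reflects the day's transactions after the 18:00 run, with the late transaction carried over to the next batch. The audit trail records both the receipt and the posting time of every transaction, which is what an auditor reconciles.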
BUSINESS CONTINUITY PLANNING

Introduction

The pivotal role that the banking sector plays in economic growth and stability, both at national and individual level, requires continuous and reliable services. The increased contribution of 24x7 electronic banking channels has increased the demand to formulate consolidated Business Continuity Planning (BCP) guidelines covering critical aspects of people, process and technology.

BCP forms a part of an organisation's overall Business Continuity Management (BCM) plan, which is the “preparedness of an organisation”, and which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes at an agreed level and limit the impact of the disaster on people, processes and infrastructure (including IT), or to minimise the operational, financial, legal, reputational and other material consequences arising from such a disaster.

Effective business continuity management typically incorporates business impact analyses, recovery strategies and business continuity plans, as well as a governance programme covering a testing programme, training and awareness programme, and communication and crisis management programme.

Roles, Responsibilities and Organisational Structure

Board of Directors and Senior Management

A bank’s Board has the ultimate responsibility and oversight over BCP activity of a bank. The Board approves the Business Continuity Policy of a bank. Senior Management is responsible for overseeing the BCP process, which includes:

• Determining how the institution will manage and control identified risks
• Allocating knowledgeable personnel and sufficient financial resources to implement the BCP
• Prioritizing critical business functions
• Designating a BCP committee who will be responsible for the Business Continuity Management
• The top management should annually review the adequacy of the institution's business recovery, contingency plans and the test results and put up the same to the Board.
• The top management should consider evaluating the adequacy of contingency planning and their periodic testing by service providers whenever critical operations are outsourced.
• Ensuring that the BCP is independently reviewed and approved at least annually
• Ensuring employees are trained and aware of their roles in the implementation of the BCP
• Ensuring the BCP is regularly tested on an enterprise-wide basis
• Reviewing the BCP testing programme and test results on a regular basis, and
• Ensuring the BCP is continually updated to reflect the current operating environment
1.1 BCP Head or Business Continuity Coordinator

A senior official needs to be designated as the Head of BCP activity or function. His or her responsibilities include:

• Developing an enterprise-wide BCP and prioritisation of business objectives and critical operations that are essential for recovery
• Business continuity planning to include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components
• Considering the integration of the institution’s role in financial markets
• Regularly updating business continuity plans based on changes in business processes, audit recommendations, and lessons learned from testing
• Following a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, management and monitoring, and testing
• Considering all factors and deciding upon declaring a “crisis”

1.2 BCP Committee or Crisis Management Team

Since electronic banking has functions spread across more than one department, it is necessary that each department understands its role in the plan. It is also important that each gives its support to maintain it. In case of a disaster, each has to be prepared for a recovery process aimed at protection of critical functions. To this end, it would be helpful to have a set-up like a BCP Committee, charged with the implementation of the BCP in such an eventuality, with all departments expected to fulfil their respective roles in a coordinated manner.

Hence, a committee consisting of senior officials from departments like HR, IT, Legal, Business and Information Security needs to be instituted with the following broad mandate:

• To exercise, maintain and to invoke the business continuity plan, as needed
• Communicate, train and promote awareness
• Ensure that the Business Continuity Plan (BCP) fits with other plans and requirements of concerned authorities
• Budgetary issues
• Ensure training and awareness on BCP to concerned teams and employees
• Co-ordinating the activities of other recovery, continuity, response teams and handling key decision-making
• They determine the activation of the BCP
• Other functions entail handling legal matters evolving from the disaster, and handling public relations and media inquiries
1.3 BCP Teams

There need to be adequate teams for various aspects of BCP at the central office, as well as at individual controlling offices or at a branch level, as required. Among the teams that can be considered, based on need, are the incident response team, emergency action and operations team, teams from particular business functions, damage assessment team, IT teams for hardware, software and network support, supplies team, team for organising logistics, relocation team, administrative support team and coordination team. Illustrative guidelines for committees or teams for BCP are provided in Annex C.

2. Critical Components of Business Continuity Management Framework

The BCP requirements enunciated in this document should be considered. The onus lies on the Board and Senior Management for generating detailed components of BCP in the light of an individual bank's activities, systems and processes.

2.1 BCP Methodology

Banks should consider looking at BCP methodologies and standards, such as BS 25999 by BSI, which follows the “Plan-Do-Check-Act” principle.

BCP methodology should include:

Phase 1: Business Impact Analysis

• Identification of critical businesses, owned and shared resources with supporting functions to come up with the Business Impact Analysis (BIA)
• Formulating Recovery Time Objectives (RTO), based on the BIA. These may also be periodically fine-tuned by benchmarking against industry best practices
• Critical and tough assumptions in terms of disaster, so that the framework would be exhaustive enough to address the most stressful situations
• Identification of the Recovery Point Objective (RPO) for data loss for each of the critical systems, and a strategy to deal with such data loss
• Alternate procedures during the time systems are not available, and estimating resource requirements

Phase 2: Risk Assessment

• Structured risk assessment based on comprehensive business impact analysis. This assessment considers all business processes and is not limited to the information processing facilities.
• Risk management by implementing appropriate strategy/architecture to attain the bank’s agreed RTOs and RPOs.
• Impact on restoring critical business functions, including customer-facing systems and payment and settlement systems such as cash disbursements, ATMs, internet banking, or call centres
• Dependency and risk involved in use of external resources and support

Phase 3: Determining Choices and Business Continuity Strategy

• BCP should evolve beyond the information technology realm and must also cover people, processes and infrastructure
• The methodology should provide for the safety and well-being of people in the branch/outside location at the time of the disaster.
• Define response actions based on identified classes of disaster.
• To arrive at the selected process resumption plan, one must consider the risk acceptance for the bank, industry and applicable regulations

Phase 4: Developing and Implementing BCP

• Action plans, i.e. defined response actions specific to the bank’s processes, practical manuals (do’s and don’ts, specific paragraphs customised to individual business units) and testing procedures
• Establishing management succession and emergency powers
• Compatibility and co-ordination of contingency plans at both the bank and its service providers
• The recovery procedure should not compromise on the control environment at the recovery location
• Having specific contingency plans for each outsourcing arrangement based on the degree of materiality of the outsourced activity to the bank's business
• Periodic updating to absorb changes in the institution or its service providers. Examples of situations that might necessitate updating the plans include acquisition of new equipment, upgradation of the operational systems and changes in:
o Personnel
o Addresses or telephone numbers
o Business strategy
o Location, facilities and resources
o Legislation
o Contractors, suppliers and key customers
o Processes (new or withdrawn ones)
o Risk (operational and financial)
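A worked check for Phases 1 and 2 of the methodology above, written as an added example (it is not code from the original page or from any regulator): each critical system carries the RTO and RPO that the BIA assigned to it, together with the backup interval, the replication lag to the DR site and the restore time measured at the last DR test, and the current strategy is judged against those targets. The system names, every minute value and the idea of adding replication lag to the backup interval are constructed assumptions for the illustration.

```python
"""Comparing recovery arrangements with the BIA's RTO/RPO targets.

Added illustration for Phases 1 and 2 of the BCP methodology; not code from the
original page. All systems and figures below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CriticalSystem:
    name: str
    rto_min: int                 # Recovery Time Objective set in the BIA (minutes)
    rpo_min: int                 # Recovery Point Objective set in the BIA (minutes)
    backup_interval_min: int     # how often a consistent copy is taken
    replication_lag_min: int     # time for that copy to land at the DR site
    restore_time_min: int        # time to bring the system up at DR, from the last test


def worst_case_data_loss(s: CriticalSystem) -> int:
    """Data at risk if the disaster strikes just before the next copy is taken:
    a full backup interval plus whatever has not yet reached the DR site."""
    return s.backup_interval_min + s.replication_lag_min


def assess(s: CriticalSystem) -> List[str]:
    """Gaps between the current strategy and the BIA targets (empty = compliant)."""
    gaps = []
    if s.restore_time_min > s.rto_min:
        gaps.append(f"{s.name}: measured restore {s.restore_time_min} min exceeds RTO {s.rto_min} min")
    loss = worst_case_data_loss(s)
    if loss > s.rpo_min:
        gaps.append(f"{s.name}: worst-case data loss {loss} min exceeds RPO {s.rpo_min} min")
    return gaps


def max_backup_interval_for_rpo(s: CriticalSystem) -> int:
    """Longest backup interval that would still meet the RPO with the current lag."""
    return max(0, s.rpo_min - s.replication_lag_min)


def assess_all(systems) -> Dict[str, List[str]]:
    return {s.name: assess(s) for s in systems}


# Constructed sample BIA output for three critical systems.
SYSTEMS = [
    CriticalSystem("core banking", rto_min=240, rpo_min=15, backup_interval_min=5,
                   replication_lag_min=2, restore_time_min=180),
    CriticalSystem("ATM switch", rto_min=60, rpo_min=5, backup_interval_min=15,
                   replication_lag_min=0, restore_time_min=45),
    CriticalSystem("internet banking", rto_min=120, rpo_min=30, backup_interval_min=60,
                   replication_lag_min=5, restore_time_min=150),
]

if __name__ == "__main__":
    for name, gaps in assess_all(SYSTEMS).items():
        print(name, "->", "OK" if not gaps else "; ".join(gaps))
```

The point the check makes is that an RPO is only met when the whole copy path is counted: the sample ATM switch passes its RTO comfortably yet misses its RPO because a 15-minute backup interval cannot satisfy a 5-minute RPO, and `max_backup_interval_for_rpo` states the interval the strategy would have to move to. Feeding the restore time measured at each DR drill back into the record is what keeps the RTO comparison honest between annual reviews.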

2.3 Key Factors to be Considered for BCP Design

The following factors should be considered while designing the BCP:

• Probability of unplanned events, including natural or man-made disasters, earthquakes, fire, hurricanes or bio-chemical disaster
• Security threats
• Increasing infrastructure and application interdependencies
• Regulatory and compliance requirements, which are growing increasingly complex
• Failure of key third-party arrangements
• Globalisation and the challenges of operating in multiple countries.

1.4 BCP Considerations
Banks must consider implementing a BCP process to reduce the impact of disruption caused by disasters and security failures to an acceptable level through a combination of preventive and recovery measures.

A BCP should include measures to identify and reduce the probability of risk, to limit the consequences of damaging incidents and to enable the timely resumption of essential operations. The BCP should, amongst others, consider reputational, operational, financial and regulatory risks.

The failure of critical systems or the interruption of vital business processes could prevent timely recovery of operations. Therefore, financial institution management must fully understand the vulnerabilities associated with interrelationships between various systems, departments, and business processes. These vulnerabilities should be incorporated into the BIA, which analyses the correlation between system components and the services they provide.

Various tools can be used to analyse these critical interdependencies, such as a work flow analysis, an organisational chart, a network topology, and inventory records. A work flow analysis can be performed by observing daily operations and interviewing employees to determine what resources and services are shared among various departments. This analysis, in conjunction with the other tools, will allow management to understand various processing priorities, documentation requirements, and the interrelationships between various systems. The following issues should be considered when determining critical interdependencies within the organisation:

• Key personnel;
• Vital records;
• Shared equipment, hardware, software, data files, and workspace;
• Production processes;
• Customer services;
• Network connectivity; and
• Management information systems.

Key Considerations while Formulating a BCP:

• Ensuring prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
• Honouring of all customer payouts (i.e. obligations)
• Providing priority to intra-day deal payments
• Providing customers prompt access to their funds and securities; measures should be undertaken to make customer funds and securities available to customers in the event of a significant business disruption.
• Continuing compliance with regulatory reporting requirements, etc.

A single framework of BCP should be maintained to ensure that all plans are consistent, and to identify priorities and dependencies for testing and maintenance.

A BCP framework should consider the following:

• Conditions for activating plans, which describe a process to be followed (how to assess the situation, who is to be involved, etc.) before each plan is activated
• Emergency procedures, which describe the actions to be taken following an incident which jeopardises business operations and/or human life. This should include arrangements for public relations management and for effective liaison with appropriate public authorities, e.g. police, fire service, health-care services and local government
• Identification of the processing resources and locations available to replace those supporting critical activities; fall-back procedures which describe the actions to be taken to move essential business activities or support services to alternative temporary locations and to bring business processes back into operation in the required time-scales
• Identification of information to be backed up and the location for storage, as well as the requirement for the information to be saved for back-up purposes on a stated schedule and compliance therewith
• Resumption procedures, which describe the actions to be taken to return to normal business operations
• A maintenance schedule which specifies how and when the plan will be tested and the process for maintaining the plan
• Awareness and education activities, which are designed to create understanding of critical banking operations and functions and business continuity processes, and ensure that the processes continue to be effective
• The responsibilities of the individuals, describing who is responsible for executing which component of the plan. Alternatives should be nominated as required.

(g) Pandemic Planning

Pandemics are defined as epidemics, or outbreaks in humans, of infectious diseases that have the ability to spread rapidly over large areas, possibly worldwide. Adverse economic effects of a pandemic could be significant, both nationally and internationally. Due to their crucial financial and economic role, financial institutions should have plans in place that describe how they will manage through a pandemic event.

Pandemic planning presents unique challenges to financial institution management. Unlike natural disasters, technical disasters, malicious acts, or terrorist events, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale and duration. Further, while traditional disasters and disruptions normally have limited time durations, pandemics generally occur in multiple waves, each lasting two to three months. Consequently, no individual or organisation is safe from the adverse effects that might result from a pandemic event. One of the most significant challenges likely from a severe pandemic event will be staffing shortages due to absenteeism. These differences and challenges highlight the need for all financial institutions, no matter their size, to plan for a pandemic event when developing their BCP.

It is important for institutions to actively keep abreast of international and national developments and health advisories issued in this regard.

Accordingly, a bank’s BCP needs to provide for the following:

• A preventive programme to reduce the likelihood that a bank’s operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, in addition to providing appropriate hygiene training and tools to employees.

• A documented strategy that provides for scaling the institution’s pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas or in India and first cases within the organisation itself. The strategy will also need to outline plans that state how to recover from a pandemic wave and proper preparations for any following wave(s).

• A comprehensive framework of facilities, systems, or procedures that provide the organisation the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods. Such procedures could include social distancing to minimise staff contact, telecommuting, redirecting customers from branch to electronic banking services, or conducting operations from alternative sites. The framework should consider the impact of customer reactions and the potential demand for, and increased reliance on, online banking, telephone banking, ATMs, and call support services. In addition, consideration should be given to possible actions by public health and other government authorities that may affect critical business functions of a financial institution.

• A testing programme to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue.

• An oversight programme to ensure ongoing review and updates to the pandemic plan so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution’s monitoring programme.

• Banks may also consider insurance to transfer risk to a third party, however taking due care regarding certainty of payments in the event of disruptions.

Testing a BCP

– Banks must regularly test the BCP to ensure that it is up to date and effective: Testing of the BCP should include all aspects and constituents of a bank, i.e. people, processes and resources (including technology). A BCP, after full or partial testing, may fail. Reasons are incorrect assumptions, oversights or changes in equipment or personnel. BCP tests should ensure that all members of the recovery team and other relevant staff are aware of the plans. The test schedule for BCPs should indicate how and when each component of a plan is to be tested. It is recommended to test the individual components of the plan(s) frequently, typically at a minimum of once a year. A variety of techniques should be used in order to provide assurance that the plan(s) will operate in real life.

– Banks should involve their Internal Auditors (including IS Auditors) to audit the effectiveness of the BCP and its periodic testing as part of their Internal Audit work, and their findings/recommendations in this regard should be incorporated in their report to the Board of Directors.

– Banks should consider having a BCP drill planned along with the critical third parties, in order to provide services and support to continue with pre-identified minimal required processes.

– Banks should also consider periodically moving their operations, including people, processes and resources (IT and non-IT), to the planned fall-over or DR site in order to test the BCP effectiveness and also gauge the recovery time needed to bring operations to normal functioning.

– Banks should consider performing the above test without movement of bank personnel to the DR site. This will help in testing the readiness of alternative staff at the DR site.

– Banks should consider having unplanned BCP drills, wherein only a restricted set of people and certain identified personnel may be aware of the drill and not the floor or business personnel. In such cases banks should have a “Lookout Team” deployed at the location to study and assimilate the responses and needs of different teams. Based on the outcome of this study, banks should revise their BCP to suit the ground requirements.
3.1 Testing Techniques

The below are a few of the illustrative techniques that can be used for BCP testing purposes:

• Table-top testing for scenarios (discussing business recovery arrangements using example interruptions)
• Simulations (particularly for training people in their post-incident or crisis management roles)
• Technical recovery testing (ensuring information systems can be restored effectively)
• Testing recovery at an alternate site (running business processes in parallel with recovery operations away from the main site)
• Tests of supplier facilities and services (ensuring externally provided services and products will meet the contracted commitment)
• Complete rehearsals (testing that the organisation, personnel, equipment, facilities and processes can cope with interruptions)

Simulation testing: This is when participants choose a specific scenario and simulate an on-location BCP situation. It involves testing of all resources (people, IT and others) who are required to enable the business continuity for a chosen scenario. The focus is on demonstration of capability, including knowledge, team interaction and decision-making capabilities. It can also specify role playing with simulated response at alternate locations/facilities to act out critical steps, recognise difficulties, and resolve problems.

Component testing: This is to validate the functioning of an individual part or a sub-process of a process in the event of BCP invocation. It focuses on in-depth testing of the part or sub-process to identify and prepare for any risk that may hamper its smooth running. For example, testing of the ATM switch.

Each organisation must define the frequency, schedule and clusters of Business Areas selected for test after a thorough Risk and Business Impact Analysis has been done. The bank can consider the broad guidelines provided below for determining the testing frequency based on the criticality of a process:

Impact on processes | Table-top testing | Call tree testing | Simulation testing | Component testing | Complete rehearsals
--------------------|-------------------|-------------------|--------------------|-------------------|--------------------
High                | Quarterly         | Quarterly         | Quarterly          | Quarterly         | Annually
Medium              | Quarterly         | Half-yearly       | Half-yearly        | Annually          | Annually
Low                 | Half-yearly       | Annually          | NA                 | NA                | NA

Maintenance and Re-assessment of Plans

BCPs should be maintained by annual reviews and updates to ensure their continued effectiveness. Procedures should be included within the organisation’s change management programme to ensure that business continuity matters are appropriately addressed. Responsibility should be assigned for regular reviews of each business continuity plan. The identification of changes in business arrangements/processes not yet reflected in the business continuity plans should be followed by an appropriate update of the plan on a periodic basis, say quarterly. This would require a process of conveying any changes to the institution’s business, structure, systems, software, hardware, personnel, or facilities to the BCP coordinator/team. If significant changes have occurred in the business environment, or if audit findings warrant changes to the BCP or test programme, the business continuity policy guidelines and programme requirements should be updated accordingly.

Changes should follow the bank’s formal change management process in place for its policy or procedure documents. This formal change control process should ensure that the updated plans are distributed and reinforced by regular reviews of the complete plan.

A copy of the BCP, approved by the Board, should be forwarded for perusal to the RBI on an annual basis. In addition, the bank should also submit:

– An annual statement at the end of each financial year describing the critical systems, their RTOs and the bank’s strategy to achieve them, and

– A quarterly statement, reporting major failures during the period for critical systems, customer segments or services impacted due to the failures and steps taken to avoid such failures in future.

Procedural aspects of BCP

An effective BCP should take into account the potential of wide-area disasters, which impact an entire region, and the resulting loss or inaccessibility of staff. It should also consider and address interdependencies, both market-based and geographic, among financial system participants as well as infrastructure service providers.

Further, banks should also consider the need to put in place necessary backup sites for their critical payment systems which interact with the systems at the Data Centres of the Reserve Bank.

Banks may also consider running some critical processes and business operations from primary and secondary sites, wherein each would provide back-up to the other, namely prioritising processes and alternative locations for personnel in the following categories:

• Dealers and traders
• Operations (e.g. teller, loan desk, cash desk etc.)
• Treasury department staff
• Sales staff
• IT staff
• Corporate functions (HR, Admin) staff

Comprehensive testing would help banks to further fine-tune BCP/DR processes to ensure their robustness and also enable smooth switch-over to the DR site, as per the priority and scale of processes identified for each process.

All critical processes should be documented to reduce dependency on personnel for scenarios where the staff is not able to reach the designated office premises.

Backup/standby personnel should be identified for all critical roles. A call matrix should be developed to better co-ordinate future emergency calls involving individual financial authorities, financial sector trade associations, and other banks and stakeholders. In addition, the organisation should have a calling tree with branches across specific regions/business processes. Based on the nature of the emergency, a particular branch or the entire calling tree should be activated.
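The calling tree just described, as an added example (not code from the original page): a tree of contacts with regional branches, where a drill or a real emergency activates either the whole tree or only the branch for one region, and where each role's nominated standby is used when the primary contact cannot be reached. Every name, region code and phone number below is a constructed placeholder.

```python
"""A calling tree with regional branches that can be activated in part or in whole.

Added illustration for the call-matrix / calling-tree passage; not code from the
original page. Every name, region code and phone number is a constructed placeholder.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Contact:
    name: str
    region: str                     # "ALL" for central staff, else a region code
    phone: str                      # placeholder, not a real number
    standby: Optional[str] = None   # nominated alternate for this role
    children: List["Contact"] = field(default_factory=list)


def build_tree() -> Contact:
    """Constructed sample tree: coordinator -> IT branch and two regional branches."""
    return Contact("BCP Coordinator", "ALL", "+91-00-0000-0001", standby="Deputy Coordinator", children=[
        Contact("IT Head", "ALL", "+91-00-0000-0002", standby="IT Deputy", children=[
            Contact("DR Site Lead", "ALL", "+91-00-0000-0003"),
        ]),
        Contact("West Region Head", "WEST", "+91-00-0000-0004", standby="West Deputy", children=[
            Contact("Mumbai Branch Manager", "WEST", "+91-00-0000-0005"),
            Contact("Pune Branch Manager", "WEST", "+91-00-0000-0006"),
        ]),
        Contact("South Region Head", "SOUTH", "+91-00-0000-0007", children=[
            Contact("Chennai Branch Manager", "SOUTH", "+91-00-0000-0008"),
        ]),
    ])


def cascade(root: Contact, region: Optional[str] = None,
            unreachable: frozenset = frozenset()) -> List[Tuple[str, str]]:
    """Return the (caller, callee) pairs in the order the tree is worked.

    Only branches whose region matches (central "ALL" staff always match) are
    activated, so a regional emergency does not page the whole bank. If a
    contact cannot be reached their standby is called; if neither answers, the
    caller keeps the branch alive by calling that contact's children directly.
    """
    calls: List[Tuple[str, str]] = []

    def in_scope(c: Contact) -> bool:
        return region is None or c.region in (region, "ALL")

    def visit(caller: str, node: Contact) -> None:
        if node.name not in unreachable:
            answered = node.name
        elif node.standby is not None and node.standby not in unreachable:
            answered = node.standby
        else:
            answered = None
        if answered is not None:
            calls.append((caller, answered))
        next_caller = answered if answered is not None else caller
        for child in node.children:
            if in_scope(child):
                visit(next_caller, child)

    for child in root.children:
        if in_scope(child):
            visit(root.name, child)
    return calls


if __name__ == "__main__":
    tree = build_tree()
    print("whole tree:", cascade(tree))
    print("west only:", cascade(tree, region="WEST"))
    print("south, region head unreachable:",
          cascade(tree, region="SOUTH", unreachable=frozenset({"South Region Head"})))
```

The list that `cascade` returns is the call log a call-tree test produces: who called whom, in which order, and which standby had to be used. Running it with a set of deliberately "unreachable" names is a cheap way to check, before a drill, that every critical role in the matrix actually has a nominated alternate and that no branch goes dark when one person is out.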

The relevant portion of the BCP adopted should also be disseminated to all concerned, including the customers, so that the awareness would enable them to react positively and in consonance with the BCP. This would help maintain the customer’s faith in the banking institution, and the possibility of a bank-run would be exponentially minimised. The part of the plan kept in the public domain should normally be confined to information relating to the general readiness of the banks in this regard without any detailed specifics, to protect the banks from becoming vulnerable to security threats.

Banks should consider formulating a clear ‘Communication Strategy’ with the help of media management personnel to control the content and form of news being percolated to their customers in times of panic.

Banks should consider having a detailed BCP for encountering natural calamity/disaster situations. A formal exception policy should be documented which will guide the affected area's personnel to act independently till connection to the outside world is resumed. The above-mentioned guideline should have exceptions documented for critical processes which will ensure continuation of critical processes without the regular operational formalities.

After appropriate approvals or permissions are obtained internally and from RBI, banks should consider having a guideline ready on relaxing certain rules/requirements for customers affected by the calamity, such as:

• Extending loan/interest payment timelines
• Issuance of fresh loans with minimal required documents
• Waiving late payment fees and penalties in certain cases
• Allowing more than normal cash withdrawal from ATMs

Banks can consider expediting cheque clearing for customers by directing all cheques to a different region than the one affected by the calamity. In case of severe calamity, banks should consider restricting existing loans to facilitate rebuilding efforts by the Govt. for the calamity areas. The banks may also consider ensuring quick processing of loan applications, preferably within 48 hours of receipt of such applications. They should consider dispatching credit bills, agreement notes, etc. due to customers by having an arrangement to print the same at an alternative location, and should consider accepting late payments for credit card dues for customers in the calamity-affected area. Banks may also endeavour to resume banking services by setting up satellite offices, extension counters or mobile banking facilities.

Infrastructure Aspects of BCP

– Banks should consider paying special attention to the availability of basic amenities such as electricity, water and a first-aid box in all offices (e.g. evaluate the need of electricity backup not just for its systems but also for its people and for running infrastructure like central air-conditioning).

– Banks should consider assigning ownership for each area. Emergency procedures, manual fallback plans and resumption plans should be within the responsibility of the owners of the appropriate business resources or processes involved.

– In-house telecommunications systems and wireless transmitters on buildings should have backup power. Redundant systems, such as analogue line phones and satellite phones (where appropriate), and other simple measures, such as ensuring the availability of extra batteries for mobile phones, may prove essential to maintaining communications in a wide-scale infrastructure failure.

– Possible fallback arrangements should be considered and alternative services should be carried out in co-ordination with the service providers, contractors and suppliers under a written agreement or contract, setting out the roles and responsibilities of each party for meeting emergencies. Also, imposition of penalties, including legal action, may be initiated by an organisation against service providers, contractors or suppliers in the event of non-compliance or non-co-operation.

– When new requirements are identified, established emergency procedures, e.g. evacuation plans or any existing fallback arrangements, should be amended as appropriate.

– Banks may consider having backup resources (e.g. stationery required for cheque printing, special printers, stamps) at a secondary operational location.

– The plans may also suitably be aligned with those of the local government authorities.

– Banks should consider not storing critical papers, files and servers on the ground floors where there is a possibility of floods or water logging. However, banks should also consider avoiding top floors in taller buildings to reduce the impact of a probable fire.

– Fire-proof and water-proof storage areas must be considered for critical documents.

– Banks should consider having alternative means of power source (like procurement of more diesel/emergency battery backup etc.) for extended periods of power cuts.

– Banks should consider having an emergency helpline number or nationalised IVR message to resolve queries of customers and ensure that a panic situation is avoided. For this, an alternative backup area call centre should be identified to take over part of the load of the calamity-affected area. A designated person/team must be responsible for enabling line diversion. A similar service can also be considered for the benefit of employee-related communication.

Human Aspects of BCP

People are a vital component of any organisation. They should therefore be an integral part of a BCP. Generally, plans are often too focused on the technical issues; therefore, it is suggested that a separate section relating to people should be incorporated, including details on staff welfare, counselling, relocation considerations, etc. BCP awareness programmes should also be implemented, which serve to strengthen staff involvement in BCP. This can be done through induction programmes, newsletters, staff training exercises, etc.

Banks must consider training more than one individual staff member for specific critical jobs (i.e. in the absence of one employee the work must not be stalled or delayed). They must consider cross-training employees for critical functions and documenting operating procedures. Banks should consider the possibility of enabling work-from-home capabilities and resources for employees performing critical functions.

Role of HR in the BCP context

Crisis Management Team: As a core member of the CMT, HR provides guidance to the team on people-related issues, including evacuation, welfare, whether to invoke the HR incident line, alternative travel arrangements and what to communicate to staff.

HR Incident Line: Operated from within the centralised HR function, the incident
helpline is invoked in those instances, where there are possible casualties or
missing staff, as a result of an incident. Invoked by the CMT, the line is manned by
qualified HR officers trained in how to deal with distressed callers. The staff may be
provided with an emergency card, which includes the incident line number.
Information on the hotline is updated on a regular basis. The facility enables line
managers to keep the central crisis team up to speed on the whereabouts and well-
being of staff. Ongoing welfare and support for staff is also provided via an
employee assistance provider.

Exceptional Travel arrangements: Transportation plans should be considered in the event of the need to relocate. Key staff need to be identified, including details of where they are located, and vehicles should be on standby to transport them if required.

Technology Aspects of BCP

There are many applications and services in the banking system that are highly mission critical in nature and therefore require high availability and fault tolerance to be considered while designing and implementing the solution. This aspect is to be taken into account especially while designing the data centre solution and the corporate network solution.

Data Recovery Strategies

Prior to selecting a data recovery (DR) strategy, a DR planner should refer to their organisation's BCP, which should indicate key metrics of recovery point objective and recovery time objective for business processes:

Recovery Point Objective (RPO) – The acceptable latency of data that will be recovered

Recovery Time Objective (RTO) – The acceptable amount of time to restore the function

Recovery Point Objective must ensure that the Maximum Tolerable Data Loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPD), for each activity, is not exceeded. The metrics specified for the business processes must then be mapped to the underlying IT systems and infrastructure that support those processes. Once RTO and RPO metrics have been mapped to the IT infrastructure, the DR planner can determine the most suitable recovery strategy for each system. An important note here, however, is that the business ultimately sets the IT budget. Therefore, RTO and RPO metrics need to fit with the available budget and the criticality of the business process/function.

A List of Common Strategies for Data Protection:

Backups made to tape and sent off-site at regular intervals (preferably daily)

Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk

Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synced). This generally makes use of storage area network (SAN) technology

High availability systems that keep both data and system replicated, off-site, enabling continuous access to systems and data
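As an added illustration (not from the original document), the mapping described above carried out in code: each business process carries its MTPD and MTDL, every IT system it depends on inherits the tightest of those, and the cheapest strategy from the list that meets both objectives is chosen. The process names, system names and the achievable RTO/RPO attributed to each strategy are constructed assumptions.

```python
"""Map business-process recovery metrics (MTPD, MTDL) onto the IT systems that
support them and pick a data-protection strategy from the list above.

Added example, not from the source document; every process, system and
capability figure below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    mtpd_hours: float                 # Maximum Tolerable Period of Disruption
    mtdl_hours: float                 # Maximum Tolerable Data Loss
    systems: list = field(default_factory=list)  # IT systems it depends on


# Strategy ladder from the document, weakest first: (name, achievable RTO hours,
# achievable RPO hours). The achievable figures are assumptions, not vendor data.
STRATEGIES = [
    ("tape backup shipped off-site daily", 48.0, 24.0),
    ("disk backup copied to off-site disk", 12.0, 4.0),
    ("off-site data replication (SAN)", 4.0, 0.25),
    ("high-availability system with replicated data", 0.5, 0.0),
]


def map_objectives(processes):
    """Per-system RTO/RPO: a shared system inherits the tightest objective of
    every business process that depends on it."""
    objectives = {}
    for p in processes:
        for s in p.systems:
            rto, rpo = objectives.get(s, (float("inf"), float("inf")))
            objectives[s] = (min(rto, p.mtpd_hours), min(rpo, p.mtdl_hours))
    return objectives


def select_strategy(rto_hours, rpo_hours):
    """Cheapest listed strategy whose achievable RTO and RPO both fit. None means
    no listed strategy meets the objectives: the business must either relax
    them or fund something beyond this list (the budget point made above)."""
    for name, s_rto, s_rpo in STRATEGIES:
        if s_rto <= rto_hours and s_rpo <= rpo_hours:
            return name
    return None


def plan(processes):
    """Full mapping: system -> (RTO, RPO, chosen strategy)."""
    return {s: (rto, rpo, select_strategy(rto, rpo))
            for s, (rto, rpo) in map_objectives(processes).items()}


SAMPLE_PROCESSES = [  # constructed sample input
    Process("ATM cash withdrawal", 2, 0.25, ["switch", "core-banking"]),
    Process("Trade finance", 24, 4, ["trade-fin", "core-banking"]),
    Process("MIS reporting", 72, 24, ["datawarehouse"]),
]

if __name__ == "__main__":
    for system, (rto, rpo, strategy) in plan(SAMPLE_PROCESSES).items():
        print(f"{system:14s} RTO<={rto:>5}h RPO<={rpo:>5}h -> {strategy}")
```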

In many cases, an organisation may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities. In addition to preparing for the need to recover systems, organisations must also implement precautionary measures with an objective of preventing a disaster in the first place. These may include some of the following:

Local mirrors of systems or data. Use of disk protection technology such as RAID

Surge protectors—to minimise the effect of power surges on delicate electronic equipment

Uninterruptible power supply (UPS) or backup generator to keep systems going in the event of a power failure

Fire preventions—alarms, fire extinguishers

Anti-virus software and security measures


A disaster recovery plan is a part of the BCP. It dictates every facet of the recovery process, including:

What events denote possible disasters;

What people in the organisation have the authority to declare a disaster and thereby put the plan into effect;

The sequence of events necessary to prepare the backup site once a disaster has been declared;

The roles and responsibilities of all key personnel with respect to carrying out the plan;

An inventory of the necessary hardware and software required to restore production;

A schedule listing the personnel that will be staffing the backup site, including a rotation schedule to support ongoing operations without burning out the disaster team members.

A disaster recovery plan must be a living document; as the data centre changes, the
plan must be updated to reflect those changes.

It is to be noted that the technology issues are a derivative of the Business Continuity Plan and Management.

For example, BCP and Management will lead to the Business Impact Analysis, which will lead to the Performance Impact Analysis (PIA). That will depend on the Technology Performance of the total IT Solution Architecture.

To amplify, business impact analysis is to identify the critical operations and services, key internal and external dependencies and appropriate resilience levels. It also analyses the risks and quantifies the impact of those risks from the point of view of the business disruptions. For example, in order to provide state-of-the-art customer services both at the branch level and the delivery channels, we need to take into account the service levels that are committed.

If an ATM transaction has to take place in 10 seconds and cash withdrawal or deposit has to take place in 60 seconds at the counter, then based on the load one can compute the number of customers who can be serviced in a day. The above example is to understand the fact that the business latency introduced by the system is a combination of technology, process and people. Therefore, the technical latency is a derivative of the committed business latency and the technology solution architecture has to deliver the same under varying loads.

Technology Solution Architecture requirements to address specific BCM needs are:

Performance

Availability

Security and Access Control

Conformance to standards to ensure Interoperability

Performance of the technology solution architecture for operations needs to be quantified. It should be possible to measure, as and when required, the quantified parameters. (For example, if the latency for a complex transaction initiated at the branch has to be completed in four seconds under peak load, it should be possible to have adequate measuring environments to ensure that performance degradations have not taken place due to increasing loads.)

Solution architecture has to be designed with high availability and no single point of failure. It is inevitable that a complex solution architecture with point products from different sources, procured and implemented at different points in time, will have some outage once in a while; the important issue is that, with clearly defined SLAs and mean time to restore, it should be possible to identify the fault and correct the same without any degradation in performance.

Accordingly, with respect to the performance and availability aspects the following
architectures have to be designed and configured to provide high levels of up time
round the clock to ensure uninterrupted functioning.

Summation of the required processes:

– Data centre solution architecture

– DR solution architecture

– Near site solution architecture

– Enterprise network and security architecture

– Branch or delivery channel architecture

Based on the above observation, banks are required to do the following:

– Take up the performance and availability audit of the solutions deployed to ensure that the architecture is designed and implemented with no single point of failure.

– Audit the deployed architecture for all the mission critical applications and
services and resolve the concerns that arise in a time bound manner.

– Periodically investigate the outages that are experienced from time to time (mini disasters that result in non-availability of services for a short span of time, systems not responding when transactions are initiated at the branch level, or delivery channels not functioning for a brief period) to ensure that customer service is not affected.
– Ensure availability of appropriate technology solutions to measure and monitor
the functioning of products. And, have competent and capable technical people
within the system to resolve issues expeditiously.

The issues detailed above have to be borne in mind while finalising the data centre
architecture and the corporate network architecture which are expected to have
redundancy built in the solution with no single point of failure.

With reference to the network architecture, it is recommended that the Banks build in redundancies as under:

Link level redundancy

Path level redundancy

Route level redundancy

Equipment level redundancy

Service provider level redundancy

Issues in choosing a backup site and implementing a DC or DR solution:

Backup site: Is a location where an organisation can easily relocate following a disaster, such as fire, flood, terrorist threat or other disruptive event. This is an integral part of the disaster recovery plan and wider business continuity planning of an organisation. A backup site can be another location operated by the organisation, or contracted via a company that specialises in disaster recovery services. In some cases, an organisation will have an agreement with a second organisation to operate a joint backup site.

There are three main types of backup sites:

cold sites

warm sites

hot sites

Differences between them are determined by costs and effort required to implement each.

Another term used to describe a backup site is a work area recovery site.

Cold Sites: A cold site is the most inexpensive type of backup site for an organisation to operate. It does not include backed-up copies of data and information from the original location of the organisation, nor does it include hardware already set up. The lack of hardware contributes to the minimal start-up costs of the cold site, but requires additional time following the disaster to have the operation running at a capacity close to that prior to the disaster.

Hot Sites: A hot site is a duplicate of the original site of the organisation, with full computer systems as well as near-complete backups of user data. Real-time synchronisation between the two sites may be used to mirror the data environment of the original site, using wide area network links and specialised software. Following a disruption to the original site, the hot site exists so that the organisation can relocate with minimal losses to normal operations. Ideally, a hot site will be up and running within a matter of hours or even less. Personnel may still have to be moved to the hot site, so it is possible that the hot site may be operational from a data processing perspective before staff have relocated. The capacity of the hot site may or may not match the capacity of the original site depending on the organisation's requirements. This type of backup site is the most expensive to operate. Hot sites are popular with organisations that operate real-time processes such as financial institutions, government agencies and e-commerce providers.

Warm Sites: A warm site is, quite logically, a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. Warm sites will have backups on hand, but they may not be complete and may be between several days and a week old. An example would be backup tapes sent to the warm site by courier.

8.1 The following issues arise in choosing a backup site and implementing a DC/DR solution:

Solution architectures of DC and DR are not identical for all the applications and services. Critical applications and services, namely the retail, corporate, trade finance and government business solutions as well as the delivery channels, have the same DR configurations, whereas surround or interfacing applications do not have DR support. Banks will have to conduct periodical reviews with reference to the above aspect and upgrade the DR solutions from time to time, to ensure that all the critical applications and services have a perfect replica in terms of performance and availability.

The configurations of servers, network devices and other products at the DC and DR have to be identical at all times. This includes the patches that are applied at the DC periodically and the changes made to the software from time to time by customisation and parameterisation to account for regulatory requirements, system changes etc.

Periodic checks with reference to ensuring data and transaction integrity between DC and DR are mandatory. They could be done over the weekend or as a part of the EoD/BoD process.

Solutions have to have defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) parameters. These two parameters have a very clear bearing on the technology aspects as well as the process defined for cut-over to the DR and the competency levels required for moving over in the specified time frame.

Values chosen for the RTO and RPO are more a matter of following industry practice than of derivation from first principles. Therefore, the DR drills that are conducted periodically have to ensure that the above parameters are strictly complied with.

Technology operations processes which support business operations (such as EOD/BOD) need to be formally included in the IT Continuity Plan.

Banks may also consider Recovery Time Objective and Recovery Point Objectives (RTO/RPO) for services being offered and not just a specific application (for example, for the internet portal and not retail banking). This is done to avoid any inconsistency in business users' understanding.

DR drills currently conducted periodically come under the category of planned shutdown. Banks have to evolve a suitable methodology to conduct drills which are closer to the real disaster scenario, so that the confidence levels of the technical team taking up this exercise are built up to address the requirement in the event of a real disaster.

It is also recommended that the support infrastructure at the DC and DR, namely the electrical systems, air-conditioning environment and other support systems, have no single point of failure and do have a building management and monitoring system to constantly and continuously monitor the resources. If it is specified that the solution has a high availability of 95 measured on a monthly basis and a mean time to restore of 2 hrs in the event of any failure, it has to include the support systems also.
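The availability and mean-time-to-restore check from the paragraph above, as an added example that is not part of the original text: outages of the UPS and air-conditioning are counted against the solution alongside IT component failures, and overlapping failures are merged so that one power event is not counted twice. Component names, outage times and the report period are constructed.

```python
"""Monthly availability and mean time to restore (MTTR) for a DC solution,
counting outages of the support systems (UPS, air-conditioning) together with
the IT components, as the paragraph above requires.

Added example, not from the source; the outage records are constructed."""
from datetime import datetime, timedelta

SUPPORT_SYSTEMS = {"ups", "hvac", "generator"}   # assumed component names

# Constructed outage log for March 2024: (component, start, end).
# The UPS and air-conditioning outages overlap, as they would in a power event.
OUTAGES = [
    ("core-db",  datetime(2024, 3, 4, 10, 0),  datetime(2024, 3, 4, 11, 30)),
    ("ups",      datetime(2024, 3, 12, 2, 0),  datetime(2024, 3, 12, 2, 45)),
    ("hvac",     datetime(2024, 3, 12, 2, 30), datetime(2024, 3, 12, 4, 0)),
    ("wan-link", datetime(2024, 3, 25, 18, 0), datetime(2024, 3, 25, 18, 20)),
]
REPORT_PERIOD = (datetime(2024, 3, 1), datetime(2024, 4, 1))


def merge_intervals(intervals):
    """Merge overlapping (start, end) pairs so that concurrent failures of
    several components count once as a single service outage."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def availability_report(outages, period_start, period_end, include_support=True):
    """Return (availability %, MTTR, number of service outages).

    Availability is measured on merged service outages; MTTR is averaged over
    individual component repairs, since each component has its own restore time."""
    rows = [(c, s, e) for c, s, e in outages
            if include_support or c not in SUPPORT_SYSTEMS]
    service_outages = merge_intervals([(s, e) for _, s, e in rows])
    downtime = sum((e - s for s, e in service_outages), timedelta())
    availability = 100.0 * (1 - downtime / (period_end - period_start))
    repairs = [e - s for _, s, e in rows]
    mttr = sum(repairs, timedelta()) / len(repairs) if repairs else timedelta()
    return round(availability, 3), mttr, len(service_outages)


def meets_target(outages, period_start, period_end, min_availability, max_mttr_hours):
    """SLA check in the document's terms: an availability floor and an MTTR
    ceiling, with support-system outages included."""
    avail, mttr, _ = availability_report(outages, period_start, period_end)
    return avail >= min_availability and mttr <= timedelta(hours=max_mttr_hours)


if __name__ == "__main__":
    for flag in (False, True):
        avail, mttr, n = availability_report(OUTAGES, *REPORT_PERIOD, include_support=flag)
        print(f"support systems {'included' if flag else 'excluded'}: "
              f"{avail}% available, MTTR {mttr}, {n} service outage(s)")
    print("meets 95 / 2h target:", meets_target(OUTAGES, *REPORT_PERIOD, 95, 2))
```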

The data replication mechanism followed between DC and DR is asynchronous replication, implemented across the industry using either database replication techniques or storage-based replication techniques. They have relative merits and demerits. The RTO and RPO discussed earlier, along with the replication mechanism used and the data transfer required to be accomplished during peak load, will decide the bandwidth required between the DC and the DR. The RPO is directly related to the latency permissible for the transaction data from the DC to update the database at the DR. Therefore, the process implemented for the data replication requirement has to conform to the above, with no compromise to data and transaction integrity.
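An added example (not from the source) of how RPO, peak change volume and link bandwidth are tied together for asynchronous replication: a minute-by-minute queue model finds the smallest DC-to-DR link rate that keeps replication lag, and so the data at risk, within the RPO. The change-volume profile is constructed.

```python
"""Size the DC-to-DR link for asynchronous replication so that replication lag,
and hence the transaction data at risk, never exceeds the RPO during peak load.

Added example, not from the source; the change-volume profile is constructed."""

# Constructed peak-hour profile: MB of changed data generated per minute.
# Steady online traffic with two batch spikes (e.g. an end-of-day run).
CHANGE_MB_PER_MIN = [40] * 20 + [180] * 10 + [60] * 20 + [300] * 5 + [40] * 5


def max_replication_lag_min(change_profile, link_mb_per_min):
    """Simulate an asynchronous replication queue minute by minute: whatever the
    link cannot ship stays as backlog, and the lag (time to drain the backlog,
    i.e. the data that would be lost on a DC failure) is backlog / link rate."""
    backlog = 0.0
    worst_lag = 0.0
    for generated in change_profile:
        backlog = max(0.0, backlog + generated - link_mb_per_min)
        worst_lag = max(worst_lag, backlog / link_mb_per_min)
    return worst_lag


def min_link_mb_per_min(change_profile, rpo_min, step=1.0):
    """Smallest link rate (in steps of `step` MB/min) that keeps worst-case lag
    within the RPO. A link sized on the average rate is not enough: the spikes
    decide it."""
    link = step
    while max_replication_lag_min(change_profile, link) > rpo_min:
        link += step
    return link


def link_mbps(mb_per_min):
    """Convert MB/min into megabits per second for circuit ordering."""
    return mb_per_min * 8 / 60


if __name__ == "__main__":
    avg = sum(CHANGE_MB_PER_MIN) / len(CHANGE_MB_PER_MIN)
    print(f"average change rate {avg:.1f} MB/min ({link_mbps(avg):.1f} Mbps)")
    for rpo in (15, 5, 0):
        need = min_link_mb_per_min(CHANGE_MB_PER_MIN, rpo)
        print(f"RPO {rpo:>2} min -> link >= {need:.0f} MB/min ({link_mbps(need):.1f} Mbps)")
```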

Given the need for drastically minimizing the data loss during exigencies and enable
quick recovery and continuity of critical business operations, banks may need to
consider near site DR architecture. Major banks with significant customer delivery
channel usage and significant participation in financial markets/payment and settlement
systems may need to have a plan of action for creating a near site DR architecture over
the medium term (say, within three years).

8.2 Issues/Challenges in DC/DR implementation by the Banks

Despite considerable advances in equipment and telecommunications design and recovery services, IT disaster recovery is becoming challenging. Continuity and recovery aspects are impacting IT strategy and cost implications are challenging IT budgets.

The time window for recovery is shrinking in the face of the demand for 24 / 365 operations. Some studies claim that around 30 percent of high-availability applications have to be recovered in less than three hours, and a further 45 percent within 24 hours, before losses become unsustainable; others claim that 60 percent of Enterprise Resource Planning (ERP) systems have to be restored in under 24 hours. This means that traditional off-site backup and restore methods are often no longer adequate. It simply takes too long to recover incremental and full image backups of various inter-related applications (backed up at different times), synchronise them and re-create the position as at disaster. Continuous operation–data mirroring to off-site locations and standby computing and telecommunications–may be the only solution.

A risk assessment and business impact analysis should establish the justification for
continuity for specific IT and telecommunication services and applications.

Achieving robust security (security assurance) is not a one-time activity. It cannot be obtained just by purchasing and installing suitable software and hardware. It is a continuous process that requires regular assessment of the security health of the organisation and proactive steps to detect and fix any vulnerability. Every bank should have in place quick and reliable access to expertise for tracking suspicious behaviour, monitoring users and performing forensics. Adequate reporting to the authorities concerned – such as the RBI/IDRBT/CERT-In and other institutions – should be an automatic sub-process whenever such events occur.
Important steps that need to be institutionalised are the following:

Rigorous self-assessment of security measures by banks and comprehensive security audit by external agencies, as detailed under the “Chapter on Information Security” earlier.

Random Security Preparedness. It is proposed that a sufficiently large “question bank” related to the security health of the organisation be prepared and given to RBI's inspection teams who go for inspection of banks. A random subset of these queries could then be given to a bank's IT team, for which answers need to be provided in near real time. Sample checks related to user accounts could be the number of new accounts, terminated accounts and most active accounts. There could also be demonstrations of data recovery from archives.

Telecommunications issues may also arise: It is important to ensure that relevant links are in place and that communications capability is compatible. The adequacy of voice and data capacity needs to be checked. Telephony needs to be switched from the disaster site to the standby site. A financial institution's BCP should consider addressing diversity guidelines for its telecommunications capabilities. This is particularly important for the financial services sector that provides critical payment, clearing, and settlement processes; however, diversity guidelines should be considered by all financial institutions and should be commensurate with the institution's size, complexity, and overall risk profile. Diversity guidelines may include arrangements with multiple telecommunications providers. However, diverse routing may be difficult to achieve since primary telecommunications carriers may have an agreement with the same sub-carriers to provide local access service, and these sub-carriers may also have a contract with the same local access service providers. Financial institutions do not have any control over the number of circuit segments that will be needed, and they typically do not have a business relationship with any of the sub-carriers. Consequently, it is important for financial institutions to understand the relationship between their primary telecommunications carrier and these various sub-carriers and how this complex network connects to their primary and back-up facilities. To determine whether telecommunications providers use the same sub-carrier or local access service provider, banks may consider performing an end-to-end trace of all critical or sensitive circuits to search for single points of failure such as a common switch, router, PBX, or central telephone office.

Banks may consider the following telecommunications diversity components to enhance BCP:

Alternative media, such as secure wireless systems

Internet protocol networking equipment that provides easily configurable re-routing and traffic load balancing capabilities

Local services to more than one telecommunications carrier's central office, or diverse physical paths to independent central offices

Multiple, geographically diverse cables and separate points of entry

Frame relay circuits that do not require network interconnections, which often cause delays due to concentration points between frame relay providers

Separate power sources for equipment with generator or uninterruptible power supply back-up

Separate connections to back-up locations

Regular use of multiple facilities in which traffic is continually split between the connections; and

Separate suppliers for hardware and software infrastructure needs.

Banks need to monitor their service relationship with telecommunications providers in order to manage the inherent risks more effectively. In coordination with vendors, management should ensure that risk management strategies include the following, at a minimum:

– Establish service level agreements that address contingency measures and change management for services provided;

– Ensure that primary and back-up telecommunications paths do not share a single point of failure;

– Establish processes to periodically inventory and validate telecommunications circuits and routing paths through comprehensive testing.

Some vendors offer a drop-ship service as an alternative to occupying the standby site. That is, in the event of equipment failure, for instance, they will drop off a replacement rather than insist the client occupy the standby site, with all the inconvenience that may involve. But it is essential that a site survey is undertaken to ensure they can be parked on the required site. Most commercial standby sites offering IT and work area recovery facilities do not guarantee a service: the contract merely provides access to the equipment. Although most reputable vendors will negotiate a Service Level Agreement that specifies the quality of the service, it is rarely offered.

It is important to ensure that a bank’s service will not suffer from unacceptable
downtime or response. The vendor may have skilled staff available – but this is
rarely guaranteed and they come at a cost. In terms of cost, there may be additional
fees to pay for testing, on invocation of a disaster, and for occupation in a disaster.
The vendor charging structure also needs to be carefully considered.

Outsourcing Risks: In theory a commercial hot or warm standby site is available 24 / 365. It has staff skilled in assisting recovery. Its equipment is constantly kept up to date, while older equipment remains supported. It is always available for use and offers testing periods once or twice a year. The practice may be different. These days, organisations have a wide range of equipment from different vendors and different models from the same vendor. Not every commercial standby site is able to support the entire range of equipment that a bank may have. Instead, vendors form alliances with others – but this may mean that a bank's recovery effort is split between more than one standby site. The standby site may not have identical IT equipment: instead of the use of an identical piece of equipment, it will offer a partition on a compatible large computer or server. Operating systems and security packages may not be the same version as the client usually uses. These aspects may cause setbacks when attempting recovery of IT systems and applications – and weak change control at the recovery site could cause a disaster on return to the normal site.

It is the responsibility of the IT manager/bank to ensure effective recovery by those vendors, who apply the highest standards, supporting this by a stringent contract, clearly defining service specifications and technical requirements, and service-level agreements.
Information and network security
Introduction:

Information and the knowledge based on it have increasingly become recognised as ‘information assets’, which are vital enablers of business operations. Hence, they require organisations to provide adequate levels of protection. For banks, as purveyors of money in physical form or in bits and bytes, reliable information is even more critical and hence information security is a vital area of concern.

Robust information is at the heart of risk management processes in a bank. Inadequate data quality is likely to induce errors in decision making. Data quality requires building processes, procedures and disciplines for managing information and ensuring its integrity, accuracy, completeness and timeliness. The fundamental attributes supporting data quality should include accuracy, integrity, consistency, completeness, validity, timeliness, accessibility, usability and auditability. The data quality provided by various applications depends on the quality and integrity of the data upon which that information is built. Entities that treat information as a critical organisational asset are in a better position to manage it proactively.

Information security not only deals with information in various channels like spoken, written, printed, electronic or any other medium but also with information handling in terms of creation, viewing, transportation, storage or destruction. This is in contrast to IT security, which is mainly concerned with security of information within the boundaries of the network infrastructure technology domain. From an information security perspective, the nature and type of compromise is not as material as the fact that security has been breached.

To achieve effective information security governance, bank management must establish and maintain a framework to guide the development and maintenance of a comprehensive information security programme.

Basic Principles of Information Security:

For over twenty years, information security has held confidentiality, integrity and
availability (known as the CIA triad) to be the core principles. There is continuous
debate about extending this classic trio. Other principles such as Authenticity, Non-
repudiation and accountability are also now becoming key considerations for practical
security installations.

Confidentiality: Confidentiality is the term used to prevent the disclosure of information to unauthorised individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorised party obtains the card number in any way, a breach of confidentiality has occurred. Breaches of confidentiality take many forms like Hacking, Phishing, Vishing, Email-spoofing, SMS spoofing, and sending malicious code through email or Bot Networks, as discussed earlier.
Integrity: In information security, integrity means that data cannot be modified without authorisation. This is not the same thing as referential integrity in databases.

Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when he/she is able to modify his own salary in a payroll database, when an employee uses programmes and deducts small amounts of money from all customer accounts and adds it to his/her own account (also called the salami technique), when an unauthorised user vandalises a web site, and so on.

On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised. Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity.
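An added detection example, not from the original text, for the salami case described above: every posting is balanced, so batch control totals pass, and the check has to look across postings for one beneficiary account collecting many sub-rupee debits from distinct customer accounts. Account numbers, amounts and the authorised GL names are constructed.

```python
"""Detect the 'salami' integrity violation described above: many tiny debits
taken from distinct customer accounts and credited to one account that is not
an authorised income/suspense GL. Batch control totals do not catch this,
because each posting is balanced; the pattern across postings does.

Added example, not from the source; accounts and amounts are constructed."""
from collections import defaultdict
from decimal import Decimal

# GL accounts that legitimately receive rounding/interest fractions (assumed names).
AUTHORISED_GLS = {"INT-INCOME-GL", "ROUNDING-SUSPENSE-GL"}

# Constructed posting batch: (debit_account, credit_account, amount in rupees).
POSTINGS = [
    # legitimate interest rounding to the income GL
    ("CUST0001", "INT-INCOME-GL", Decimal("0.37")),
    ("CUST0002", "INT-INCOME-GL", Decimal("0.42")),
    ("CUST0003", "INT-INCOME-GL", Decimal("0.29")),
    ("CUST0004", "INT-INCOME-GL", Decimal("0.48")),
    ("CUST0005", "INT-INCOME-GL", Decimal("0.31")),
    ("CUST0006", "INT-INCOME-GL", Decimal("0.40")),
    # an ordinary customer transfer
    ("CUST0007", "CUST0008", Decimal("5000.00")),
    # fractions siphoned from many customers into one customer account
    ("CUST0101", "CUST9999", Decimal("0.41")),
    ("CUST0102", "CUST9999", Decimal("0.38")),
    ("CUST0103", "CUST9999", Decimal("0.45")),
    ("CUST0104", "CUST9999", Decimal("0.49")),
    ("CUST0105", "CUST9999", Decimal("0.40")),
    ("CUST0106", "CUST9999", Decimal("0.44")),
    ("CUST0107", "CUST9999", Decimal("0.47")),
    ("CUST0108", "CUST9999", Decimal("0.41")),
]


def find_salami(postings, authorised_gls, max_amount=Decimal("1.00"), min_sources=5):
    """Return {beneficiary: (distinct_sources, total)} for every account outside
    `authorised_gls` that is credited with at least `min_sources` debits of
    `max_amount` or less from distinct accounts. The thresholds are tuning
    parameters for a review queue, not fixed rules."""
    sources = defaultdict(set)
    totals = defaultdict(Decimal)
    for debit_acct, credit_acct, amount in postings:
        if credit_acct in authorised_gls or amount > max_amount:
            continue
        sources[credit_acct].add(debit_acct)
        totals[credit_acct] += amount
    return {acct: (len(srcs), totals[acct])
            for acct, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for acct, (n, total) in find_salami(POSTINGS, AUTHORISED_GLS).items():
        print(f"review {acct}: {n} small credits from distinct accounts, total {total}")
```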

Availability: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.

Authenticity: In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.

Non-repudiation: In law, non-repudiation implies one's intention to fulfil one's obligations under a contract/transaction. It also implies that a party to a transaction cannot deny having received or having sent an electronic record. Electronic commerce uses technology such as digital signatures and encryption to establish authenticity and non-repudiation.

In addition to the above, there are other security-related concepts and principles
when designing a security policy and deploying a security solution. They include
identification, authorization, accountability, and auditing.

Identification: Identification is the process by which a subject professes an
identity and accountability is initiated. A subject must provide an identity to a
system to start the process of authentication, authorization and accountability.
Providing an identity can be typing in a username, swiping a smart card, waving
a proximity device, speaking a phrase, or positioning face, hand, or finger for a
camera or scanning device. Providing a process ID number also represents the
identification process. Without an identity, a system has no way to correlate an
authentication factor with the subject.

Authorization: Once a subject is authenticated, access must be authorized.
The process of authorization ensures that the requested activity or access to an
object is possible given the rights and privileges assigned to the authenticated
identity. In most cases, the system evaluates an access control matrix that
compares the subject, the object, and the intended activity. If the specific action
is allowed, the subject is authorized. Otherwise, the subject is not authorized.

Accountability and auditability: An organization’s security policy can be
properly enforced only if accountability is maintained, i.e., security can be
maintained only if subjects are held accountable for their actions. Effective
accountability relies upon the capability to prove a subject’s identity and track
their activities. Accountability is established by linking a human to the activities of
an online identity through the security services and mechanisms of auditing,
authorization, authentication, and identification. Thus, human accountability is
ultimately dependent on the strength of the authentication process. Without a
reasonably strong authentication process, there is doubt that the correct human
associated with a specific user account was the actual entity controlling that user
account when an undesired action took place.
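The four steps just described (identification, authentication, authorization against an access control matrix, and accountability through an audit trail) fit in one short flow. The following is an added example written for this page, not code from the IIBF material or from any bank's system; the users, objects, passwords and salts are constructed placeholders, and the matrix deliberately lets the auditor read the audit log while denying it to the user whose actions it records.

```python
"""Identification, authentication, authorization and accountability as one
small flow.  Added example, not code from the IIBF material; the users,
objects, passwords and salts below are constructed placeholders."""
import hashlib
import hmac
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the credential store never holds cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Credential store (constructed): username -> (salt, password hash).
_SALTS = {"alice": b"constructed-salt-alice", "bob": b"constructed-salt-bob"}
CREDENTIALS = {
    "alice": (_SALTS["alice"], _hash_password("correct horse battery", _SALTS["alice"])),
    "bob": (_SALTS["bob"], _hash_password("bob-pass-2024", _SALTS["bob"])),
}

# Access control matrix (constructed): (subject, object) -> permitted actions.
# Bob is the auditor: he may read the audit log; Alice, whose actions it
# records, may not, so she cannot tamper with her own trail.
ACCESS_MATRIX = {
    ("alice", "customer_accounts"): {"read", "update"},
    ("alice", "payroll_db"): {"read"},
    ("bob", "customer_accounts"): {"read"},
    ("bob", "audit_log"): {"read"},
}

# Accountability: every authentication and authorization decision is recorded
# against the identity that was presented, whatever the outcome.
AUDIT_LOG = []


def _audit(subject: str, obj: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "object": obj, "action": action, "outcome": outcome,
    })


def authenticate(username: str, password: str) -> bool:
    """Identification (the username) followed by authentication (the password)."""
    record = CREDENTIALS.get(username)
    if record is None:
        _audit(username, "-", "login", "unknown identity")
        return False
    salt, stored = record
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    _audit(username, "-", "login", "success" if ok else "bad password")
    return ok


def authorize(subject: str, obj: str, action: str) -> bool:
    """Authorization: consult the matrix for subject, object and intended activity."""
    allowed = action in ACCESS_MATRIX.get((subject, obj), set())
    _audit(subject, obj, action, "allowed" if allowed else "denied")
    return allowed


def request(username: str, password: str, obj: str, action: str) -> str:
    """Full flow; returns 'allowed', 'denied' or 'authentication failed'."""
    if not authenticate(username, password):
        return "authentication failed"
    return "allowed" if authorize(username, obj, action) else "denied"


def audit_trail(subject: str) -> list:
    """Everything attributed to one identity, for the auditor's review."""
    return [e for e in AUDIT_LOG if e["subject"] == subject]


if __name__ == "__main__":
    print(request("alice", "correct horse battery", "customer_accounts", "update"))
    print(request("alice", "correct horse battery", "audit_log", "read"))
    print(request("mallory", "guess", "customer_accounts", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a failed login is logged against the identity that was claimed, not against a verified person; this is exactly the gap the text describes, where weak authentication leaves doubt about who actually controlled the account.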

Information Security Governance

Information security governance consists of the leadership, organizational structures
and processes that protect information and mitigate growing information security
threats like the ones detailed above.

Critical outcomes of information security governance include:

- Alignment of information security with business strategy to support
  organizational objectives
- Management and mitigation of risks and reduction of potential impacts on
  information resources to an acceptable level
- Management of performance of information security by measuring, monitoring
  and reporting information security governance metrics to ensure that
  organizational objectives are achieved
- Optimisation of information security investments in support of organizational
  objectives

It is important to consider the organisational necessity and benefits of information
security governance. They include increased predictability and the reduction of
uncertainty in business operations, a level of assurance that critical decisions are not
based on faulty information, enabling efficient and effective risk management,
protection from the increasing potential for legal liability, process improvement, reduced
losses from security-related events and prevention of catastrophic consequences and
improved reputation in the market and among customers.

A comprehensive security programme needs to include the following main activities:

- Development and ongoing maintenance of security policies
- Assignment of roles, responsibilities and accountability for information security
- Development/maintenance of a security and control framework that consists of
  standards, measures, practices and procedures
- Classification and assignment of ownership of information assets
- Periodic risk assessments and ensuring adequate, effective and tested
  controls for people, processes and technology to enhance information security
- Ensuring security is integral to all organizational processes
- Processes to monitor security incidents
- Effective identity and access management processes
- Generation of meaningful metrics of security performance
- Information security related awareness sessions to users/officials including
  senior officials and board members

Organizational Structure, Roles and Responsibilities:

Boards of Directors/Senior Management

The Board of Directors is ultimately responsible for information security. Senior
Management is responsible for understanding risks to the bank to ensure that they are
adequately addressed from a governance perspective. To do so effectively requires
managing risks, including information security risks, by integrating information security
governance in the overall enterprise governance framework of the organization. It is
reported that the effectiveness of information security governance is dependent on the
involvement of the Board/senior management in approving policy and appropriate
monitoring of the information security function.

The major role of top management involves implementing the Board approved
information security policy, establishing necessary organizational processes for
information security and providing necessary resources for successful information
security. It is essential that senior management establish an expectation for strong
cyber security and communicate this to their officials down the line. It is also essential
that the senior organizational leadership establish a structure for implementation of an
information security programme to enable a consistent and effective information
security programme implementation apart from ensuring the accountability of
individuals for their performance as it relates to cyber security.

Given that today’s banking is largely dependent on IT systems and since most of the
internal processing requirements of banks are electronic, it is essential that adequate
security systems are fully integrated into the IT systems of banks. It would be optimal to
classify these based on the risk analysis of the various systems in each bank and
specific risk mitigation strategies need to be in place.

Information security team/function

Banks should form a separate information security function/group to focus exclusively
on information security management. There should be segregation of the duties of the
Security Officer/Group dealing exclusively with information systems security and the
Information Technology Division which actually implements the computer systems. The
organization of the information security function should be commensurate with the
nature and size of activities of a bank including a variety of e-banking systems and
delivery channels of a bank. The information security function should be adequately
resourced in terms of the number of staff, level of skills and tools or techniques like risk
assessment, security architecture, vulnerability assessment, forensic assessment, etc.
While the information security group/function itself and information security governance
related structures should not be outsourced, specific operational components relating
to information security can be outsourced, if required resources are not available within
a bank. However, the ultimate control and responsibility rests with the bank.

Information Security Committee

Since information security affects all aspects of an organization, in order to consider
information security from a bank-wide perspective a steering committee of executives
should be formed with formal terms of reference. The Chief Information Security Officer
would be the member secretary of the Committee. The committee may include, among
others, the Chief Executive Officer (CEO) or designee, chief financial officer (CFO),
business unit executives, Chief Information Officer (CIO)/ IT Head, Heads of human
resources, legal, risk management, audit, operations and public relations.

A steering committee serves as an effective communication channel for management’s
aims and directions and provides an ongoing basis for ensuring alignment of the
security programme with organizational objectives. It is also instrumental in achieving
behavior change toward a culture that promotes good security practices and
compliance with policies.

Major responsibilities of the Information Security Committee, inter-alia, include:

- Developing and facilitating the implementation of information security policies,
  standards and procedures to ensure that all identified risks are managed within
  a bank’s risk appetite
- Approving and monitoring major information security projects and the status of
  information security plans and budgets, establishing priorities, approving
  standards and procedures
- Supporting the development and implementation of a bank-wide information
  security management programme
- Reviewing the position of security incidents and various information security
  assessments and monitoring activities across the bank
- Reviewing the status of security awareness programmes
- Assessing new developments or issues relating to information security
- Reporting to the Board of Directors on information security activities

Minutes of the Steering Committee meetings should be maintained to document the
committee’s activities and decisions and a review on information security needs to be
escalated to the Board on a quarterly basis.

Chief information security officer (CISO)

A sufficiently senior level official, of the rank of GM/DGM/AGM, should be designated
as Chief Information Security Officer, responsible for articulating and enforcing the
policies that banks use to protect their information assets apart from coordinating the
security related issues / implementation within the organization as well as relevant
external agencies. The CISO needs to report directly to the Head of Risk Management
and should not have a direct reporting relationship with the CIO. However, the CISO
may have a working relationship with the CIO to develop the required rapport to
understand the IT infrastructure and operations, to build effective security in IT across
the bank, in tune with business requirements and objectives.

Critical components of information security:

Policies and procedures:

Banks need to frame Board approved Information Security Policy and identify
and implement appropriate information security management
measures/practices keeping in view their business needs.
The policies need to be supported with relevant standards, guidelines and
procedures. A policy framework would, inter-alia, incorporate/take into
consideration the following:

- An information security strategy that is aligned with business objectives
  and the legal requirements
- Objectives, scope, ownership and responsibility for the policy
- Information security organisational structure
- Information security roles and responsibilities that may include
  information security-specific roles like IT security manager/officer,
  administrators, information security specialists and information
  asset-specific roles like owners, custodians, end users
- Periodic reviews of the policy – at least annually and in the event of
  significant changes necessitating revision
- A periodic compliance review of the policy – about the adherence of
  users to information security policies and put up to the information
  security committee
- Exceptions: An exception policy for handling instances of non-compliance
  with the information security policy including critical aspects like
  exception criteria including whether there is genuine need for
  exceptions, management of the exception log or register, authority to
  grant exemptions, expiry of exceptions and the periodicity of review of
  exceptions granted. Where exemptions are granted, banks need to
  review and assess the adequacy of compensating controls initially and on
  an ongoing basis. A sign-off needs to be obtained from the CISO on the
  exceptions
- Penal measures for violation of policies and the process to be followed in
  the event of violation
- Identification, authorisation and granting of access to IT assets (by
  individuals and other IT assets)
- Addressing the various stages of an IT asset’s life to ensure that
  information security requirements are considered at each stage of the
  lifecycle
- An incident monitoring and management process to address the
  identification and classification of incidents, reporting, escalation,
  preservation of evidence, the investigation process
- Management of technology solutions for information security like a
  firewall, antivirus/anti-malware software, intrusion detection/prevention
  systems, cryptographic systems and monitoring/log analysis
  tools/techniques
- Management and monitoring of service providers that provides for
  overseeing the management of information security risks by third parties
- Clearly indicating acceptable usage of IT assets including application
  systems that define the information security responsibilities of users (staff,
  service providers and customers) in regard to the use of IT assets
- Requirements relating to recruitment and selection of qualified staff and
  external contractors that define the framework for vetting and monitoring
  of personnel, taking into account the information security risk
- Strategy for periodic training and enhancing skills of information security
  personnel, requirement of continuous professional education
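The exception item in the list above names the elements an exception register must carry: a genuine need, a compensating control, CISO sign-off, an expiry, a periodic review and withdrawal when the compensating controls prove inadequate. The following register is an added example written for this page, not code from the IIBF material or from any bank; the reference numbers, systems, dates and 90-day review interval are constructed assumptions.

```python
"""Policy exception register: an exception is recorded only with a
compensating control, an expiry date and CISO sign-off, and is re-reviewed at
a fixed interval, with withdrawal when the compensating controls are found
inadequate.  Added example, not from the IIBF material; refs and dates are
constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class PolicyException:
    ref: str                      # register entry id, e.g. "EXC-001" (constructed)
    policy: str                   # which policy is being excepted
    system: str                   # affected asset
    justification: str            # the genuine need that was established
    compensating_control: str     # what reduces the risk while the exception stands
    granted_on: date
    expires_on: date              # every exception expires; no open-ended grants
    review_every_days: int = 90   # periodicity of review of the exception
    ciso_signed_off: bool = False
    last_reviewed: Optional[date] = None


class ExceptionRegister:
    def __init__(self) -> None:
        self._items: Dict[str, PolicyException] = {}

    def grant(self, exc: PolicyException) -> None:
        """Exception criteria: reject anything without sign-off, control or expiry."""
        if not exc.ciso_signed_off:
            raise ValueError(f"{exc.ref}: CISO sign-off required before grant")
        if not exc.compensating_control.strip():
            raise ValueError(f"{exc.ref}: a compensating control is required")
        if exc.expires_on <= exc.granted_on:
            raise ValueError(f"{exc.ref}: expiry must fall after the grant date")
        exc.last_reviewed = exc.granted_on   # the initial adequacy assessment
        self._items[exc.ref] = exc

    def active(self, today: date) -> List[str]:
        return sorted(r for r, e in self._items.items() if e.expires_on > today)

    def expired(self, today: date) -> List[str]:
        return sorted(r for r, e in self._items.items() if e.expires_on <= today)

    def review_due(self, today: date) -> List[str]:
        """Active exceptions whose periodic review interval has elapsed."""
        return sorted(
            r for r, e in self._items.items()
            if e.expires_on > today
            and (today - e.last_reviewed).days >= e.review_every_days
        )

    def record_review(self, ref: str, today: date, controls_adequate: bool) -> None:
        """Ongoing assessment; an inadequate compensating control withdraws the exception."""
        exc = self._items[ref]
        if not controls_adequate:
            exc.expires_on = today
        exc.last_reviewed = today

    def entry(self, ref: str) -> PolicyException:
        return self._items[ref]
```

Whoever runs the review cycle calls review_due with today's date, assesses each listed entry and records the result; an exception that is allowed to lapse simply moves from active to expired without anyone having to remember to revoke it.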
Specific policies that would be required include, but are not limited to, the
following:

- Logical Access Control
- Asset Management
- Network Access Control
- Password management
- E-mail security
- Remote access
- Mobile computing
- Network security
- Application security
- Backup and archival
- Operating system security
- Database administration and security
- Physical security
- Capacity Management
- Incident response and management
- Malicious software
- IT asset/media management
- Change Management
- Patch Management
- Internet security
- Desktop
- Encryption
- Security of electronic delivery channels
- Wireless security
- Application/data migration

Accountability for security is increased through clear job descriptions,
employment agreements and policy awareness acknowledgements. It is
important to communicate the general and specific security roles and
responsibilities for all employees within their job descriptions. The job
descriptions for security personnel should also clearly describe the systems and
processes they will protect and their responsibility towards control processes.
Management should expect all employees, officers and contractors/consultants
to comply with security and acceptable-use policies and protect the institution’s
assets, including information.

Given the critical role of security technologies as part of the information security
framework, banks need to subject them to suitable controls across their lifecycle
like guidelines on their usage, standards and procedures indicating the detailed
objectives and requirements of individual information security-specific
technology solutions, authorisation for individuals who would be handling the
technology, addressing segregation of duties issues, appropriate configurations
of the devices that provide the best possible security, regularly assessing their
effectiveness and fine-tuning them accordingly, and identification of any
unauthorised changes.

Digital evidence is similar to any other form of legal proof: it needs to withstand
challenges to its integrity, its handling must be carefully tracked and
documented, and it must be suitably authenticated by concerned personnel as
per legal requirements. Since the evidence resides on or is generated by a
digital device, a trained information security official or skilled digital forensics
examiner may need to be involved in the handling process to ensure that any
material facts are properly preserved and introduced. A suitable policy needs to be
in place in this regard.

Risk Assessment

The likelihood that a threat will use a vulnerability to cause harm creates a risk. When
a threat does use a vulnerability to inflict harm, it has an impact. In the context of
information security, the impact is a loss of availability, integrity and confidentiality,
and possibly other losses (lost income, loss of life, loss of property).

Risk assessment is the core competence of information security management. The
risk assessment must, for each asset within its scope, identify the
threat/vulnerability combinations that have a likelihood of impacting the
confidentiality, availability or integrity of that asset, from a business, compliance or
contractual perspective. Standards like ISO 27001 and ISO 27002 are explicit in
requiring a risk assessment to be carried out before any controls are selected and
implemented and are equally explicit that the selection of every control must be
justified by a risk assessment.

In broad terms, the risk management process consists of:

- Identification of assets and estimation of their value. Some aspects to be included
  are people, buildings, hardware, software, data (electronic, print) and supplies
- Conducting a threat assessment which may include aspects like acts of nature, acts
  of war, accidents, malicious acts originating from inside or outside the
  organization
- Conducting a vulnerability assessment for each vulnerability and calculating the
  probability that it will be exploited. Evaluating policies, procedures, standards,
  training, physical security, quality control and technical security in this regard
- Calculating the impact that each threat would have on each asset through
  qualitative or quantitative analysis
- Identifying, selecting and implementing appropriate controls. Providing proportional
  response including considerations like productivity, cost effectiveness, and the
  value of the asset
- Evaluating the effectiveness of the control measures. Ensuring the controls provide
  the required cost-effective protection.

The process of risk management is an ongoing iterative process. The business
environment is constantly changing and new threats and vulnerabilities emerge
every day. The choice of countermeasures or controls used to manage risks must
strike a balance between productivity, cost-effectiveness of the countermeasure
and the value of the informational asset being protected. The risk assessment
should be carried out by a team of people who have knowledge of specific areas of
the business. The assessment may use a subjective qualitative analysis based on
informed opinion, or where reliable figures and historical information is available,
quantitative analysis.

Quantitative methods involve assigning numerical measurements that can be
entered into the analysis to determine total and residual risks. The various aspects
that are considered a part of measurements include costs to safeguard the
information and information systems, value of that information and those systems,
threat frequency and probability, and the effectiveness of controls. A shortcoming
of quantitative methods is a lack of reliable and predictive data on threat frequency
and probability. This shortcoming is generally addressed by assigning numeric
values based on qualitative judgments.

Qualitative analysis involves the use of scenarios and attempts to determine the
seriousness of threats and the effectiveness of controls. Qualitative analysis is by
definition subjective, relying upon judgment, knowledge, prior experience and
industry information. Qualitative techniques may include walk-throughs,
surveys/questionnaires, interviews and specific workgroups to obtain information
about the various scenarios.
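The quantitative measurements the text lists (asset value, threat frequency and probability, control cost and control effectiveness) combine into the standard single loss expectancy, annualised loss expectancy and residual risk figures, with a simple ordinal score as the qualitative fallback the text describes for cases where frequency data is unreliable. The following is an added example written for this page, not a calculation from the IIBF material or from any bank's risk register; every asset value, exposure factor, rate of occurrence and control cost is a constructed figure.

```python
"""Quantitative risk assessment with single loss expectancy (SLE), annual
rate of occurrence (ARO) and annualised loss expectancy (ALE), plus the
cost-benefit test for a proposed control and a qualitative fallback where no
reliable frequency data exists.  Added example, not from the IIBF material;
all asset values, factors and costs are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # replacement / business value in currency units
    classification: str     # level from the information classification scheme


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset's value lost per event (0..1)
    aro: float              # expected events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    effectiveness: float    # fraction of the expected loss the control removes (0..1)


def sle(asset: Asset, threat: Threat) -> float:
    """Single loss expectancy: loss from one occurrence of the threat."""
    return asset.value * threat.exposure_factor


def ale(asset: Asset, threat: Threat) -> float:
    """Annualised loss expectancy: SLE scaled by how often the threat materialises."""
    return sle(asset, threat) * threat.aro


def residual_ale(asset: Asset, threat: Threat, control: Control) -> float:
    """Expected annual loss that remains after the control is in place."""
    return ale(asset, threat) * (1.0 - control.effectiveness)


def control_net_benefit(asset: Asset, threat: Threat, control: Control) -> float:
    """Loss removed per year minus what the control costs; positive means justified."""
    return ale(asset, threat) - residual_ale(asset, threat, control) - control.annual_cost


def risk_register(pairs: List[Tuple[Asset, Threat]]) -> List[Tuple[str, str, float]]:
    """Asset/threat combinations ranked by ALE, highest first."""
    rows = [(a.name, t.name, ale(a, t)) for a, t in pairs]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Qualitative fallback: ordinal likelihood x impact when the numbers are unreliable.
_LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(likelihood: str, impact: str) -> int:
    return _LEVELS[likelihood] * _LEVELS[impact]


# Constructed scenario for a stand-alone run.
CBS_DB = Asset("core banking database", 1_000_000.0, "confidential")
ATM_NET = Asset("ATM switch link", 200_000.0, "restricted")
OUTAGE = Threat("prolonged data-centre power failure", exposure_factor=0.25, aro=0.5)
TAMPER = Threat("untested bulk update by an insider", exposure_factor=0.5, aro=0.1)
UPS_GEN = Control("UPS and generator with quarterly test", annual_cost=20_000.0, effectiveness=0.75)

if __name__ == "__main__":
    for row in risk_register([(CBS_DB, OUTAGE), (CBS_DB, TAMPER), (ATM_NET, OUTAGE)]):
        print(row)
    print("net benefit of UPS/generator on the CBS database:",
          control_net_benefit(CBS_DB, OUTAGE, UPS_GEN))
```

The ranking is what drives control selection: a control whose annual cost exceeds the ALE it removes is not justified by the assessment, whatever its technical merit.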

Inventory and information/data classification

Effective control requires a detailed inventory of information assets. Such a list is the
first step in classifying the assets and determining the level of protection to be provided
to each asset.

The inventory record of each information asset should, at the least, include:

- A clear and distinct identification of the asset
- Its relative value to the organization
- Its location
- Its security/risk classification
- Its asset group (where the asset forms part of a larger information system)
- Its owner
- Its designated custodian

Information assets have varying degrees of sensitivity and criticality in meeting
business objectives. By assigning classes or levels of sensitivity and criticality to
information resources and establishing specific security rules/requirements for each
class, it is possible to define the level of access controls that should be applied to each
information asset. Classification of information reduces the risk and cost of over- or
under-protecting information resources in aligning security with business objectives
since it helps to build and maintain a consistent and uniform perspective of the security
requirements for information assets throughout the organization. ISO 27001 standards
require the inventorying of information assets and the classification, handling and
labelling of information in accordance with preset guidelines.

Defining roles and responsibilities

All defined and documented responsibilities and accountabilities must be established
and communicated to all relevant personnel and management. Some of the major ones
include:

Information owner

This is a business executive or business manager who is responsible for a bank’s
business information asset. Responsibilities would include, but not be limited to:

- Assigning initial information classification and periodically reviewing the
  classification to ensure it still meets business needs
- Ensuring security controls are in place commensurate with the classification
- Reviewing and ensuring currency of the access rights associated with
  information assets they own
- Determining security requirements, access criteria and backup requirements
  for the information assets they own

Information custodian

The information custodian, usually an information systems official, is the delegate of
the information owner with primary responsibilities for dealing with backup and
recovery of the business information. Responsibilities include, but are not limited to,
the following:

- Performing backups according to the backup requirements established by the
  information owner
- When necessary, restoring lost or corrupted information from backup media to
  return the application to production status
- Ensuring record retention requirements are met based on the information
  owner’s requirements

Application owner

The application owner is the manager of the business line who is fully accountable for
the performance of the business function served by the application. Responsibilities,
inter-alia, include:

- Establishing user access criteria, availability requirements and audit trails for
  their applications
- Ensuring security controls associated with the application are commensurate
  with support for the highest level of information classification used by the
  application
- Performing or delegating the following: day-to-day security administration,
  approval of exception access requests, appropriate actions on security violations
  when notified by the security administration, the review and approval of all
  changes to the application prior to being placed in the production environment,
  and verification of the currency of user access rights to the application

User manager

The user manager is the immediate manager or supervisor of an employee or HR
official of the business function in which an employee works. He has the ultimate
responsibility for all user IDs and information assets owned by bank employees. In the
case of non-employee individuals such as contractors, consultants, etc., this manager
is responsible for the activity and for the bank assets used by these individuals. He/she
is usually the manager responsible for hiring the outside contractor. Responsibilities
include the following:

- Informing security administration of the termination of any employee so
  that the user ID owned by that individual can be revoked, suspended or made
  inaccessible in a timely manner
- Informing security administration of the transfer of any employee if
  the transfer involves the change of access rights or privileges
- Reporting any security incident or suspected incident to the
  Information Security function
- Ensuring that employees are aware of relevant security policies,
  procedures and standards to which they are accountable

Security Administrator

Security administrators have the powers to set system-wide security controls or
administer user IDs and information resource access rights. These security
administrators usually report to the Information Security function. Responsibilities
include the following:

- Understanding different data environments and the impact of granting access to
  them
- Ensuring access requests are consistent with the information directions and security
  guidelines
- Administering access rights according to criteria established by the Information
  Owners
- Creating and removing user IDs as directed by the user manager
- Administering the system within the scope of their job description and functional
  responsibilities
- Distributing and following up on security violation reports


End user

The end users would be any employees, contractors or vendors of the bank who use
information systems resources as part of their job. Responsibilities include:

- Maintaining confidentiality of log-in password(s)
- Ensuring security of information entrusted to their care
- Using bank business assets and information resources for management
  approved purposes only
- Adhering to all information security policies, procedures, standards and
  guidelines
- Promptly reporting security incidents to management.

Access Control

An effective process for access to information assets is one of the critical
requirements of information security. Internal sabotage, clandestine espionage or
furtive attacks by trusted employees, contractors and vendors are among the
most serious potential risks that a bank faces. Current and past employees,
contractors, vendors and those who have an intimate knowledge of the inner
workings of the bank’s systems, operations and internal controls have a
significant advantage over external attackers. A successful attack could
jeopardise customer confidence in a bank’s internal control systems and
processes.

Hence, access to information assets needs to be authorised by a bank only
where a valid business need exists and only for the specific time period that the
access is required. The various factors that need to be considered when
authorising access to users and information assets, inter-alia, include business
role, physical location, method of connectivity, remote access, time, anti-malware
and patch updation status, nature of device used and software /operating
system.

The provision of access involves various stages like identification and
authentication, which involve determination of the person or IT asset requesting
access and confirmation of the purported identity, and authorisation. This
involves an assessment of whether access is allowed to an information asset by
the requestor based on the needs of the business and the level of information
security required. These processes are applicable to both users as well as IT
assets.
A bank should take appropriate measures to identify and authenticate users or IT
assets. The required strength of authentication needs to be commensurate with
risk. Common techniques for increasing the strength of identification and
authentication include the use of strong password techniques (i.e. increased
length, complexity, re-use limitations and frequency of change) and increasing
the number and/or type of authentication factors used.
Examples where increased authentication strength may be required, given
the risks involved, include: administration or other privileged access to sensitive
or critical IT assets, remote access through public networks to sensitive assets
and activities carrying higher risk like third-party fund transfers, etc. The period
for which authentication is valid would need to be commensurate with the risk.
Among the important controls that banks need to consider are:

- A systematic process of applying and authorizing the creation of user
  ids and the access control matrix
- Conducting a risk assessment and granting access rights based on the
  same. For example, contractors and temporary staff would have higher
  inherent risks
- Implementation of role-based access control policies designed to
  ensure effective segregation of duties
- Changing default user names and/or passwords of systems and
  prohibiting sharing of user ids and passwords including generic
  accounts
- Modification of access rights whenever there is a change in role or
  responsibility and removal of access rights on cessation of employment
- Processes to notify in a timely manner the information security function
  regarding user additions, deletions and role changes
- Periodic reconciliation of user ids in a system and actual users required to have
  access and deletion of unnecessary ids, if any
- Audit of logging and monitoring of access to IT assets by all users
- Regular reviews of user access by information asset owners to ensure
  appropriate access is maintained
- Applying the four-eyes principle to very critical/sensitive IT assets
- Considering de-activating user ids of users of critical applications who
  are on prolonged leave

Banks may consider using automated solutions to enable effective access
control and management of user ids. Such solutions should also be managed
effectively to ensure robust access management.
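Several of the controls listed above (removal of access on cessation of employment, periodic reconciliation of user ids against actual users, prohibition of generic accounts, de-activation of ids on prolonged leave, and role-based control that preserves segregation of duties) are checked by one periodic reconciliation of the application's user table against the HR roster. The following is an added example written for this page, not code from the IIBF material or from any bank's identity management tool; the roster, the account export, the 90-day dormancy and 30-day leave thresholds and the role pairs treated as incompatible are all constructed assumptions.

```python
"""Periodic reconciliation of application user IDs against the HR roster.
Flags IDs whose owner has left (orphaned), IDs on prolonged leave, dormant
IDs, IDs not traceable to a person (shared/generic) and role combinations
that defeat segregation of duties.  Added example, not from the IIBF
material; the roster and account export below are constructed."""
from datetime import date
from typing import Dict, List

DORMANT_AFTER_DAYS = 90         # no login for this long -> review (constructed)
PROLONGED_LEAVE_DAYS = 30       # leave at least this long -> consider deactivation
TOXIC_ROLE_SETS = [{"developer", "sysadmin"}, {"maker", "checker"}]

# Constructed HR roster: id -> employment status (and leave length).
HR_ROSTER = {
    "u1001": {"status": "active"},
    "u1002": {"status": "left"},
    "u1003": {"status": "on_leave", "leave_days": 45},
    "u1004": {"status": "active"},
}
# Constructed export of the core banking application's user table.
APP_ACCOUNTS = [
    {"id": "u1001", "last_login": date(2024, 5, 30), "roles": {"teller"}},
    {"id": "u1002", "last_login": date(2024, 2, 1), "roles": {"teller"}},
    {"id": "u1003", "last_login": date(2024, 4, 1), "roles": {"ops"}},
    {"id": "u1004", "last_login": date(2024, 5, 29), "roles": {"developer", "sysadmin"}},
    {"id": "branch07shared", "last_login": date(2024, 5, 30), "roles": {"teller"}},
]

ACTIONS = {
    "orphaned": "revoke immediately; owner has left the bank",
    "prolonged_leave": "deactivate until the user returns",
    "dormant": "confirm business need with the information owner or delete",
    "untraceable": "identify the owner or remove; generic IDs are prohibited",
    "sod_conflict": "remove one of the conflicting roles",
}


def reconcile(roster: Dict[str, dict], accounts: List[dict], today: date) -> Dict[str, List[str]]:
    """Compare every application account with the roster and classify findings."""
    findings: Dict[str, List[str]] = {kind: [] for kind in ACTIONS}
    for acct in accounts:
        uid = acct["id"]
        person = roster.get(uid)
        if person is None:
            findings["untraceable"].append(uid)   # nobody in HR owns this id
            continue
        if person["status"] == "left":
            findings["orphaned"].append(uid)
        elif person["status"] == "on_leave" and person.get("leave_days", 0) >= PROLONGED_LEAVE_DAYS:
            findings["prolonged_leave"].append(uid)
        if (today - acct["last_login"]).days >= DORMANT_AFTER_DAYS:
            findings["dormant"].append(uid)
        if any(toxic <= acct["roles"] for toxic in TOXIC_ROLE_SETS):
            findings["sod_conflict"].append(uid)
    return findings


def action_list(findings: Dict[str, List[str]]) -> List[str]:
    """One 'uid: action' line per finding, for the security administrator."""
    return [f"{uid}: {ACTIONS[kind]}" for kind, uids in findings.items() for uid in uids]


if __name__ == "__main__":
    for line in action_list(reconcile(HR_ROSTER, APP_ACCOUNTS, date(2024, 6, 1))):
        print(line)
```

The same id can appear under more than one finding (a leaver's id that has also gone dormant), which is what you want: each finding maps to a distinct action and the stronger one wins.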

For accountability purposes, a bank should ensure that users and IT assets are
uniquely identified and their actions are auditable.

Transaction processes and systems should be designed to ensure that no single
employee/outsourced service provider could enter, authorize and complete a
transaction. Segregation should be maintained between those initiating static
data (including web page content) and those responsible for verifying its integrity.
Further, segregation should be maintained between those developing and those
administering e-banking systems.

E-banking systems should be tested to ensure that segregation of duties cannot
be bypassed.
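The segregation rules just stated (no single person enters, authorises and completes a transaction; static-data authors separate from verifiers; developers separate from administrators) can be enforced at two points: when roles are assigned and when each transaction changes state. The following maker-checker implementation is an added example written for this page, not code from the IIBF material or from any bank's core banking system; the user names and role names are constructed, and treating completion as a separate settlement role held by a third person is an assumption made to keep all three steps with different people.

```python
"""Maker-checker (four-eyes) enforcement: no single user can enter, authorise
and complete a transaction, and role assignments that would let one person do
so are rejected up front.  Added example, not from the IIBF material; users
and roles are constructed."""
from typing import Dict, Optional, Set


class SegregationError(Exception):
    """Raised when an action would defeat segregation of duties."""


# Role pairs that must never rest with one person (constructed list).
INCOMPATIBLE_ROLES = [
    {"maker", "checker"},
    {"developer", "sysadmin"},                # develop vs administer e-banking systems
    {"content_author", "content_verifier"},   # initiate static data vs verify its integrity
]

# Constructed role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "maker1": {"maker"},
    "checker1": {"checker"},
    "settle1": {"settlement"},
}


def assign_role(user: str, role: str, user_roles: Dict[str, Set[str]] = USER_ROLES) -> Set[str]:
    """Grant a role unless it would create an incompatible combination."""
    proposed = user_roles.get(user, set()) | {role}
    for combo in INCOMPATIBLE_ROLES:
        if combo <= proposed:
            raise SegregationError(f"{user}: roles {sorted(combo)} may not be held together")
    user_roles[user] = proposed
    return proposed


class Transaction:
    def __init__(self, tx_id: str, amount: float, entered_by: str,
                 user_roles: Dict[str, Set[str]] = USER_ROLES) -> None:
        if "maker" not in user_roles.get(entered_by, set()):
            raise SegregationError(f"{entered_by} is not a maker")
        self.tx_id, self.amount = tx_id, amount
        self.entered_by = entered_by
        self.authorised_by: Optional[str] = None
        self.completed_by: Optional[str] = None
        self.state = "entered"
        self._roles = user_roles

    def authorise(self, user: str) -> str:
        """Checker step: a different person with the checker role."""
        if self.state != "entered":
            raise SegregationError(f"{self.tx_id}: cannot authorise in state {self.state}")
        if user == self.entered_by:
            raise SegregationError(f"{user} entered {self.tx_id} and may not authorise it")
        if "checker" not in self._roles.get(user, set()):
            raise SegregationError(f"{user} is not a checker")
        self.authorised_by, self.state = user, "authorised"
        return self.state

    def complete(self, user: str) -> str:
        """Settlement step: a third person, only after authorisation."""
        if self.state != "authorised":
            raise SegregationError(f"{self.tx_id}: not yet authorised")
        if user in (self.entered_by, self.authorised_by):
            raise SegregationError(f"{user} already acted on {self.tx_id}")
        if "settlement" not in self._roles.get(user, set()):
            raise SegregationError(f"{user} is not a settlement user")
        self.completed_by, self.state = user, "completed"
        return self.state
```

Testing that segregation "cannot be bypassed", as the text requires, means exercising exactly the rejected paths: the maker authorising their own entry, the checker completing what they authorised, and a role grant that would give one person both sides.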
A mutual authentication system may be considered. Mutual authentication, also
called two-way authentication, is a security feature in which a client process must
prove its identity to a server, and the server must prove its identity to the client,
before any application traffic is sent over the client-to-server connection. Identity
can be proved through a trusted third party and use of shared secrets or through
cryptographic means as with a public key infrastructure. For example, with mutual
authentication implemented, a connection can occur only when the client trusts
the server's digital certificate and the server trusts the client's certificate. The
exchange of certificates will happen through special protocols like the Transport
Layer Security (TLS) protocol. This process reduces the risk that an unsuspecting
network user will inadvertently reveal security information to a malicious or
insecure web site.
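The shared-secret variant of mutual authentication mentioned above can be shown end to end without certificates: each side challenges the other with a fresh nonce, answers the peer's nonce with an HMAC keyed by the pre-shared secret, and application traffic is released only when both directions verify. The following is an added example written for this page, not code from the IIBF material, and it is not the TLS certificate exchange the text also describes; the pre-shared key and the party names are constructed.

```python
"""Mutual authentication by challenge-response over a pre-shared secret: each
side proves it knows the secret by answering the other's fresh nonce with an
HMAC, the secret itself is never sent, and application traffic is released
only when both sides are satisfied.  Added example, not from the IIBF
material; the shared-secret variant, not the TLS certificate exchange, and
the key and party names are constructed."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple


class Party:
    def __init__(self, name: str, psk: bytes) -> None:
        self.name = name
        self._psk = psk
        self.my_nonce: Optional[bytes] = None
        self.peer_verified = False

    def challenge(self) -> bytes:
        """Fresh random nonce; a response replayed from an old session will not match."""
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce

    def respond(self, peer_nonce: bytes) -> bytes:
        # Binding our own name into the MAC stops a reflection attack, in which the
        # peer echoes our challenge back to us and lets us answer it ourselves.
        return hmac.new(self._psk, self.name.encode() + b"|" + peer_nonce, hashlib.sha256).digest()

    def verify(self, peer_name: str, response: bytes) -> bool:
        expected = hmac.new(self._psk, peer_name.encode() + b"|" + self.my_nonce,
                            hashlib.sha256).digest()
        self.peer_verified = hmac.compare_digest(expected, response)
        return self.peer_verified


def mutual_authenticate(client: Party, server: Party) -> Tuple[bool, bool, List[str]]:
    """Run the exchange; returns (client trusts server, server trusts client, transcript)."""
    transcript: List[str] = []
    n_c = client.challenge()                       # 1. client -> server: nonce_c
    transcript.append(f"{client.name} -> {server.name}: nonce_c={n_c.hex()}")
    n_s = server.challenge()                       # 2. server -> client: nonce_s, resp_s
    resp_s = server.respond(n_c)
    transcript.append(f"{server.name} -> {client.name}: nonce_s={n_s.hex()} "
                      f"resp_s={resp_s.hex()[:16]}...")
    client_ok = client.verify(server.name, resp_s)  # client now trusts server (or not)
    resp_c = client.respond(n_s)                   # 3. client -> server: resp_c
    transcript.append(f"{client.name} -> {server.name}: resp_c={resp_c.hex()[:16]}...")
    server_ok = server.verify(client.name, resp_c)  # server now trusts client (or not)
    return client_ok, server_ok, transcript


def session_allowed(client: Party, server: Party) -> bool:
    """Application traffic flows only when both directions verified."""
    client_ok, server_ok, _ = mutual_authenticate(client, server)
    return client_ok and server_ok


PSK = b"constructed-pre-shared-key-not-for-real-use"

if __name__ == "__main__":
    ok_c, ok_s, lines = mutual_authenticate(Party("client", PSK), Party("server", PSK))
    print("\n".join(lines))
    print("client trusts server:", ok_c, "| server trusts client:", ok_s)
```

A server that does not hold the secret fails the client's check before the client has revealed anything but a random nonce, which is the property the text is after: the user's credential is never handed to an unverified site.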

System administrators, security officers, programmers and staff performing
critical operations invariably possess the capability to inflict severe damage on the
banking systems they maintain or operate by virtue of their job functions and
privileged access. Personnel with elevated system access entitlements should be
closely supervised with all their systems activities logged, as they have inside
knowledge and the resources to circumvent systems controls and security
procedures. Some of the control and security practices enumerated below need
to be considered:

- Implementing two-factor authentication for privileged users
- Instituting strong controls over remote access by privileged users
- Restricting the number of privileged users
- Granting privileged access on a “need-to-have” or “need-to-do” basis
- Maintaining audit logging of system activities performed by privileged users
- Ensuring that privileged users do not have access to systems logs
  in which their activities are being captured
- Conducting regular audit or management review of the logs
- Prohibiting sharing of privileged IDs and their access codes
- Disallowing vendors and contractors from gaining privileged
  access to systems without close supervision and monitoring
- Protecting backup data from unauthorized access.

Information security and information asset life-cycle

Information security needs to be considered at all stages of an information asset’s life-cycle like planning, design, acquisition and implementation, maintenance and disposal. Banks need to apply systematic project management oriented techniques to manage material changes during these stages and to ensure that information security requirements have been adequately addressed.
Planning and design level controls need to be in place to ensure that information
security is embodied in the overall information systems architecture and the
implemented solutions are in compliance with the information security policies
and requirements of a bank.

Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet business objectives. Major controls in this regard include change management controls to ensure that the business objectives continue to be met following change; configuration management controls to ensure that the configuration minimises vulnerabilities and is defined, assessed, maintained and managed; deployment and environment controls to ensure that development, test and production environments are appropriately segregated; and patch management controls to manage the assessment and application of patches to software that address known vulnerabilities in a timely manner.

The other relevant controls include service level management, vendor management, capacity management and configuration management, which are described in later chapters. Decommissioning and destruction controls need to be used to ensure that information security is not compromised as IT assets reach the end of their useful life (for example, through archiving strategies and deletion of sensitive information prior to the disposal of IT assets).

Personnel security

Application owners grant legitimate users access to systems that are necessary to
perform their duties and security personnel enforce the access rights in
accordance with institution standards. Because of their internal access levels
and intimate knowledge of financial institution processes, authorized users pose
a potential threat to systems and data. Employees, contractors, or third-party
employees can also exploit their legitimate computer access for malicious or
fraudulent reasons. Further, the degree of internal access granted to some users
can increase the risk of accidental damage or loss of information and systems.

Risk exposures from internal users include altering data, deleting production and
back-up data, disrupting/destroying systems, misusing systems for personal gain
or to damage the institution, holding data hostage and stealing strategic or
customer data for espionage or fraud schemes.

Banks should have a process to verify job application information on all new
employees. Additional background and credit checks may be warranted based
on the sensitivity of a particular job or access level. Personnel with privileged
access like administrators, cyber security personnel, etc. should be subjected to
rigorous background checks and screening. Institutions should verify that
contractors are subject to similar screening procedures. The verification
considerations would include:

- Character references – business and personal
- Confirmation of prior experience, academic record, and professional qualifications
- Confirmation of identity through a government issued identification

There also needs to be a periodic rotation of duties among users or personnel as a prudent risk measure.

Physical security

The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. Conceptually, those physical security risks are mitigated through zone-oriented implementations. Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained or accessible through the zone and the information technology components in the zone.

The requirements for each zone should be determined through the risk
assessment. The risk assessment should include, but is not limited to, threats
like aircraft crashes, chemical effects, dust, electrical supply interference,
electromagnetic radiation, explosives, fire, smoke, theft/destruction,
vibration/earthquake, water, criminals, terrorism, political issues (e.g. strikes,
disruptions) and other threats based on the entity’s unique geographical location,
building configuration, neighboring environment/entities, etc.
A bank needs to deploy the following environmental controls:
- Secure location of critical assets providing protection from natural and man-made threats
- Restrict access to sensitive areas like data centres, which also includes detailed procedures for handling access by staff, third party providers and visitors
- Suitable preventive mechanisms for various threats indicated above
- Monitoring mechanisms for the detection of compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access log reviews, etc.

User Training and Awareness

It is acknowledged that the human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness programme. The programme may be periodically updated keeping in view changes in information security, threats/vulnerabilities and/or the bank’s information security framework. There needs to be a mechanism to track the effectiveness of training programmes through an assessment/testing process designed to test understanding of the relevant information security policies, not only initially but also on a periodic basis. At any point of time, a bank needs to maintain an updated status on user training and awareness relating to information security, and the matter needs to be an important agenda item during Information Security Committee meetings.

Some of the areas that could be incorporated as part of the user awareness
programme include:

- Relevant information security policies/procedures
- Acceptable and appropriate usage of IT assets
- Access controls including standards relating to passwords and other authentication requirements
- Measures relating to proper email usage and internet usage
- Physical protection
- Remote computing and use of mobile devices
- Safe handling of sensitive data/information
- Being wary of social engineering attempts to part with confidential details
- Prompt reporting of any security incidents and concerns

Incident management

Incident management is defined as the process of developing and maintaining the capability to manage incidents within a bank so that exposure is contained and recovery achieved within a specified time objective. Incidents can include the misuse of computing assets, information disclosure or events that threaten the continuance of business processes.

Major activities that need to be considered as part of the incident management framework include:
- Developing and implementing processes for preventing, detecting, analyzing and responding to information security incidents
- Establishing escalation and communication processes and lines of authority
- Developing plans to respond to and document information security incidents
- Establishing the capability to investigate information security incidents through various modes like forensics, evidence collection and preservation, log analysis, interviewing, etc.
- Developing a process to communicate with internal parties and external organizations (e.g., regulator, media, law enforcement, customers)
- Integrating information security incident response plans with the organization’s disaster recovery and business continuity plan
- Organizing, training and equipping teams to respond to information security incidents
- Periodically testing and refining information security incident response plans
- Conducting post-mortem analysis and reviews to identify causes of information security incidents, developing corrective actions and reassessing risk, and adjusting controls suitably to reduce the related risks in the future

Common incident types include, but are not limited to, outages/degradation of services due to hardware, software or capacity issues, unauthorised access to systems, identity theft, data leakage/loss, malicious software and hardware, failed backup processes, denial of service attacks and data integrity issues.

A bank needs to have clear accountability and communication strategies to limit the impact of information security incidents through defined mechanisms for escalation and reporting to the Board and senior management and customer communication, where appropriate. Incident management strategies would also typically assist in compliance with regulatory requirements. Institutions would also need to pro-actively notify CERT-In/IDRBT/RBI regarding cyber security incidents.

All security incidents or violations of security policies should be brought to the notice of the CISO.

Application Control and Security:

Financial institutions have different types of applications like the core banking system, delivery channels like ATMs, internet banking, mobile banking, phone banking, network operating systems, databases, enterprise resource management (ERP) systems, customer relationship management (CRM) systems, etc., all used for different business purposes. These institutions also have partners, contractors, consultants, employees and temporary employees. Users usually access several different types of systems throughout their daily tasks, which makes controlling access and providing the necessary level of protection on different data types difficult and full of obstacles. This complexity may result in unforeseen and unidentified holes in the protection of the entire infrastructure, including overlapping and contradictory controls, and policy and regulatory noncompliance.

There are well-known information systems security issues associated with applications software, whether the software is developed internally or acquired from an external source. Attackers can potentially use many different paths through the application to do harm to the business. Each of these paths represents a risk that may or may not be serious enough to warrant attention. Sometimes these paths are easy to find and exploit, and sometimes they are extremely difficult. Similarly, the harm that is caused may range from minor to major. To determine the risk to itself, a bank can evaluate the likelihood associated with the threat agent, attack vector and security weakness, and combine it with an estimate of the technical and business impact to the organization. Together, these factors determine the overall risk.

The following are the important application control and risk mitigation measures that need to be implemented by banks:

Each application should have an owner, which will typically be the concerned business function that uses the application. Some of the roles of application owners include:
- Prioritizing any changes to be made to the application and authorizing the changes
- Deciding on data classification/de-classification and archival/purging procedures for the data pertaining to an application as per relevant policies/regulatory/statutory requirements
- Ensuring that adequate controls are built into the application through active involvement in the application design, development, testing and change process
- Ensuring that the application meets the business/functional needs of the users
- Ensuring that the information security function has reviewed the security of the application
- Taking decisions on any new applications to be acquired / developed or any old applications to be discarded
- Informing the information security team regarding purchase of an application and assessing the application based on the security policy requirements
- Ensuring that the Change Management process is followed for any changes in application
- Ensuring that the new applications being purchased/developed follow the Information Security policy
- Ensuring that logs or audit trails, as required, are enabled and monitored for the applications

All application systems need to be tested before implementation in a
robust manner regarding controls to ensure that they satisfy business
policies/rules of the bank and regulatory and legal
prescriptions/requirements. Robust controls need to be built into the
system and reliance on any manual controls needs to be minimized.
Before the system is live, there should be clarity on the audit trails and the
specific fields that are required to be captured as part of audit trails and
an audit trail or log monitoring process including personnel responsible for
the same.

A bank needs to incorporate information security at all stages of software development. This would assist in improving software quality and minimizing exposure to vulnerabilities. Besides business functionalities, security requirements relating to system access control, authentication, transaction authorization, data integrity, system activity logging, audit trail, security event tracking and exception handling are required to be clearly specified at the initial stages of system development/acquisition. A compliance check against the bank’s security standards and regulatory/statutory requirements would also be required.

All application systems need to have audit trails along with a policy/procedure of log monitoring for such systems, including the clear allocation of responsibility in this regard. Every application affecting critical/sensitive information, for example, impacting financial, customer, control, regulatory and legal aspects, must provide for detailed audit trails/logging capability with details like transaction id, date, time, originator id, authorizer id, actions undertaken by a given user id, etc. Other details like logging the IP address of the client machine, terminal identity or location may also be considered.

Applications must also provide for, inter alia, logging unsuccessful logon attempts, access to sensitive options in the application, e.g., master record changes, granting of access rights, use of system utilities, changes in system configuration, etc.

The audit trails need to be stored for a defined period as per any internal/regulatory/statutory requirements, and it should be ensured that they are not tampered with.

There should be documented standards/procedures for administering the application, which are approved by the application owner and kept up-to-date.

The development, test and production environments need to be properly segregated.

Access should be based on the principle of least privilege and “need to know” commensurate with the job responsibilities. Adequate segregation of duties needs to be enforced.

There should be controls on updating key ‘static’ business information like customer master files, parameter changes, etc.

Any changes to an application system/data need to be justified by genuine business need and approvals supported by documentation, and subjected to a robust change management process. The change management would involve generating a request, risk assessment, authorization from an appropriate authority, implementation, testing and verification of the change done.

Potential security weaknesses / breaches (for example, as a result of analyzing user behaviour or patterns of network traffic) should be identified.

There should be measures to reduce the risk of theft, fraud, error and
unauthorized changes to information through measures like supervision
of activities and segregation of duties.
Applications must not allow unauthorized entries to be updated in the
database. Similarly, applications must not allow any modifications to be
made after an entry is authorized. Any subsequent changes must be
made only by reversing the original authorized entry and passing a fresh
entry.
Direct back-end updates to database should not be allowed except during
exigencies, with a clear business need and after due authorization as per
the relevant policy.

Access to the database prompt must be restricted to the database administrator. Robust input validation, processing and output controls need to be built into the application.

There should be a procedure in place to reduce the reliance on a few key individuals.

Alerts regarding use of the same machine for both maker and checker
transactions need to be considered.
There should be a proper linkage between a change request and the
corresponding action taken. For example, the specific accounting head or
code which was created as a result of a specific request should be
established clearly.
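An added example (not from the original text) of the audit trail, immutability, reversal and maker/checker rules in the items above: a small Go ledger in which every action appends an audit record carrying the listed fields (transaction id, date/time, originator, authorizer, terminal, action) hash-chained to its predecessor so tampering is detectable, an authorized entry can be corrected only by a contra entry plus a fresh entry, and a checker working from the maker's terminal raises an alert. Account numbers, user names, terminal ids and amounts are constructed.

```go
package main

import "crypto/sha256"
import "fmt"
import "time"

// AuditRecord carries the trail fields listed above and is hash-chained to its predecessor.
type AuditRecord struct {
	TxnID, Originator, Authorizer, Terminal, Action string
	At                                              time.Time
	PrevHash, Hash                                  string
}

func (r AuditRecord) digest() string {
	// \x1f (unit separator) between fields keeps the hashed string unambiguous.
	s := fmt.Sprintf("%s\x1f%s\x1f%s\x1f%s\x1f%s\x1f%s\x1f%s", r.TxnID, r.Originator, r.Authorizer, r.Terminal, r.Action, r.At.UTC().Format(time.RFC3339Nano), r.PrevHash)
	return fmt.Sprintf("%x", sha256.Sum256([]byte(s)))
}

// Entry is one posting. Once Authorized it is never edited in place; see Amend and Reverse.
type Entry struct {
	Account, Maker, Terminal string
	Amount                   int64 // paise
	Authorized               bool
}

type Ledger struct {
	Entries map[string]*Entry
	Trail   []AuditRecord // append-only audit trail
	Alerts  []string      // supervisory alerts, e.g. maker and checker on one terminal
}

func NewLedger() *Ledger { return &Ledger{Entries: map[string]*Entry{}} }

func (l *Ledger) log(txn, maker, checker, terminal, action string) {
	r := AuditRecord{TxnID: txn, Originator: maker, Authorizer: checker, Terminal: terminal, Action: action, At: time.Now()}
	if n := len(l.Trail); n > 0 {
		r.PrevHash = l.Trail[n-1].Hash
	}
	r.Hash = r.digest()
	l.Trail = append(l.Trail, r)
}

// Propose records the maker's entry; it is not posted until a different user authorizes it.
func (l *Ledger) Propose(account string, amount int64, maker, terminal string) string {
	id := fmt.Sprintf("TXN%04d", len(l.Entries)+1)
	l.Entries[id] = &Entry{Account: account, Amount: amount, Maker: maker, Terminal: terminal}
	l.log(id, maker, "", terminal, "PROPOSED")
	return id
}

// Authorize enforces maker/checker segregation and flags a checker working from the maker's terminal.
func (l *Ledger) Authorize(id, checker, terminal string) error {
	e, ok := l.Entries[id]
	if !ok || e.Authorized {
		return fmt.Errorf("%s: unknown or already authorized", id)
	}
	if checker == e.Maker {
		return fmt.Errorf("%s: maker and checker must be different users", id)
	}
	if terminal == e.Terminal {
		l.Alerts = append(l.Alerts, id+": maker and checker both used terminal "+terminal)
	}
	e.Authorized = true
	l.log(id, e.Maker, checker, terminal, "AUTHORIZED")
	return nil
}

// Amend changes an entry in place only while it is still unauthorized.
func (l *Ledger) Amend(id string, amount int64, user, terminal string) error {
	e, ok := l.Entries[id]
	if !ok || e.Authorized {
		return fmt.Errorf("%s: unknown or already authorized; reverse it and pass a fresh entry", id)
	}
	e.Amount = amount
	l.log(id, user, "", terminal, fmt.Sprintf("AMENDED amount=%d", amount))
	return nil
}

// Reverse corrects an authorized posting the only permitted way: a contra entry plus a fresh entry.
func (l *Ledger) Reverse(id string, newAmount int64, maker, terminal string) (contra, fresh string, err error) {
	e, ok := l.Entries[id]
	if !ok || !e.Authorized {
		return "", "", fmt.Errorf("%s: only authorized entries can be reversed", id)
	}
	contra = l.Propose(e.Account, -e.Amount, maker, terminal)
	l.log(contra, maker, "", terminal, "REVERSES "+id)
	fresh = l.Propose(e.Account, newAmount, maker, terminal)
	return contra, fresh, nil
}

// VerifyTrail recomputes every link and returns the index of the first bad record, or -1 if intact.
func (l *Ledger) VerifyTrail() int {
	prev := ""
	for i, r := range l.Trail {
		if r.PrevHash != prev || r.digest() != r.Hash {
			return i
		}
		prev = r.Hash
	}
	return -1
}
```

The contra and fresh entries returned by Reverse are themselves only proposals and go through Authorize like any other entry.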

Error / exception reports and logs need to be reviewed and any issues
need to be remedied /addressed at the earliest.
Critical functions or applications dealing with financial, regulatory and legal, MIS and risk assessment/management (for example, calculation of capital adequacy, ALM, calculating VaR, risk weighted assets, NPA classification and provisioning, balance sheet compilation, AML system, revaluation of foreign currency balances, computation of MTM gains / losses, etc.) need to be run through proper application systems and not manually or in a semi-automated manner through spreadsheets, which pose risks relating to data integrity and reliability. Use of spreadsheets in this regard should be restricted and should be replaced by appropriate IT applications within a definite time-frame in a phased manner.
Banks may obtain application integrity statements in writing from the
application system vendors providing for reasonable level of assurance
about the application being free of malware at the time of sale, free of any
obvious bugs, and free of any covert channels in the code (of the version
of the application being delivered as well as any subsequent
versions/modifications done).
For all critical applications, either the source code must be received from
the vendor or a software escrow agreement should be in place with a
third party to ensure source code availability in the event the vendor goes
out of business. It needs to be ensured that product updates and
programme fixes are also included in the escrow agreement.
Applications should be configured to log out users after a specific period of inactivity. The application must ensure rollover of incomplete transactions and otherwise ensure integrity of data in case of a log out.

There should be suitable interface controls in place. Data transfer from one process to another or from one application to another, particularly for critical systems, should not have any manual intervention, in order to prevent any unauthorized modification. The process needs to be automated and properly integrated with due authentication mechanism and audit trails by enabling “Straight Through Processing” between applications or from data sources, to replace any manual intervention/semi-automated processes like extracting data in text files and uploading to the target system, importing to a spreadsheet, etc. Further, proper validations and reconciliation of data need to be carried out between relevant interfaces/applications across the bank. The bank needs to suitably integrate the systems and applications, as required, to enhance data integrity and reliability.
Multi-tier application architecture needs to be considered for relevant critical systems like internet banking systems, which differentiates session control, presentation logic, server side input validation, business logic and database access.
In the event of data pertaining to Indian operations being stored and/or
processed abroad, for example, by foreign banks, there needs to be
suitable controls like segregation of data and strict access controls based
on ‘need to know’ and robust change controls. The bank should be in a
position to adequately prove the same to the regulator. Regulator’s
access to such data/records and other relevant information should not be
impeded in any manner and RBI would have the right to cause an
inspection to be made of the processing centre/data centre and its books
and accounts by one or more of its officers or employees or other
persons.
An application security review/testing, initially and during major changes,
needs to be conducted using a combination of source code review, stress
loading, exception testing and compliance review to identify insecure
coding techniques and systems vulnerabilities to a reasonable extent.

Critical application system logs/audit trails also need to be backed up as part of the application backup policy.

Robust System Security Testing, in respect of critical e-banking systems, needs to incorporate, inter alia, specifications relating to information leakage, business logic, authentication, authorization, input data validation, exception/error handling, session management, cryptography and detailed logging, as relevant. These need to be carried out at least on an annual basis.

Migration controls:

There needs to be a documented Migration Policy indicating the requirement of a road-map / migration plan / methodology for data migration (which includes verification of completeness, consistency and integrity of the migration activity and pre- and post-migration activities, along with responsibilities and timelines for completion of the same). Explicit sign-offs from users/application owners need to be obtained after each stage of migration and after the complete migration process. Audit trails need to be available to document the conversion, including data mappings and transformations.
The key aspects that are required to be considered include:

a. Integrity of data – indicating that the data is not altered manually or electronically by a person, programme, substitution or overwriting in the new system. Integrity thus includes error creep due to factors like transposition, transcription, etc.
b. Completeness – ensuring that the total number of records from the source database is transferred to the new database (assuming the number of fields is the same)
c. Confidentiality of data under conversion – ensuring that data is backed up before migration for future reference or any emergency that might arise out of the data migration process
d. Consistency of data – the field/record called for from the new application should be consistent with that of the original application. This should enable consistency in repeatability of the testing exercise
e. Continuity – the new application should be able to continue with newer records as addition (or appendage) and help in ensuring seamless business continuity
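An added example (not from the original text) of checking the integrity, completeness and consistency aspects listed above: a Go reconciliation of the last pre-migration extract against the first post-migration extract that reports record counts, balance control totals, per-record hashes and field-level drift such as a transposed digit. The customer records are constructed, and the sample deliberately has equal record counts on both sides to show why a count alone does not prove completeness.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Record is one customer-master row as exported from the old platform and as loaded into the
// new one. The field set and order are fixed so that the row hash is reproducible on both sides.
type Record struct {
	CustID, Name, Mobile string
	BalancePaise         int64
}

// rowHash fingerprints a record field by field; a transposed digit or a truncated name changes it.
func rowHash(r Record) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%s\x1f%s\x1f%s\x1f%d", r.CustID, r.Name, r.Mobile, r.BalancePaise)))
}

// Report is the evidence a stage sign-off needs: counts, control totals and named exceptions.
type Report struct {
	SourceCount, TargetCount int
	SourceTotal, TargetTotal int64    // control total of balances, in paise
	Missing, Extra, Changed  []string // CustIDs, sorted
}

// Clean is true only when every completeness, integrity and consistency check passed.
func (r Report) Clean() bool {
	return r.SourceCount == r.TargetCount && r.SourceTotal == r.TargetTotal &&
		len(r.Missing) == 0 && len(r.Extra) == 0 && len(r.Changed) == 0
}

// Reconcile compares the last pre-migration extract with the first post-migration extract.
func Reconcile(source, target []Record) Report {
	rep := Report{SourceCount: len(source), TargetCount: len(target)}
	srcByID := make(map[string]Record, len(source))
	for _, r := range source {
		srcByID[r.CustID] = r
		rep.SourceTotal += r.BalancePaise
	}
	seen := make(map[string]bool, len(target))
	for _, t := range target {
		rep.TargetTotal += t.BalancePaise
		seen[t.CustID] = true
		s, ok := srcByID[t.CustID]
		switch {
		case !ok:
			rep.Extra = append(rep.Extra, t.CustID) // completeness: record not in the source
		case rowHash(s) != rowHash(t):
			rep.Changed = append(rep.Changed, t.CustID) // integrity/consistency: field drift
		}
	}
	for id := range srcByID {
		if !seen[id] {
			rep.Missing = append(rep.Missing, id) // completeness: record dropped in transfer
		}
	}
	sort.Strings(rep.Missing)
	sort.Strings(rep.Extra)
	sort.Strings(rep.Changed)
	return rep
}

// Constructed sample extracts (not real customer data).
var oldPlatform = []Record{
	{"C1001", "Asha Verma", "9876501234", 1250000},
	{"C1002", "Ravi Menon", "9123456780", 80050},
	{"C1003", "Meera Iyer", "9988776655", 0},
	{"C1004", "Kabir Shah", "9000011111", 4300000},
}

var newPlatform = []Record{
	{"C1001", "Asha Verma", "9876501234", 1250000},
	{"C1002", "Ravi Menon", "9123456870", 80050}, // digit transposition in the mobile number
	{"C1004", "Kabir Shah", "9000011111", 4300000},
	{"C1005", "Kabir Shah", "9000011111", 4300000}, // duplicate loaded under a new id; C1003 is gone
}

func main() {
	rep := Reconcile(oldPlatform, newPlatform)
	fmt.Printf("clean=%v counts %d/%d totals %d/%d\n", rep.Clean(), rep.SourceCount, rep.TargetCount, rep.SourceTotal, rep.TargetTotal)
	fmt.Println("missing:", rep.Missing, "extra:", rep.Extra, "changed:", rep.Changed)
}
```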

It is a good practice that the last copy of the data before conversion from the old
platform and the first copy of the data after conversion to the new platform are
maintained separately in the archive for any future reference.

The error logs pertaining to the pre-migration/ migration/ post migration period
along with root cause analysis and action taken need to be available for review.

Banks may need to migrate the complete transaction data and audit trails from
the old system to the new system. Else, banks should have the capability to
access the older transactional data and piece together the transaction trail
between older and newer systems, to satisfy any supervisory/legal requirements
that may arise.

Implementation of new technologies:

Banks need to carry out due diligence with regard to new technologies since
they can potentially introduce additional risk exposures. A bank needs to
authorise the large scale use and deployment in production environment of
technologies that have matured to a state where there is a generally agreed set
of industry-accepted controls and robust diligence and testing has been carried
out to ascertain the security issues of the technology or where compensating
controls are sufficient to prevent significant impact and to comply with the
institution’s risk appetite and regulatory expectations.

Any new business products introduced along with the underlying information
systems need to be assessed as part of a formal product approval process
which incorporates, inter-alia, security related aspects and fulfilment of relevant
legal and regulatory prescriptions. A bank needs to develop an authorisation
process involving a risk assessment balancing the benefits of the new
technology with the risk.

Encryption

Encryption Types:

Symmetric encryption is the use of the same key and algorithm by the creator and
reader of a file or message. The creator uses the key and algorithm to encrypt, and the
reader uses both to decrypt. Symmetric encryption relies on the secrecy of the key. If
the key is captured by an attacker, either when it is exchanged between the
communicating parties, or while one of the parties uses or stores the key, the attacker
can use the key and the algorithm to decrypt messages or to masquerade as a
message creator.

Asymmetric encryption lessens the risk of key exposure by using two mathematically
related keys, the private key and the public key. When one key is used to encrypt, only
the other key can decrypt. Therefore, only one key (the private key) must be kept
secret. The key that is exchanged (the public key) poses no risk if it becomes known.
For instance, if individual A has a private key and publishes the public key, individual B can obtain the public key, encrypt a message to individual A, and send it. As long as individual A keeps the private key secure from disclosure, only individual A will be able to decrypt the message.

Typical areas or situations requiring deployment of cryptographic techniques, given the risks involved, include transmission and storage of critical and/or sensitive data/information in an ‘un-trusted’ environment or where a higher degree of security is required, generation of customer PINs which are typically used for card transactions and online services, detection of any unauthorised alteration of data/information, and verification of the authenticity of transactions or data/information.
Since security is primarily based on the encryption keys, effective key management is crucial. Effective key management systems are based on an agreed set of standards, procedures, and secure methods that address:
- Generating keys for different cryptographic systems and different applications
- Generating and obtaining public keys and distributing keys to intended users, including how keys should be activated when received
- Storing keys, including how authorized users obtain access to keys
- Changing or updating keys, including rules on when keys should be changed and how this will be done
- Dealing with compromised keys, revoking keys and specifying how keys should be withdrawn or deactivated
- Recovering keys that are lost or corrupted as part of business continuity management
- Archiving and destroying keys
- Logging and auditing of key management-related activities
- Instituting defined activation and deactivation dates, limiting the usage period of keys

Secure key management systems are characterized by the following precautions:
- Additional physical protection of equipment used to generate, store and archive cryptographic keys
- Use of cryptographic techniques to maintain cryptographic key confidentiality
- Segregation of duties, with no single individual having knowledge of the entire cryptographic key (i.e. two-person controls) or having access to all the components making up these keys
- Ensuring key management is fully automated (e.g., personnel do not have the opportunity to expose a key or influence the key creation)
- Ensuring no key ever appears unencrypted
- Ensuring keys are randomly chosen from the entire key space, preferably by hardware
- Ensuring key-encrypting keys are separate from data keys. No data ever appears in clear text that was encrypted using a key-encrypting key. (A key-encrypting key is used to encrypt other keys, securing them from disclosure.)
- Making sure that keys with a long life are sparsely used. The more a key is used, the greater the opportunity for an attacker to discover the key
- Ensuring keys are changed frequently
- Ensuring keys that are transmitted are sent securely to well-authenticated parties
- Ensuring key-generating equipment is physically and logically secure from construction through receipt, installation, operation, and removal from service.
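An added example (not from the original text) of the key-encrypting-key precautions above, built on the symmetric encryption described earlier in this section: a Go key store in which data keys exist only in wrapped form under a KEK, each wrapped key is bound to its id, and rotating the KEK re-wraps the data keys without touching any stored ciphertext. The key ids and plaintext are constructed; in production the unwrap step would run inside an HSM rather than in process memory.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "fmt"
import "io"

// randomBytes draws key/nonce material from the OS CSPRNG (an HSM's RNG in production); RNG failure is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic("entropy source failed: " + err.Error())
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under AES-256-GCM, prepending the random nonce; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad makes it fail.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob of %d bytes is too short to hold a nonce", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KeyStore: one key-encrypting key (KEK) kept inside the key-management boundary; data keys held only wrapped.
type KeyStore struct {
	kek     []byte
	Wrapped map[string][]byte // data-key id -> data key encrypted under the KEK
}

func NewKeyStore() *KeyStore {
	return &KeyStore{kek: randomBytes(32), Wrapped: map[string][]byte{}}
}

// NewDataKey generates a 256-bit data key and stores only its wrapped form; the id is bound in as AAD.
func (s *KeyStore) NewDataKey(id string) (err error) {
	s.Wrapped[id], err = gcmSeal(s.kek, randomBytes(32), []byte(id))
	return err
}

// dataKey unwraps a data key for one operation (inside the HSM in a real deployment).
func (s *KeyStore) dataKey(id string) ([]byte, error) {
	return gcmOpen(s.kek, s.Wrapped[id], []byte(id))
}

func (s *KeyStore) Encrypt(id string, plaintext []byte) ([]byte, error) {
	dk, err := s.dataKey(id)
	if err != nil {
		return nil, err
	}
	return gcmSeal(dk, plaintext, nil)
}

func (s *KeyStore) Decrypt(id string, ciphertext []byte) ([]byte, error) {
	dk, err := s.dataKey(id)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dk, ciphertext, nil)
}

// RotateKEK re-wraps every data key under a fresh KEK; stored ciphertext is untouched.
func (s *KeyStore) RotateKEK() error {
	newKEK := randomBytes(32)
	for id := range s.Wrapped {
		dk, err := s.dataKey(id)
		if err != nil {
			return err
		}
		if s.Wrapped[id], err = gcmSeal(newKEK, dk, []byte(id)); err != nil {
			return err
		}
	}
	s.kek = newKEK
	return nil
}
```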

Normally, a minimum of 128-bit SSL encryption is expected. Constant advances in computer hardware, cryptanalysis and distributed brute force techniques may induce use of larger key lengths periodically. It is expected that banks will properly evaluate security requirements associated with their internet banking systems and other relevant systems and adopt an encryption solution that is commensurate with the degree of confidentiality and integrity required. Banks should only select encryption algorithms which are well established international standards and which have been subjected to rigorous scrutiny by an international cryptographer community or approved by authoritative professional bodies, reputable security vendors or government agencies.

Data security

Banks need to define and implement procedures to ensure the integrity and
consistency of all data stored in electronic form, such as databases, data
warehouses and data archives.
A data security theory seeks to establish uniform risk-based requirements for the
protection of data elements. To ensure that the protection is uniform within and
outside of the institution, tools such as data classifications and protection profiles
can be used, as indicated earlier in the chapter.

Data classification and protection profiles are complex to implement when the
network or storage is viewed as a utility. Because of that complexity, some
institutions treat all information at that level as if it were of the highest sensitivity
and implement encryption as a protective measure. The complexity in
implementing data classification in other layers or in other aspects of an
institution’s operation may result in other risk mitigation procedures being used.
Adequacy is a function of the extent of risk mitigation, and not the procedure or
tool used to mitigate risk.
Policies regarding media handling, disposal, and transit should be implemented to
enable the use of protection profiles and otherwise mitigate risks to data. If
protection profiles are not used, the policies should accomplish the same goal as
protection profiles, which is to deliver the same degree of residual risk without
regard to whether the information is in transit or storage, who is directly controlling
the data, or where the storage may be.
There should be secure storage of media. Controls could include physical and
environmental controls such as fire and flood protection, limiting access by means
like physical locks, keypad, passwords, biometrics, etc., labelling, and logged
access. Management should establish access controls to limit access to media,
while ensuring that all employees have authorization to access the minimum data
required to perform their responsibilities. More sensitive information such as
system documentation, application source code, and production transaction data
should have more extensive controls to guard against alteration (e.g., integrity
checkers, cryptographic hashes). Furthermore, policies should minimize the
distribution of sensitive information, including printouts that contain the information.
Periodically, the security staff, audit staff, and data owners should review
authorization levels and distribution lists to ensure they remain appropriate and
current.
The storage of data in portable devices, such as laptops and PDAs, poses unique
problems. Mitigation of those risks typically involves encryption of sensitive data,
host-provided access controls, etc.
Banks need appropriate disposal procedures for both electronic and paper-based
media. Contracts with third-party disposal firms should address acceptable
disposal procedures. For computer media, data frequently remains on the media after
erasure. Since that data can be recovered, additional disposal techniques such as
physical destruction, overwriting and degaussing should be applied to media that
held sensitive data.

Banks should maintain the security of media while in transit or when shared with
third parties. Policies should include contractual requirements that incorporate
necessary risk-based controls, restrictions on the carriers used and procedures to
verify the identity of couriers.

Banks should encrypt customer account and transaction data which is transmitted,
transported, delivered or couriered to external parties or other locations, taking into
account all intermediate junctures and transit points from source to destination.
A few other aspects that also need to be considered include appropriate blocking,
filtering and monitoring of electronic channels like e-mail and printing, and
monitoring for unauthorised software and hardware like password cracking
software, key loggers, wireless access points, etc.

Concerns over the need to better control and protect sensitive information have
given rise to a new set of solutions aimed at increasing an enterprise’s ability to
protect its information assets. These solutions vary in their capabilities and
methodologies, but collectively they have been placed in a category known as data
leak prevention (DLP). It provides a comprehensive approach covering people,
processes, and systems that identify, monitor, and protect data in use (e.g.,
endpoint actions), data in motion (e.g., network actions), and data at rest (e.g.,
data storage) through deep content inspection and with a centralized management
framework.

Most DLP solutions include a suite of technologies that facilitate three key
objectives:
Locate and catalogue sensitive information stored throughout the enterprise
Monitor and control the movement of sensitive information across enterprise networks
Monitor and control the movement of sensitive information on end-user systems
Banks may consider such solutions, if required, after assessing their
potential to improve data security.
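The "deep content inspection" that DLP tools rely on for the first objective (locating sensitive data at rest) is illustrated by the following added example, which is not part of the original text or of any DLP product. It scans constructed document text for payment card numbers: a regular expression finds 13- to 19-digit runs and a Luhn (mod 10) check discards most random digit strings such as reference numbers, which is what keeps false positives manageable. The sample text, file path and the test card number 4111 1111 1111 1111 are constructed, not real data.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or
# hyphens; the look-arounds reject runs embedded in longer digit strings.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card-number candidates found in text, in order, de-duplicated."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Report form: keep only the last four digits so the report itself is not sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify_document(name: str, text: str) -> dict:
    """Catalogue entry for one stored document (the 'locate and catalogue' objective)."""
    pans = find_card_numbers(text)
    return {"name": name, "sensitive": bool(pans), "hits": [mask_pan(p) for p in pans]}


# Constructed sample content; the card number is a well-known test value, not a real account.
SAMPLE_TEXT = (
    "Card 4111 1111 1111 1111 on file; old ref 1234567890123456; "
    "call 9876543210 for queries"
)

if __name__ == "__main__":
    print(classify_document("share/ops/refunds.txt", SAMPLE_TEXT))
```

The 16-digit reference number in the sample fails the Luhn check and the 10-digit phone number is too short to be a candidate, so only the test card number is reported, and it is masked before it leaves the scanner.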

Vulnerability Assessment
Soon after new vulnerabilities are discovered and reported by security researchers
or vendors, attackers engineer malicious exploit code and then launch that
code against targets of interest. Any significant delay in finding or fixing software
with critical vulnerabilities provides ample opportunity for persistent attackers to
break through, gaining control over the vulnerable machines and getting access to
the sensitive data they contain. Banks that do not scan for vulnerabilities and
address discovered flaws proactively face a significant likelihood of having their
computer systems compromised.
The following are some of the measures suggested:
Automated vulnerability scanning tools need to be used against all systems on their networks on a periodic basis, say monthly or weekly or more frequently.
Banks should ensure that vulnerability scanning is performed in an authenticated mode (i.e., configuring the scanner with administrator credentials) at least quarterly, either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested, to overcome limitations of unauthenticated vulnerability scanning.
Banks should compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or by documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed increasing the risk.
Vulnerability scanning tools should be tuned to compare services that are listening on each machine against a list of authorized services. The tools should be further tuned to identify changes over time on systems for both authorized and unauthorized services.
The security function should have updated status regarding the number of unmitigated critical vulnerabilities for each department/division and a plan for mitigation, and should share vulnerability reports indicating critical issues with senior management to provide effective incentives for mitigation.
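The back-to-back scan comparison, the review of expired risk acceptances and the listening-service check described above can be reduced to set operations over scan output. The following is an added example written for this page, not a scanner vendor's tool; the hosts, finding identifiers, review dates and port lists are constructed placeholders, and it assumes the scanner exports one record per (host, finding) pair.

```python
from datetime import date

# Constructed sample scan output: one record per (host, finding). Not real data.
PREVIOUS_SCAN = [
    {"host": "10.0.1.5", "finding": "SSH-WEAK-MAC", "severity": "medium"},
    {"host": "10.0.1.5", "finding": "OPENSSL-OUTDATED", "severity": "critical"},
    {"host": "10.0.1.7", "finding": "SMBV1-ENABLED", "severity": "high"},
]
CURRENT_SCAN = [
    {"host": "10.0.1.5", "finding": "OPENSSL-OUTDATED", "severity": "critical"},
    {"host": "10.0.1.7", "finding": "SMBV1-ENABLED", "severity": "high"},
    {"host": "10.0.1.9", "finding": "TLS10-ENABLED", "severity": "medium"},
]
# Documented risk acceptances and the date by which each must be re-reviewed.
ACCEPTED_RISKS = {("10.0.1.7", "SMBV1-ENABLED"): date(2024, 1, 31)}
REVIEW_DATE = date(2024, 3, 1)

# Listening services reported by the authenticated scan versus the approved baseline.
AUTHORIZED_SERVICES = {"10.0.1.5": {22, 443}, "10.0.1.7": {445}, "10.0.1.9": {443}}
LISTENING_SERVICES = {"10.0.1.5": {22, 443, 8080}, "10.0.1.7": {445}, "10.0.1.9": {443, 3389}}


def _key(record):
    return (record["host"], record["finding"])


def compare_scans(previous, current, accepted, today):
    """Classify findings as remediated, new, still open, or under an acceptance due for review."""
    prev_keys = {_key(r) for r in previous}
    cur = {_key(r): r for r in current}
    result = {
        "remediated": sorted(prev_keys - cur.keys()),
        "new": sorted(cur.keys() - prev_keys),
        "unmitigated": [],             # seen in both scans, no patch, no documented acceptance
        "acceptance_due_review": [],   # accepted risk whose review date has passed
    }
    for k in sorted(cur):
        if k in accepted:
            if accepted[k] < today:
                result["acceptance_due_review"].append(k)
        elif k in prev_keys:
            result["unmitigated"].append(k)
    return result


def unauthorized_services(listening, authorized):
    """Ports listening on each host that are not on its authorized service list."""
    out = {}
    for host, ports in listening.items():
        extra = ports - authorized.get(host, set())
        if extra:
            out[host] = sorted(extra)
    return out


def critical_open_count(scan_result, current):
    """Number of unmitigated critical findings: the figure reported to senior management."""
    severity = {_key(r): r["severity"] for r in current}
    return sum(1 for k in scan_result["unmitigated"] if severity[k] == "critical")


if __name__ == "__main__":
    report = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, ACCEPTED_RISKS, REVIEW_DATE)
    print(report)
    print(unauthorized_services(LISTENING_SERVICES, AUTHORIZED_SERVICES))
    print("open critical:", critical_open_count(report, CURRENT_SCAN))
```

A finding that disappears between scans is only counted as remediated because it is absent; a practitioner would confirm with the patch inventory that it was actually fixed rather than simply not reached by the second scan (for example because the host was offline).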

Establishing on-going security monitoring processes

A bank needs to have robust monitoring processes in place to identify events and
unusual activity patterns that could impact the security of IT assets. The
strength of the monitoring controls needs to be proportionate to the criticality of an
IT asset. Alerts would need to be investigated in a timely manner, with an
appropriate response determined.
Common monitoring processes include:
activity logging (including exceptions to approved activity), for example, device, server and network activity and security sensor alerts
monitoring staff or third-party access to sensitive data/information to ensure it is for a valid business reason
scanning host systems for known vulnerabilities
checks to determine if information security controls are operating as expected and are being complied with
checking whether powerful utilities / commands have been disabled on attached hosts (by using tools like a ‘network sniffer’)
environment and customer profiling
checking for the existence and configuration of unauthorised wireless networks by using automated tools
discovering the existence of unauthorised systems by using network discovery and mapping tools
detecting unauthorised changes to electronic documents and configuration files by using file integrity monitoring software.

Banks’ networks should be designed to support effective monitoring. Design
considerations include network traffic policies that address the allowed
communications between computers or groups of computers, security domains
that implement the policies, sensor placement to identify policy violations and
anomalous traffic, nature and extent of logging, log storage and protection and
ability to implement additional sensors on an ad hoc basis when required.
Banks would need to establish a clear allocation of responsibility for regular
monitoring, and the processes and tools in this regard should be in a position to
manage the volume of monitoring required, thereby reducing the risk of an incident
going undetected.

Highly sensitive and/or critical IT assets would need to have logging enabled to
record events and monitored at a level proportional to the level of risk.
Users, like system administrators, with elevated access privileges should be
subjected to a greater level of monitoring in light of the heightened risks involved.

The integrity of the monitoring logs and processes should be safeguarded through
appropriate access controls and segregation of duties.
Banks should frequently review all system accounts and disable any account that
cannot be associated with a business process and business owner. Reports that
may be generated from systems and reviewed frequently may include, among
others, a list of locked out accounts, disabled accounts, accounts with passwords
that exceed the maximum password age, and accounts with passwords that never
expire.
Banks should establish and follow a process for revoking system access by
disabling accounts immediately upon termination of an employee or contractor.
Banks should regularly monitor the use of all accounts, automatically logging off
users after a standard period of inactivity.

Banks should monitor account usage to determine dormant accounts that have not
been used for a given period, say 15 days, notifying the user or user’s manager of
the dormancy. After a longer period, say 30 days, the account may be disabled.
On a periodic basis, say monthly or quarterly basis, banks should require that
managers match active employees and contractors with each account belonging to
their managed staff.
Security/system administrators should then disable accounts that are not assigned
to active employees or contractors.
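The dormancy thresholds (notify after 15 days, disable after 30) and the periodic manager reconciliation of accounts against active staff described above combine into one review routine. The following is an added example, not code from the original text or from any identity management product; the account names, owner identifiers, last-login dates, HR roster and review date are constructed.

```python
from datetime import date

NOTIFY_AFTER_DAYS = 15    # thresholds quoted in the text as illustrative values
DISABLE_AFTER_DAYS = 30
REVIEW_DATE = date(2024, 3, 1)

# Constructed sample: account -> owner (HR id), last successful login, enabled flag.
ACCOUNTS = {
    "jdoe":           {"owner": "EMP1001", "last_login": date(2024, 2, 27), "enabled": True},
    "asmith":         {"owner": "EMP1002", "last_login": date(2024, 2, 10), "enabled": True},
    "svc_batch":      {"owner": "EMP1003", "last_login": date(2024, 1, 15), "enabled": True},
    "oldadmin":       {"owner": "EMP0999", "last_login": date(2023, 12, 1), "enabled": True},
    "tmp_contractor": {"owner": None,      "last_login": date(2024, 2, 20), "enabled": True},
}
# Active employees and contractors as confirmed by their managers; EMP0999 has left.
ACTIVE_STAFF = {"EMP1001", "EMP1002", "EMP1003"}


def review_accounts(accounts, active_staff, today):
    """Sort enabled accounts into: notify (dormant), disable (long dormant), orphaned (no owner)."""
    review = {"notify": [], "disable": [], "orphaned": []}
    for name, info in sorted(accounts.items()):
        if not info["enabled"]:
            continue
        # Reconciliation comes first: an account with no active owner is disabled
        # regardless of how recently it was used.
        if info["owner"] not in active_staff:
            review["orphaned"].append(name)
            continue
        idle_days = (today - info["last_login"]).days
        if idle_days >= DISABLE_AFTER_DAYS:
            review["disable"].append(name)
        elif idle_days >= NOTIFY_AFTER_DAYS:
            review["notify"].append(name)
    return review


def apply_review(accounts, review):
    """Disable what the review flagged; notifications are left to the caller's workflow."""
    for name in review["disable"] + review["orphaned"]:
        accounts[name]["enabled"] = False
    return sorted(n for n, a in accounts.items() if not a["enabled"])


def run_review():
    """Run the review over a copy of the sample data and return (review, disabled accounts)."""
    accounts = {n: dict(a) for n, a in ACCOUNTS.items()}
    review = review_accounts(accounts, ACTIVE_STAFF, REVIEW_DATE)
    return review, apply_review(accounts, review)


if __name__ == "__main__":
    print(run_review())
```

Service accounts such as `svc_batch` show why a blanket 30-day disable needs care: a quarterly batch job's account is legitimately idle for months, so such accounts should carry a documented exception rather than be silently excluded from the review.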

Banks should monitor attempts to access deactivated accounts through audit
logging.
Banks should validate audit log settings for each hardware device and the software
installed on it, ensuring that logs include a date, timestamp, source addresses,
destination addresses, and various other useful elements of each packet and/or
transaction. Systems should record logs in a standardized format such as syslog
entries. If systems cannot generate logs in a standardized format, banks need to
deploy log normalization tools to convert logs into a standardized format.
System administrators and information security personnel should consider devising
profiles of common events from given systems, so that they can tune detection to
focus on unusual activity, reducing false positives, more rapidly identify anomalies,
and prevent overwhelming the analysts with insignificant alerts.

The following technologies/factors provide capabilities for effective attack detection
and analysis:
Security Information and Event Management (SIEM) - SIEM products provide situational awareness through the collection, aggregation, correlation and analysis of disparate data from various sources. The information provided by these tools helps in understanding the scope of an incident.
Intrusion Detection and Prevention System (IDS and IPS) - IPS products that have detection capabilities should be fully used during an incident to limit any further impact on the organization. IDS and IPS products are often the primary source of information leading to the identification of an attack. Once the attack has been identified, it is essential to enable the appropriate IPS rule sets to block further incident propagation and to support containment and eradication.
Network Behaviour Analysis (NBA) - Network-wide anomaly-detection tools will provide data on traffic patterns that are indicative of an incident. Once an incident has been identified through the use of these tools, it is important to capture that information for the purposes of supporting further mitigation activities, including an operational workflow to ensure that the information from these tools is routed to the appropriate response team.
Managed Security Service Provider (MSSP) - If an organization has outsourced security event management to an MSSP, the latter should provide notification when an incident requires attention. The organisation must obtain as much information on the incident as possible from the MSSP and implement remediation steps as recommended by the MSSP.

Banks also need to pro-actively monitor various authentic sources like CERT-In,
security vendors, etc. for any security related advisories and take suitable
measures accordingly.

Security measures against Malware:

Malicious software is an integral and dangerous aspect of internet-based threats
which target end-users and organizations through modes like web browsing, email
attachments, mobile devices, and other vectors. Malicious code may tamper with a
system's contents and capture sensitive data. It can also spread to other systems.
Modern malware aims to avoid signature-based and behavioral detection, and may
disable anti-virus tools running on the targeted system. Anti-virus and anti-spyware
software, collectively referred to as anti-malware tools, help defend against these
threats by attempting to detect malware and block its execution.

Typical controls to protect against malicious code use layered combinations of
technology, policies and procedures, and training. The controls are preventive and
detective/corrective in nature. Controls are applied at the host, network, and user
levels:
At host level: The various measures at the host level include host hardening (including patch application and proper security configuration of the operating system (OS), browsers, and other network-aware software); considering implementing host-based firewalls on each internal computer and especially laptops assigned to mobile users (many host-based firewalls also have application hashing capabilities, which are helpful in identifying applications that may have been trojanized after initial installation); considering host IPS and integrity checking software combined with strict change controls and configuration management; and periodic auditing of host configurations, both manual and automated.
At network level: The various measures include limiting the transfer of executable files through the perimeter; IDS and IPS monitoring of incoming and outgoing network traffic, including anti-virus, anti-spyware and signature- and anomaly-based traffic monitors; routing Access Control Lists (ACLs) that limit incoming and outgoing connections as well as internal connections to those necessary for business purposes; proxy servers that inspect incoming and outgoing packets for indicators of malicious code and block access to known or suspected malware distribution servers; and filtering to protect against attacks such as cross-site scripting and SQL injection.
At user level: User education in awareness, safe computing practices, indicators of malicious code, and response actions.
Enterprise security administrative features may be used daily to check the number
of systems that do not have the latest anti-malware signatures. All malware
detection events should be sent to enterprise anti-malware administration tools
and event log servers.
Banks should employ anti-malware software and signature auto update features to
automatically update signature files and scan engines whenever the vendor
publishes updates. After applying an update, automated systems should verify that
each system has received its signature update. The bank should monitor anti-virus
console logs to correct any systems that failed to be updated. The systems
deployed for client security should be delivering simplified administration through
central management and providing critical visibility into threats and vulnerabilities.
It should also integrate with existing infrastructure software, such as Active
Directory for enhanced protection and greater control.

Administrators should not rely solely on AV software and email filtering to detect
worm infections. Logs from firewalls, intrusion detection and prevention sensors,
DNS servers and proxy servers should be monitored on a daily basis for signs
of worm infections including but not limited to:
Outbound SMTP connection attempts from anything other than a bank’s SMTP mail gateways
Excessive or unusual scanning on TCP and UDP ports 135-139 and 445
Connection attempts on IRC or any other ports that are unusual for the environment
Excessive attempts from internal systems to access non-business web sites
Excessive traffic from individual or a group of internal systems
Excessive DNS queries from internal systems to the same host name and for known “nonexistent” host names
Using a centralized means such as a syslog host to collect logs from various devices and systems can help in the analysis of the information.
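Two things the text asks for come together in practice: logs from different devices must first be normalised into one format (as the earlier paragraph on standardised log formats and log normalisation tools describes), and only then can the worm indicators listed above be checked across them. The following added example, which is not code from the original text or from any vendor's tool, parses constructed firewall and DNS log lines written in two made-up vendor-like formats into a common record, then applies three of the indicators from the list: outbound SMTP from a non-gateway host, scanning of ports 135-139/445 across several hosts, and repeated queries for a non-existent name. Addresses, thresholds and the mail gateway list are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

MAIL_GATEWAYS = {"10.0.0.25"}       # the only hosts permitted to speak SMTP outbound
SMB_PORTS = set(range(135, 140)) | {445}
SCAN_THRESHOLD = 3                  # distinct SMB/NetBIOS targets from one host per period
NXDOMAIN_THRESHOLD = 3              # repeated failed lookups of the same name from one host

# Constructed sample lines (not any real product's format): a netfilter-style
# firewall log and a simplified DNS query log, as a syslog host would collect them.
RAW_LINES = """
fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.3.14 DST=203.0.113.9 PROTO=TCP DPT=25
fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.9 PROTO=TCP DPT=25
fw01 kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.3.14 DST=10.0.4.1 PROTO=TCP DPT=445
fw01 kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.3.14 DST=10.0.4.2 PROTO=TCP DPT=445
fw01 kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.3.14 DST=10.0.4.3 PROTO=TCP DPT=139
fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.3.20 DST=10.0.4.1 PROTO=TCP DPT=445
dns01 named: client 10.0.3.14#5353: query: xj7q.example.invalid IN A -> NXDOMAIN
dns01 named: client 10.0.3.14#5353: query: xj7q.example.invalid IN A -> NXDOMAIN
dns01 named: client 10.0.3.14#5353: query: xj7q.example.invalid IN A -> NXDOMAIN
dns01 named: client 10.0.3.20#5353: query: www.example.com IN A -> NOERROR
""".strip().splitlines()

FW_RE = re.compile(r"(?P<action>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                   r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN \S+ -> (?P<rcode>\S+)")


def normalize(line: str):
    """Turn one raw line into a common record, or None if the format is unknown."""
    m = FW_RE.search(line)
    if m:
        return {"kind": "flow", "src": m["src"], "dst": m["dst"], "proto": m["proto"],
                "dport": int(m["dport"]), "action": m["action"]}
    m = DNS_RE.search(line)
    if m:
        return {"kind": "dns", "src": m["src"], "qname": m["qname"], "rcode": m["rcode"]}
    return None


def detect_worm_indicators(events):
    """Apply three indicators from the text to normalised events; return sorted (indicator, host) pairs."""
    findings = set()
    smb_targets = defaultdict(set)
    nxdomain = Counter()
    for e in events:
        if e["kind"] == "flow":
            if e["dport"] == 25 and e["src"] not in MAIL_GATEWAYS:
                findings.add(("smtp_from_non_gateway", e["src"]))
            if e["dport"] in SMB_PORTS:
                smb_targets[e["src"]].add(e["dst"])
        elif e["kind"] == "dns" and e["rcode"] == "NXDOMAIN":
            nxdomain[(e["src"], e["qname"])] += 1
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.add(("smb_scan", src))
    for (src, _qname), count in nxdomain.items():
        if count >= NXDOMAIN_THRESHOLD:
            findings.add(("repeated_nxdomain", src))
    return sorted(findings)


def analyze_lines(lines):
    """Normalise then detect, skipping lines no parser understands."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return detect_worm_indicators(events)


if __name__ == "__main__":
    for indicator, host in analyze_lines(RAW_LINES):
        print(f"{host}: {indicator}")
```

Dropped connections count as evidence too: a host probing port 445 on many neighbours is suspicious whether or not the firewall let the packets through, which is why the detector ignores the `action` field for the scan indicator. Thresholds are deliberately low for the sample; in production they come from the profiling of normal activity that the text recommends.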

Banks should configure laptops, workstations, and servers so that they do not
auto-run content from USB tokens, USB hard drives, CDs/DVDs, external SATA
devices, mounted network shares, or other removable media.

Banks should configure systems so that they conduct an automated anti-malware
scan of removable media when it is inserted.
Banks can also consider deploying Network Access Control (NAC) tools to
verify security configuration and patch level compliance of devices before granting
access to a network. Network Admission Control (NAC) restricts access to the
network based on the identity or security posture of an organization. When NAC is
implemented, it forces a user or a machine seeking network access to authenticate
prior to being granted actual access to the network. A typical (non-free) WiFi
connection is a form of NAC: the user must present some sort of credentials (or a
credit card) before being granted access to the network. Network admission
control systems allow noncompliant devices to be denied access, placed in a
quarantined area, or given restricted access to computing resources, thus keeping
insecure nodes from infecting the network. The key component of the Network
Admission Control program is the Trust Agent, which resides on an endpoint
system and communicates with routers on the network. The information is then
relayed to a Secure Access Control Server (ACS) where access control decisions
are made. The ACS directs the router to perform enforcement against the
endpoint.

Email Attachment Filtering - Banks should filter various attachment types at the
email gateway, unless required for specific business use. Some examples
include .ade .cmd .eml .ins .mdb .mst .reg .url .wsf .adp .com .exe .isp .mde .pcd .scr
.vb .wsh .bas .cpl .hlp .js .msc .pif .sct .vbe .bat .crt .hta .jse .msi .pl .scx .vbs .chm
.dll .inf .lnk .msp .pot .shs .wsc… etc. Banks should consider only allowing file
extensions with a documented business case and filtering all others.
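The recommendation above is really two policies layered together: a deny list of known-dangerous extensions and, stricter, an allow list of extensions with a documented business case. The following added example (not code from the original text or any mail gateway) implements both, and also handles the evasions a gateway rule must cope with: mixed case, trailing dots or spaces, and double extensions such as `invoice.pdf.exe`. The deny list is the one printed in the text; the allow list is a constructed assumption a bank would replace with its own.

```python
# Extensions named in the text as examples to filter.
BLOCKED_EXTENSIONS = {
    ".ade", ".cmd", ".eml", ".ins", ".mdb", ".mst", ".reg", ".url", ".wsf", ".adp",
    ".com", ".exe", ".isp", ".mde", ".pcd", ".scr", ".vb", ".wsh", ".bas", ".cpl",
    ".hlp", ".js", ".msc", ".pif", ".sct", ".vbe", ".bat", ".crt", ".hta", ".jse",
    ".msi", ".pl", ".scx", ".vbs", ".chm", ".dll", ".inf", ".lnk", ".msp", ".pot",
    ".shs", ".wsc",
}
# Constructed allow list: the extensions for which a business case has been documented.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".csv", ".txt"}


def attachment_decision(filename: str, allow_list=ALLOWED_EXTENSIONS):
    """Return ("allow", ext) or ("block", reason) for one attachment file name."""
    # Normalise the evasions a gateway sees: case, surrounding whitespace, trailing dots.
    name = filename.strip().lower().rstrip(". ")
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("block", "no extension")
    # Every component after the base name counts, so invoice.pdf.exe is caught by .exe
    # and report.exe.txt is caught as well.
    extensions = ["." + p for p in parts[1:]]
    dangerous = [e for e in extensions if e in BLOCKED_EXTENSIONS]
    if dangerous:
        return ("block", "dangerous extension " + dangerous[-1])
    if extensions[-1] not in allow_list:
        return ("block", "extension not on allow list " + extensions[-1])
    return ("allow", extensions[-1])


def filter_message(attachments):
    """Apply the decision to each attachment of a message; returns (allowed, blocked_with_reason)."""
    allowed, blocked = [], []
    for att in attachments:
        verdict, detail = attachment_decision(att)
        (allowed if verdict == "allow" else blocked).append((att, detail))
    return allowed, blocked


if __name__ == "__main__":
    print(filter_message(["statement.pdf", "invoice.pdf.exe", "Setup.EXE.", "photo.jpg", "README"]))
```

Filtering by name is only the first gate: a file can be renamed, so the gateway should also inspect content (file type signatures, archives and their members), which is where the anti-malware scanning of the preceding paragraphs takes over.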

Patch Management:

A Patch Management process needs to be in place to address technical system
and software vulnerabilities quickly and effectively in order to reduce the likelihood
of a serious business impact arising.

There should be documented standards / procedures for patch management. The
standards / procedures for patch management should include a method of defining
roles and responsibilities for patch management, determining the importance of
systems (for e.g., based on the information handled, the business processes
supported and the environments in which they are used), and recording patches that
have been applied (for e.g., using an inventory of computer assets including their
patch level).
The patch management process should include aspects like:
Determining methods of obtaining and validating patches for ensuring that the patch is from an authorised source
Identifying vulnerabilities that are applicable to applications and systems used by the organisation
Assessing the business impact of implementing patches (or not implementing a particular patch)
Ensuring patches are tested
Describing methods of deploying patches, for example, in an automated manner
Reporting on the status of patch deployment across the organisation
Including methods of dealing with the failed deployment of a patch (e.g., redeployment of the patch)
Methods should be established to protect information and systems if no patch is
available for an identified vulnerability, for example, disabling services and adding
additional access controls. Organizations should deploy automated patch
management tools and software update tools for all systems for which such tools
are available and safe.
Organizations should measure the delay in patching new vulnerabilities and
ensure the delay is not beyond the benchmarks set forth by the organization,
which should be less for critical patches, say not more than a week, unless a
mitigating control that blocks exploitation is available.

Critical patches must be evaluated in a test environment before being updated into
production on enterprise systems. If such patches break critical business
applications on test machines, the organization must devise other mitigating
controls that block exploitation on systems where the patch is difficult to be
deployed because of its impact on business functionality.
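The patch-latency measurement described in the two preceding paragraphs (delay from release to deployment, compared against a benchmark that is tighter for critical patches, with an exception where a mitigating control blocks exploitation) is shown below as an added example. It is not code from the original text; the benchmark table beyond the "not more than a week for critical" figure in the text, the asset names, patch identifiers and dates are constructed.

```python
from collections import Counter
from datetime import date

# Days allowed from vendor release to deployment. The critical figure is the one
# the text suggests; the others are constructed placeholders a bank would set itself.
BENCHMARK_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
REPORT_DATE = date(2024, 3, 1)

# Constructed inventory records; "applied" is None while the patch is still outstanding
# and "mitigated" records a documented control that blocks exploitation meanwhile.
PATCH_RECORDS = [
    {"id": "P-001", "asset": "core-db-01", "severity": "critical",
     "released": date(2024, 2, 1), "applied": date(2024, 2, 5), "mitigated": False},
    {"id": "P-002", "asset": "web-01", "severity": "critical",
     "released": date(2024, 2, 1), "applied": None, "mitigated": True},
    {"id": "P-003", "asset": "app-02", "severity": "critical",
     "released": date(2024, 2, 1), "applied": None, "mitigated": False},
    {"id": "P-004", "asset": "fs-01", "severity": "medium",
     "released": date(2024, 1, 1), "applied": date(2024, 2, 15), "mitigated": False},
]


def patch_latency_days(record, today):
    """Days from release to deployment, or to today if still outstanding."""
    end = record["applied"] or today
    return (end - record["released"]).days


def evaluate_patches(records, today):
    """Label each record against its severity benchmark."""
    results = []
    for r in records:
        latency = patch_latency_days(r, today)
        limit = BENCHMARK_DAYS[r["severity"]]
        if latency <= limit:
            status = "within_benchmark"
        elif r["mitigated"]:
            status = "overdue_mitigated"   # exception the text allows, still to be tracked
        else:
            status = "overdue"             # the figure that goes to senior management
        results.append({"id": r["id"], "asset": r["asset"], "severity": r["severity"],
                        "latency_days": latency, "status": status})
    return results


def latency_report(records, today):
    """Summary counts plus the list of overdue items, as a metrics dashboard would show them."""
    results = evaluate_patches(records, today)
    return {
        "counts": dict(Counter(r["status"] for r in results)),
        "overdue": [r["id"] for r in results if r["status"] == "overdue"],
        "max_open_latency": max((r["latency_days"] for r in results if r["status"] != "within_benchmark"), default=0),
    }


if __name__ == "__main__":
    print(latency_report(PATCH_RECORDS, REPORT_DATE))
```

Measuring from the vendor's release date rather than from when the bank first noticed the patch is deliberate: the attacker's clock starts at release, so a long gap between release and the bank's awareness is itself a finding about the vulnerability identification step of the process.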

Change Management:

A change management process should be established, which covers all types of
change. For example, upgrades and modifications to application and software,
modifications to business information, emergency ‘fixes’, and changes to the
computers / networks that support the application.
The change management process should be documented, and include approving
and testing changes to ensure that they do not compromise security controls,
performing changes and signing them off to ensure they are made correctly and
securely, and reviewing completed changes to ensure that no unauthorised changes
have been made.
The following steps should be taken prior to changes being applied to the live
environment:
Change requests should be documented (e.g., on a change request form) and accepted only from authorised individuals, and changes should be approved by an appropriate authority
The potential business impacts of changes should be assessed (for e.g., in terms of the overall risk and impact on other components of the application)
Changes should be tested to help determine the expected results (for e.g., deploying the patch into the live environment)
Changes should be reviewed to ensure that they do not compromise security controls (e.g., by checking software to ensure it does not contain malicious code, such as a trojan horse or a virus)
Back-out positions should be established so that the application can recover from failed changes or unexpected results
Changes to the application should be performed by skilled and competent individuals who are capable of making changes correctly and securely, and signed off by an appropriate business official.

Audit trails

Banks need to ensure that audit trails exist for IT assets satisfying the bank's
business requirements including regulatory and legal requirements, facilitating
audit, serving as forensic evidence when required and assisting in dispute
resolution. This could include, as applicable, various areas like transactions with
financial consequences; the opening, modification or closing of customer
accounts; modifications in sensitive master data; accessing or copying of sensitive
data/information; and granting, modification or revocation of system access rights
or privileges for accessing sensitive IT assets.
Audit trails should be secured to ensure the integrity of the information captured,
including the preservation of evidence. Retention of audit trails should be in line
with business, regulatory and legal requirements.

Some considerations for securing the integrity of log files include:
Encrypting log files that contain sensitive data or that are transmitted over the network
Ensuring adequate storage capacity to avoid gaps in data gathering
Securing back-up and disposal of log files
Logging the data to write-only media like a write-once/read-many (WORM) disk or drive
Setting logging parameters to disallow any modification to previously written data
As indicated earlier, network and host activities typically are recorded
on the host and sent across the network to a central logging facility which may
process the logging data into a common format. The process, called normalization,
enables timely and effective log analysis.
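WORM media and write-only logging parameters prevent modification; a complementary technique, which the text does not prescribe but which serves the same goal of preserving evidence, makes any modification detectable: each audit entry stores a hash that covers both its own content and the hash of the entry before it, so editing or removing an entry breaks the chain. The following is an added example, not code from the original text or from any logging product; the teller and administrator actions in `demo_tamper()` are constructed, and the last hash is assumed to be copied to tamper-resistant storage such as the WORM media mentioned above.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64   # chain anchor used before the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of entries; each carries the hash chaining it to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        h = entry_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "record": dict(record), "hash": h})
        return h

    def head(self) -> str:
        """Hash of the newest entry; store it out of band (e.g. on WORM media) as the seal."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self, expected_head=None):
        """(True, count) if intact; else (False, index of the first entry that fails)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["hash"] != entry_hash(prev, e["record"]):
                return (False, i)
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return (False, len(self.entries))   # entries were removed from the tail
        return (True, len(self.entries))


def demo_tamper():
    """Constructed scenario: three entries, an in-place edit, then a deleted tail entry."""
    trail = AuditTrail()
    trail.append({"user": "teller01", "action": "open_account", "acct": "XXXX1234"})
    trail.append({"user": "admin02", "action": "grant_privilege",
                  "target": "teller01", "priv": "approve_txn"})
    trail.append({"user": "teller01", "action": "debit", "acct": "XXXX1234", "amount": 5000})
    sealed_head = trail.head()                  # copied to protected storage at this point
    intact = trail.verify(sealed_head)

    trail.entries[1]["record"]["priv"] = "read_only"    # someone edits a stored entry
    after_edit = trail.verify(sealed_head)

    trail.entries[1]["record"]["priv"] = "approve_txn"  # undo the edit, then drop the last entry
    trail.entries.pop()
    after_truncation = trail.verify(sealed_head)
    return intact, after_edit, after_truncation


if __name__ == "__main__":
    print(demo_tamper())
```

Without the externally stored seal, deleting the newest entries would leave a chain that still verifies, which is why `verify()` takes the expected head: the chain proves internal consistency, the seal proves completeness.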
Other aspects related to logging to be considered include:
All remote access to an internal network, whether through VPN, dial-up, or other mechanism, should be logged verbosely
Operating systems should be configured to log access control events associated with a user attempting to access a resource like a file or directory without the appropriate permissions
Security personnel and/or administrators designated in this regard should identify anomalies in logs and actively review the anomalies, documenting their findings on an ongoing basis
Each bank can consider ensuring that at least two synchronized time sources are available in their network from which all servers and network equipment retrieve time information on a regular basis, so that timestamps in logs are consistent
Network boundary devices, including firewalls, network-based IPSs, and inbound and outbound proxies may be configured to log verbosely all traffic (both allowed and blocked) arriving at the device
Given the multiplicity of devices and systems, banks should consider deploying a
Security Information and Event Management (SIEM) system tool for log
aggregation and consolidation from multiple machines/systems and for log
correlation and analysis, as indicated earlier in the chapter. Furthermore, event
logs may be correlated with information from vulnerability scans to fulfill two goals.
First, personnel should verify that the activity of the regular vulnerability scanning
tools themselves is logged. And, secondly, personnel should be able to correlate
attack detection events with earlier vulnerability scanning results to determine
whether the given exploit was used against a known-vulnerable target.
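The two correlation goals just stated are mechanical once detection events and scan findings share host and vulnerability identifiers: an alert whose exploit signature matches a finding recorded against the same target is the one to handle first, an alert from the bank's own scanner confirms that scanning activity is being logged, and the rest is prioritised behind them. The following added example (not code from the original text or any SIEM) does that over constructed data; the addresses, the finding identifiers (placeholders, not real CVE numbers) and the signature names are all made up.

```python
# Constructed findings from the most recent authenticated scan, keyed by host.
SCAN_FINDINGS = {
    "10.0.2.10": {"VULN-SMB-001", "VULN-TLS-002"},
    "10.0.2.11": {"VULN-TLS-002"},
}
SCANNER_HOSTS = {"10.0.9.9"}   # the bank's own authorised scanning appliance

# Constructed IDS alerts; "vuln" is the identifier the signature's metadata points at.
IDS_ALERTS = [
    {"ts": "2024-03-01T10:02:11", "src": "198.51.100.7", "dst": "10.0.2.10",
     "signature": "EXPLOIT SMB buffer overflow attempt", "vuln": "VULN-SMB-001"},
    {"ts": "2024-03-01T10:02:14", "src": "198.51.100.7", "dst": "10.0.2.11",
     "signature": "EXPLOIT SMB buffer overflow attempt", "vuln": "VULN-SMB-001"},
    {"ts": "2024-03-01T03:15:00", "src": "10.0.9.9", "dst": "10.0.2.10",
     "signature": "SCAN vulnerability scanner probe", "vuln": None},
    {"ts": "2024-03-01T11:40:52", "src": "203.0.113.4", "dst": "10.0.2.11",
     "signature": "POLICY unusual user agent", "vuln": None},
]

# Lower number = handled first.
PRIORITY = {
    "exploit_against_known_vulnerable": 1,
    "uncorrelated": 2,                  # no scan data to rule it out, so it stays visible
    "exploit_against_not_vulnerable": 3,
    "authorised_scanner_activity": 4,
}


def correlate_alert(alert, findings, scanner_hosts):
    """Assign one alert a verdict by joining it with scan results and the scanner list."""
    if alert["src"] in scanner_hosts:
        return "authorised_scanner_activity"
    if alert["vuln"] is None:
        return "uncorrelated"
    if alert["vuln"] in findings.get(alert["dst"], set()):
        return "exploit_against_known_vulnerable"
    return "exploit_against_not_vulnerable"


def triage(alerts, findings, scanner_hosts):
    """Ordered work list of (verdict, target, signature), highest priority first."""
    rows = [(correlate_alert(a, findings, scanner_hosts), a["dst"], a["signature"]) for a in alerts]
    return sorted(rows, key=lambda r: (PRIORITY[r[0]], r[1]))


def scanner_activity_logged(alerts, scanner_hosts):
    """First goal from the text: each scanner's own traffic must appear in the detection logs."""
    return {h: any(a["src"] == h for a in alerts) for h in scanner_hosts}


if __name__ == "__main__":
    for row in triage(IDS_ALERTS, SCAN_FINDINGS, SCANNER_HOSTS):
        print(row)
    print(scanner_activity_logged(IDS_ALERTS, SCANNER_HOSTS))
```

The "not vulnerable" verdict is only as good as the scan's age: a scan from before the patch was applied, or one run unauthenticated, can say the host is clean when it is not, which is why the earlier section insists on authenticated and frequent scanning.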

E-banking systems should be designed and installed to capture and maintain
forensic evidence in a manner that maintains control over the evidence, and
prevents tampering and the collection of false evidence.
In instances where processing systems and related audit trails are the
responsibility of a third-party service provider, the bank should ensure that it has
access to relevant audit trails maintained by the service provider, apart from
ensuring that the audit trails maintained by the service provider meet the bank's
standards.

Information security reporting and metrics

Security monitoring arrangements should provide key decision-makers and Senior
Management/Board of Directors with an informed view of aspects like the
effectiveness and efficiency of information security arrangements, areas where
improvement is required, information and systems that are subject to an
unacceptable level of risk, performance against quantitative, objective targets, and
actions required to help minimize risk (e.g., reviewing the organization’s risk
appetite, understanding the information security threat environment and
encouraging business and system owners to remedy unacceptable risks).

There should be arrangements for monitoring the information security condition of
the organisation, which are documented, agreed with top management and
performed regularly. Information generated by monitoring the information security
condition of the organization should be used to measure the effectiveness of the
information security strategy, information security policy and security architecture.
Analysis performed as part of security monitoring and reporting arrangements may
include, inter alia, the following:
Details relating to information security incidents and their impact
Steps taken for non-recurrence of such events in the future
Major internal and external audit/vulnerability assessment/penetration test findings and remediation status
Operational security statistics, such as firewall log data, patch management details and number of spam e-mails
Costs associated with financial losses, legal or regulatory penalties and risk profile(s)
Progress against security plans/strategy
Capacity and performance analysis of security systems
Infrastructure and software analysis
Fraud analysis

Information collected as part of security reporting arrangements should include
details about all aspects of information risk like criticality of information, identified
vulnerabilities and level of threats, potential business impacts and the status of
security controls in place. Information about the security condition of the
organisation should be provided to key decision-makers/stakeholders like the
Board, top management, members of the Information Security Committee, and
relevant external bodies like the regulator as required.

Metrics can be an effective tool for security managers to discern the effectiveness
of various components of their security policy and programs, the security of a
specific system, product or process, effectiveness and efficiency of security
services delivery, the impact of security events on business processes and the
ability of staff or departments within an organization to address security issues for
which they are responsible. Additionally, they may be used to raise the level of
security awareness within the organization. The measurement of security
characteristics can allow management to increase control and drive further
improvements to the security procedures and processes.
Each dimension of the IT security risk management framework can be measured
by at least one metric to enable the monitoring of progress towards set targets and
the identification of trends. The use of metrics needs to be targeted towards the
areas of greatest criticality. Generally, it is suggested that effective metrics need to
follow the SMART acronym i.e. specific, measurable, attainable, repeatable and
time-dependent.
In addition, a comprehensive set of metrics that provide for prospective and
retrospective measures, like key performance indicators and key risk indicators,
can be devised.
The efficacy of a security metrics system in mitigating risk depends on
completeness and accuracy of the measurements and their effective analysis. The
measurements should be reliable and sufficient to justify security decisions that
affect the institution’s security posture, allocate resources to security-related tasks,
and provide a basis for security-related reports.
Some illustrative metrics include coverage of anti-malware software and the
percentage of systems with current signature updates, patch latency, extent of user
awareness training, vulnerability-related metrics, etc.

Information security and Critical service providers/vendors

Banks use third-party service providers in a variety of different capacities. It can be
an Internet service provider (ISP), application or managed service provider
(ASP/MSP) or business service provider (BSP). These providers may often
perform important functions for the bank and usually may require access to
confidential information, applications and systems.
When enterprises use third parties, they can become a key component in an
enterprise’s controls and its achievement of related control objectives.
Management should evaluate the role that the third party performs in relation to the
IT environment, related controls and control objectives.

The effectiveness of third-party controls can enhance the ability of an enterprise to
achieve its control objectives. Conversely, ineffective third-party controls can
weaken the ability of a bank to achieve its control objectives. These weaknesses
can arise from many sources including gaps in the control environment arising
from the outsourcing of services to the third party, poor control design, causing
controls to operate ineffectively, lack of knowledge and/or inexperience of
personnel responsible for control functions and over-reliance on the third party’s
controls (when there are no compensating controls within the enterprise).
Third-party providers can affect an enterprise (including its partners), its
processes, controls and control objectives on many different levels. This includes
effects arising from such things as economic viability of the third-party provider,
third-party provider access to information that is transmitted through their
communication systems and applications, systems and application availability,
processing integrity, application development and change management processes
and the protection of systems and information assets through backup recovery,
contingency planning and redundancy.

The lack of controls and/or weakness in their design, operation or effectiveness
can lead to consequences like loss of information confidentiality and privacy,
systems not being available for use when needed, unauthorized access and
changes to systems, applications or data, changes to systems, applications or data
occurring that result in system or security failures, loss of data, loss of data
integrity, loss of data protection, or system unavailability, loss of system resources
and/or information assets and increased costs incurred by the enterprise as a
result of any of the above.
The relationship between the enterprise and a third-party provider should be
documented in the form of an executed contract. The various details and
requirements on the matter are covered under chapter on “IT outsourcing”.

Network Security

Protection against growing cyber threats requires multiple layers of defenses,
known as defense in depth. As every organization is different, this strategy should
therefore be based on a balance between protection, capability, cost, performance,
and operational considerations. Defense in depth for most organizations should at
least consider the following two areas:
Protecting the enclave boundaries or perimeter
Protecting the computing environment.
The enclave boundary is the point at which the organization’s network interacts
with the Internet. To control the flow of traffic through network borders and to police
its content looking for attacks and evidence of compromised machines, boundary
defenses should be multi-layered, relying on firewalls, proxies, DMZ perimeter
networks, and network-based Intrusion Prevention Systems and Intrusion
Detection Systems.
It should be noted that boundary lines between internal and external networks are
diminishing through increased interconnectivity within and between organizations
and use of wireless systems. These blurring lines sometimes allow attackers to
gain access inside networks while bypassing boundary systems. However, even
with this blurring, effective security deployment still relies on carefully configured
boundary defenses that separate networks with different threat levels, different
sets of users, and different levels of control. Effective multi-layered defenses of
perimeter networks help to lower the number of successful attacks, allowing
security personnel to focus on attackers who have devised methods to bypass
boundary restrictions.

An effective approach to securing a large network involves dividing the network
into logical security domains. A logical security domain is a distinct part of a
network with security policies that differ from other domains and perimeter controls
enforcing access at a network level. The differences may be far broader than
network controls, encompassing personnel, host, and other issues. Before
establishing security domains, banks need to map and configure the network to
identify and control all access points. Network configuration considerations could
include the following actions:
Identifying the various applications and systems accessed via the network
Identifying all access points to the network including various
telecommunications channels like ethernet, wireless, frame relay, dedicated
lines, remote dial-up access, extranets, internet
Mapping the internal and external connectivity between various network
segments
Defining minimum access requirements for network services
Determining the most appropriate network configuration to ensure adequate
security and performance for the bank

With a clear understanding of network connectivity, banks can avoid introducing
security vulnerabilities by minimizing access to less-trusted domains and
employing encryption and other controls for less secure connections. Banks can
then determine the most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to restrict access.
Some applications and business processes may require complete segregation
from the corporate network, for example, preventing connectivity between
corporate network and wire transfer system. Others may restrict access by placing
the services that must be accessed by each zone in their own security domain,
commonly called a De-Militarized Zone.

Security domains are bounded by perimeters. Typical perimeter controls include
firewalls that operate at different network layers, malicious code prevention,
outbound filtering, intrusion detection and prevention devices, and controls over
infrastructure services such as DNS. The perimeter controls may exist on separate
devices or be combined or consolidated on one or more devices. Consolidation on
a single device could improve security by reducing administrative overhead.
However, consolidation may increase risk through a reduced ability to perform
certain functions and the existence of a single point of failure. A few network
protection devices are briefly explained as under:
Firewalls: The main purpose of a firewall is access control. By limiting inbound
(from the Internet to the internal network) and outbound communications (from
the internal network to the Internet), various attack vectors can be reduced.
Firewalls may provide additional services like Network Address Translation and
Virtual Private Network Gateway.

Financial institutions have four primary firewall types from which to choose:
packet filtering, stateful inspection, proxy servers, and application-level firewalls.
Any product may have characteristics of one or more firewall types. The
selection of a firewall type is dependent on many characteristics of the security
zone, such as the amount of traffic, the sensitivity of the systems and data, and
applications.

Packet Filter Firewalls

Packet filter firewalls evaluate the headers of each incoming and outgoing packet to
ensure it has a valid internal address, originates from a permitted external address,
connects to an authorized protocol or service, and contains valid basic header
instructions. If the packet does not match the pre-defined policy for allowed traffic, then
the firewall drops the packet. Packet filters generally do not analyze the packet
contents beyond the header information. The major weaknesses of packet filtering
firewalls include the inability to prevent attacks that exploit application-specific
vulnerabilities and functions, because the packet filter does not examine packet
contents, and logging functionality that is limited to the same information used to
make access control decisions.

Stateful Inspection Firewalls

Stateful inspection firewalls are packet filters that monitor the state of the TCP
connection. Each TCP session starts with an initial “handshake” communicated through
TCP flags in the header information. When a connection is established the firewall adds
the connection information to a table. The firewall can then compare future packets to
the connection or state table. This essentially verifies that inbound traffic is in response
to requests initiated from inside the firewall.

Proxy Server Firewalls

Proxy servers act as an intermediary between internal and external IP addresses and
block direct access to the internal network. Essentially, they rewrite packet headers to
substitute the IP of the proxy server for the IP of the internal machine and forward
packets to and from the internal and external machines. Due to that limited capability,
proxy servers are commonly employed behind other firewall devices. The primary
firewall receives all traffic, determines which application is being targeted, and hands
off the traffic to the appropriate proxy server. Common proxy servers are the domain
name server (DNS), Web server (HTTP), and mail (SMTP) server. Proxy servers
frequently cache requests and responses, providing potential performance benefits.
Additionally, proxy servers provide another layer of access control by segregating the
flow of Internet traffic to support additional authentication and logging capability, as
well as content filtering. Web and e-mail proxy servers, for example, are capable of
filtering for potential malicious code and application-specific commands. Proxy servers
are increasing in importance as protocols are tunnelled through other protocols.

Application-Level Firewalls

Application-level firewalls perform application-level screening, typically including the
filtering capabilities of packet filter firewalls with additional validation of the packet
content based on the application. Application-level firewalls capture and compare
packets to state information in the connection tables. Unlike a packet filter firewall, an
application-level firewall continues to examine each packet after the initial connection is
established for specific applications or services such as telnet, FTP, SMTP, etc. The
application-level firewall can provide additional screening of the packet payload for
commands, protocols, packet length, authorization, content, or invalid headers.
Application-level firewalls provide the strongest level of security.

Firewall Policy

A firewall policy states management’s expectation for how the firewall should function
and is a component of the overall security management framework. Acceptable
inbound communication types for the organization need to be explicitly defined in the
firewall policies. As the firewall is usually one of the first lines of defense, access to the
firewall device itself needs to be strictly controlled.

At a minimum, the policy should address various aspects like firewall topology and
architecture and the type of firewalls being utilized, physical placement of the firewall
components, permissible traffic and monitoring of firewall traffic, firewall updating,
coordination with security monitoring and intrusion response mechanisms,
responsibility for monitoring and enforcing the firewall policy, protocols and applications
permitted, regular auditing of a firewall’s configuration and testing of the firewall’s
effectiveness, and contingency planning.

Firewalls should not be relied upon, however, to provide full protection from attacks.
Banks should complement firewalls with strong security policies and a range of other
controls. In fact, firewalls are potentially vulnerable to attacks including spoofing of
trusted IP addresses, denial of service by overloading the firewall with excessive
requests or malformed packets, sniffing of data that is being transmitted outside the
network, hostile code embedded in legitimate HTTP, SMTP, or other traffic that meets
all firewall rules, etc. Banks can reduce their vulnerability to these attacks through
network configuration and design, sound implementation of their firewall architecture
that includes multiple filter points, active firewall monitoring and management, and
integrated security monitoring. In many cases, additional access controls within the
operating system or application will provide additional means of defense.

Given the importance of firewalls as a means of access control, good firewall related
practices include:

Using a rule set that disallows all inbound and outbound traffic that is not
specifically allowed
Using NAT and split DNS to hide internal system names and addresses from
external networks
Using proxy connections for outbound HTTP connections and filtering malicious
code
Hardening the firewall by removing all unnecessary services and appropriately
patching, enhancing, and maintaining all software on the firewall unit
Restricting network mapping capabilities through the firewall, primarily by
blocking inbound ICMP (Internet Control Message Protocol) traffic
Backing up firewalls to internal media and not backing up the firewall to servers
on protected networks
Logging activity, with daily administrator review and limiting administrative
access to few individuals
Using security monitoring devices and practices to monitor actions on the
firewall and to monitor communications allowed through the firewall
Administering the firewall using encrypted communications and strong
authentication, accessing the firewall only from secure devices, and monitoring
all administrative access
Making changes only through well-administered change control procedures.
The firewall also needs to be configured for authorized outbound network traffic. In the
case of a compromised host inside the network, outbound or egress filtering can
contain that system and prevent it from communicating outbound to its controller, as
in the case with botnets. Often, firewalls default to allowing any outbound traffic;
therefore, organizations may need to explicitly define the acceptable outbound
communication policies for their networks. In most cases the acceptable outbound
connections would include SMTP to any address from only the SMTP mail
gateway(s), DNS to any address from an internal DNS server to resolve external host
names, HTTP and HTTPS from an internal proxy server for users to browse web sites,
NTP to specific time server addresses from the internal time server(s), any ports
required by anti-virus, spam filtering, web filtering or patch management software to
only the appropriate vendor address(es) to pull down updates, and any other rule where
the business case is documented and signed off by appropriate management.
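The stateful inspection behaviour and the default-deny egress policy described above, as an added example in Python (not the text's own code or any vendor's product): a toy filter that records flows opened from inside in a state table, accepts inbound packets only as replies to those flows, and permits outbound traffic only for the listed roles (mail gateway for SMTP, internal resolver for DNS, proxy for HTTP/HTTPS, time server for NTP). The addresses and host roles are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the example; none of these come from the text.
INTERNAL = ip_network("10.0.0.0/8")
MAIL_GATEWAY = ip_address("10.0.1.25")    # the only host allowed to speak SMTP outbound
INTERNAL_DNS = ip_address("10.0.1.53")    # the only host allowed to resolve external names
PROXY = ip_address("10.0.1.80")           # users browse through this proxy
TIME_SERVER = ip_address("10.0.1.123")    # internal NTP server
NTP_PEERS = {ip_address("203.0.113.10")}  # approved external time source

# Egress rule set in the shape the text describes: (source host, allowed destinations
# or None for any, protocol, destination port). Anything not listed is dropped.
EGRESS_RULES = [
    (MAIL_GATEWAY, None, "tcp", 25),
    (INTERNAL_DNS, None, "udp", 53),
    (PROXY, None, "tcp", 80),
    (PROXY, None, "tcp", 443),
    (TIME_SERVER, NTP_PEERS, "udp", 123),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags such as {"SYN"}; empty for UDP


class StatefulFirewall:
    """Default-deny packet filter with a connection (state) table."""

    def __init__(self, rules):
        self.rules = rules
        # Flows initiated from inside, keyed (src, sport, dst, dport, proto).
        self.state = set()

    def _egress_allowed(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for rule_src, rule_dsts, proto, dport in self.rules:
            if (src == rule_src and pkt.proto == proto and pkt.dport == dport
                    and (rule_dsts is None or dst in rule_dsts)):
                return True
        return False   # no explicit allow: the default rule is deny

    def filter(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet, updating the state table."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src in INTERNAL and dst not in INTERNAL:          # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if not self._egress_allowed(pkt):
                return "DROP"
            if pkt.proto != "tcp" or "SYN" in pkt.flags:     # new flow: record it
                self.state.add(key)
            return "ACCEPT" if key in self.state else "DROP"
        if dst in INTERNAL and src not in INTERNAL:          # inbound
            # Accept only replies to a flow that an inside host opened.
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if reverse not in self.state:
                return "DROP"
            if "RST" in pkt.flags:                            # peer tore the flow down
                self.state.discard(reverse)
            return "ACCEPT"
        return "DROP"   # neither inside-to-outside nor outside-to-inside


def demo():
    """Run constructed flows through the filter; returns {label: verdict}."""
    fw = StatefulFirewall(EGRESS_RULES)
    web, bad, ext_dns = "198.51.100.7", "198.51.100.9", "198.51.100.53"
    return {
        # proxy opens HTTPS; the server's SYN-ACK matches the state table
        "proxy_syn": fw.filter(Packet(str(PROXY), web, "tcp", 40000, 443, frozenset({"SYN"}))),
        "proxy_reply": fw.filter(Packet(web, str(PROXY), "tcp", 443, 40000, frozenset({"SYN", "ACK"}))),
        # unsolicited inbound SYN-ACK to a workstation: nothing in the table
        "unsolicited": fw.filter(Packet(web, "10.0.2.15", "tcp", 443, 40001, frozenset({"SYN", "ACK"}))),
        # compromised workstation phoning home over SMTP and over direct HTTPS
        "ws_smtp": fw.filter(Packet("10.0.2.15", bad, "tcp", 40002, 25, frozenset({"SYN"}))),
        "ws_https": fw.filter(Packet("10.0.2.15", web, "tcp", 40003, 443, frozenset({"SYN"}))),
        # the internal resolver may query outside; the time server may not use an unapproved peer
        "dns": fw.filter(Packet(str(INTERNAL_DNS), ext_dns, "udp", 5353, 53)),
        "ntp_unapproved": fw.filter(Packet(str(TIME_SERVER), "198.51.100.123", "udp", 123, 123)),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:15s} {verdict}")
```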

Perimeters may contain proxy firewalls or other servers that act as a control point for
Web browsing, e-mail, P2P, and other communications. Those firewalls and servers
frequently are used to enforce the institution’s security policy over incoming
communications. Enforcement is through anti-virus, anti-spyware, and anti-spam
filtering, the blocking of downloading of executable files, and other actions. To the
extent that filtering is done on a signature basis, frequent updating of the signatures
may be required, as had been explained earlier.

Perimeter servers also serve to inspect outbound communications for compliance with
the institution’s security policy. Perimeter routers and firewalls can be configured to
enforce policies that forbid the origination of outbound communications from certain
computers. Additionally, proxy servers could be configured to identify and block
customer data and other data that should not be transmitted outside the security
domain.

b) Intrusion Detection Systems (IDS)

The goal of an IDS is to identify malicious or abnormal network traffic in near real time.
Most IDSs use signatures to detect port scans, malware, and other abnormal network
communications. The ideal placement of an IDS is external to the organization as well
as internally, just behind the firewall. This would enable a bank to view the traffic
approaching the organization as well as the traffic that successfully passed through the
firewall. In addition, there will be visibility of internal traffic trying to communicate
externally to the network, which is particularly useful for situations where malicious
activity originates from inside the firewall.
To use a network IDS (NIDS) effectively, an institution should have a sound
understanding of the detection capability and the effect of placement, tuning, and other
network defences on the detection capability.
The signature-based detection methodology reads network packets and compares the
content of the packets against signatures, or unique characteristics, of known attacks.
When a match is recognized between current readings and a signature, the IDS
generates an alert. A weakness in the signature-based detection method is that a
signature must exist for an alert to be generated. Signatures are written either to
capture known exploits or to alert to suspected vulnerabilities. Vulnerability-based
detection is generally broad based, alerting on many exploits for the same vulnerability
and potentially alerting on exploits that are not yet known. This is not the case with
exploit-based signatures, which may be based on specific exploits only and may not
alert when a new or previously unknown exploit is attempted.

This problem can be particularly acute if the institution does not continually update its
signatures to reflect lessons learned from attacks on itself and others, as well as
developments in attack tool technologies. It can also pose problems when the
signatures only address known attacks. Another weakness is in the capacity of the
NIDS to read traffic. If the NIDS falls behind in reading network packets, traffic may be
allowed to bypass the NIDS. Such traffic may contain attacks that would otherwise
cause the NIDS to issue an alert.

The anomaly-based detection method generally detects deviations from a baseline.
The baseline can be either protocol-based or behaviour-based. The protocol-based
baseline detects differences between the detected packets for a given protocol and the
Internet’s RFCs (Requests for Comment) pertaining to that protocol. For example, a
header field could exceed the RFC-established expected size.

The behaviour-based anomaly detection method creates a statistical profile of normal
activity on the host or network. Normal activity generally is measured based on the
volume of traffic, protocols in use, and connection patterns between various devices.
Benchmarks for activity are established based on that profile. When current activity
exceeds the identified boundaries, an alert is generated. Weaknesses in this system
involve the ability of the system to accurately model activity, the relationship between
valid activity in the period being modelled and valid activity in future periods, and the
potential for malicious activity to take place while the modelling is performed. This
method is best employed in environments with predictable, stable activity.
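The three detection methods just described, as an added example (not the text's own code): a miniature NIDS in Python that runs exploit-style signatures and an RFC 1035 label-length check over constructed packet records, and builds a per-host behavioural baseline from a constructed "normal" period. The signatures, sample traffic and the alert threshold (mean plus three standard deviations) are assumptions for the example.

```python
import re
from statistics import mean, pstdev

# Exploit-style signatures (constructed for the example): each alerts only on the
# specific payload characteristic it encodes, which is the weakness the text notes.
SIGNATURES = {
    "http-etc-passwd": re.compile(rb"/etc/passwd"),
    "http-dir-traversal": re.compile(rb"(\.\./){2,}"),
}
DNS_MAX_LABEL = 63   # RFC 1035: a single DNS label is at most 63 octets


def signature_alerts(pkt):
    """Signature-based detection: compare payload bytes against known patterns."""
    payload = pkt.get("payload", b"")
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def protocol_alerts(pkt):
    """Protocol-based anomaly detection: flag a field that breaks the RFC limit."""
    if pkt.get("proto") != "dns":
        return []
    labels = pkt.get("qname", "").split(".")
    return ["dns-label-too-long"] if any(len(lab) > DNS_MAX_LABEL for lab in labels) else []


class BehaviourBaseline:
    """Behaviour-based anomaly detection: a statistical profile of connections per
    minute per host; alert when a minute exceeds mean + k * standard deviation."""

    def __init__(self, k=3.0):
        self.k = k
        self.limits = {}

    def train(self, history):
        """history: {host: [connections per minute, ...]} from a 'normal' period.
        Anything malicious that ran during this window is absorbed into the
        baseline, which is the weakness the text describes."""
        for host, counts in history.items():
            self.limits[host] = mean(counts) + self.k * pstdev(counts)

    def alerts(self, host, count):
        limit = self.limits.get(host)
        if limit is None:
            return ["behaviour-no-baseline"]   # an unprofiled host cannot be judged
        return ["behaviour-burst"] if count > limit else []


def run_nids(packets):
    """Apply signature and protocol checks to each record; returns {id: [alerts]}."""
    return {p["id"]: signature_alerts(p) + protocol_alerts(p) for p in packets}


# Constructed sample traffic records (not captured data).
SAMPLE_PACKETS = [
    {"id": 1, "proto": "http", "src": "198.51.100.7", "payload": b"GET /index.html HTTP/1.1"},
    {"id": 2, "proto": "http", "src": "198.51.100.9", "payload": b"GET /../../../etc/passwd HTTP/1.1"},
    {"id": 3, "proto": "dns", "src": "10.0.2.15", "qname": "www.example.com"},
    {"id": 4, "proto": "dns", "src": "10.0.2.15", "qname": "a" * 70 + ".example.com"},
]
# Six quiet minutes of history for one workstation (mean 5, limit about 7.4).
SAMPLE_HISTORY = {"10.0.2.15": [4, 5, 6, 5, 4, 6]}


def demo():
    """Returns the alerts raised for the sample packets and for three host-minutes:
    a burst (such as a port scan), a busy-but-normal minute, and an unprofiled host."""
    baseline = BehaviourBaseline(k=3.0)
    baseline.train(SAMPLE_HISTORY)
    return {
        "packets": run_nids(SAMPLE_PACKETS),
        "burst": baseline.alerts("10.0.2.15", 40),
        "busy": baseline.alerts("10.0.2.15", 7),
        "unknown": baseline.alerts("10.0.9.9", 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```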

Anomaly detection can be an effective supplement to signature-based methods by
signalling attacks for which no signature yet exists. Proper placement of NIDS sensors
is a strategic decision determined by the information the bank is trying to obtain.
Placement outside the firewall will deliver IDS alarms related to all attacks, even those
that are blocked by the firewall. With this information, an institution can develop a
picture of potential adversaries and their expertise based on the probes they issue
against the network.

Because the placement is meant to gain intelligence on attackers rather than to alert on
attacks, tuning generally makes the NIDS less sensitive than if it is placed inside the
firewall. A NIDS outside the firewall will generally alert on the greatest number of
unsuccessful attacks while NIDS monitoring behind the firewall is meant to detect and
alert on hostile intrusions. Multiple NIDS units can be used, with placement determined
by the expected attack paths to sensitive data. In general, the closer the NIDS is to
sensitive data, the more important the tuning, monitoring, and response to NIDS alerts.
It is generally recommended that NIDS be placed at any location where network
traffic from external entities is allowed to enter controlled or private networks.

“Tuning” refers to the creation of signatures and alert filters that can distinguish
between normal network traffic and potentially malicious traffic, together with the
creation and implementation of different alerting and logging actions based on the
severity of the perceived attack. Proper tuning is essential both to reliable detection of
attacks and to enabling a priority-based response. If an IDS is not properly tuned, the
volume of alerts it generates may degrade the intrusion identification and response
capability.

Switched networks pose a problem for a network IDS since the switches ordinarily do
not broadcast traffic to all ports while NIDS may need to see all traffic to be effective.
When switches do not have a port that receives all traffic, a bank may have to alter its
network to include a hub or other device to allow the IDS to monitor traffic. Encryption
poses a potential limitation for a NIDS. If traffic is encrypted, the NIDS’s effectiveness
may be limited to anomaly detection based on unencrypted header information. This
limitation can be overcome by decrypting packets within the IDS at rates
commensurate with the flow of traffic. Decryption is a device-specific feature that may
not be incorporated into all NIDS units.

All NIDS detection methods result in false positives (alerts where no attack exists) and
false negatives (no alert when an attack does take place). While false negatives are
obviously a concern, false positives can also hinder detection. When security personnel
are overwhelmed with the number of false positives, their review of NIDS reports may
be less effective thereby allowing real attacks to be reported by the NIDS but not
suitably acted upon. Additionally, they may tune the NIDS to reduce the number of false
positives, which may increase the number of false negatives. Risk-based testing is
necessary in this regard to ensure the detection capability is adequate.

c) Network Intrusion Prevention Systems

Network Intrusion Prevention Systems (NIPS) are an access control mechanism that
allow or disallow access based on an analysis of packet headers and packet payloads.
They are similar to firewalls because they are located in the communications line,
compare activity to pre-configured decisions of the type of packets to filter or block, and
respond with pre-configured actions. IPS units generally detect security events in a
manner similar to IDS units and are subject to the same limitations. After detection,
however, IPS units have the capability to take actions beyond simple alerting to
potentially malicious activity and logging of packets, such as blocking traffic flows from an
offending host. The ability to sever communications can be useful when the activity can
clearly be identified as malicious. When the activity cannot be clearly identified, for
example where a false positive may exist, IDS-like alerting commonly is preferable to
blocking. Although IPS units are access control devices, many of these units implement
a security model that is different from firewalls. Firewalls typically allow only the traffic
necessary for business purposes, or only “known good” traffic. IPS units typically are
configured to disallow traffic that triggers signatures, or “known bad” traffic, while
allowing all else. However, IPS units can be configured to more closely mimic a device
that allows only “known good” traffic. IPS units also contain a “white list” of IP
addresses that should never be blocked. The list helps ensure that an attacker cannot
achieve a denial of service by spoofing the IP of a critical host.

d) Quarantine

Quarantining a device protects the network from potentially malicious code or actions.
Typically, a device connecting to a security domain is queried for conformance to the
domain’s security policy. If the device does not conform, it is placed in a restricted part
of the network until it does conform. For example, if the patch level is not current, the
device is not allowed into the security domain until the appropriate patches are
downloaded and installed.

e) DNS Placement

Effective protection of the institution’s DNS servers is critical to maintaining the security
of the institution’s communications. Much of the protection is provided by host security.
However, the placement of the DNS is also an important factor. The optimal placement
is split DNS, where one firewalled DNS server serves public domain information to the
outside and does not perform recursive queries, and a second DNS server, in an
internal security domain and not the DMZ, performs recursive queries for internal users.

Improving the security of networks

In addition to the above, the following are among the factors that need to be followed
for improving the security of networks:

Inventory of authorized and unauthorized devices and software.
Secure configurations/hardening for all hardware and software on
laptops, workstations, servers and network devices such as
firewalls, routers and switches. Configuration management begins
with well-tested and documented security baselines for various
systems. There need to be documented security baselines for all types
of information systems.
Identifying all connections to critical networks and conducting risk
analysis including the necessity for each connection. All unnecessary
connections to critical networks are to be disconnected.
Implementation of the security features recommended by device and
system vendors.
Establishing strong controls over any medium that is used as a
backdoor into the critical network. If backdoors or vendor connections
do exist in critical systems, strong authentication must be implemented
to ensure secure communications.
Implementation of internal and external intrusion detection systems, an
incident response system and 24x7 incident monitoring.
Performing technical audits including vulnerability assessment of
critical devices and networks, and any other connected networks, to
identify security concerns.
Conducting physical security surveys and assessing all remote sites
connected to the critical network to evaluate their security. Any
location that has a connection to the critical network is a target,
especially unmanned or unguarded remote sites. There is also a need
to identify and assess any source of information including remote
telephone / computer network / fiber optic cables that could be
tapped; radio and microwave links that are exploitable; computer
terminals that could be accessed; and wireless local area network
access points. Identify and eliminate single points of failure.
Establishing critical "Red Teams" to identify and evaluate possible
attack scenarios. There is a need to feed information resulting from
the "Red Team" evaluation into risk management processes to assess
the information and establish appropriate protection strategies.
Documenting network architecture and identifying systems that serve
critical functions or contain sensitive information that require additional
levels of protection.
Establishing a rigorous, ongoing risk management process.
Establishing a network protection strategy and layered security based
on the principle of defense-in-depth is an absolute necessity for
banks. This would require suitable measures to address vulnerabilities
across the hardware, operating system, middleware, database,
network and application layers. Security is not an event but a process
which requires all its various components to be functioning well
together for their effectiveness. Additionally, each layer must be
protected against other systems at the same layer. For example, to
protect against insider threat, restrict users to access only those
resources necessary to perform their job functions.
Establishing system backups and disaster recovery plans. Establish a
disaster recovery plan that allows for rapid recovery from any
emergency (including a cyber attack).
Establishing policies and conducting training to minimize the likelihood
that organizational personnel would inadvertently disclose sensitive
information regarding critical system design, operations, or security
controls through social engineering attempts. Any requests for
information by unknown persons need to be sent to a central network
security location for verification and fulfillment. People can be a weak
link in an otherwise secure network, as had been indicated earlier in
the chapter.
Network control functions should be performed by individuals
possessing adequate training and experience. Network control
functions should be separated, and the duties should be rotated on a
regular basis, where possible. Network control software must restrict
operators from performing certain functions (e.g., the ability to
amend/delete operator activity logs).
Network control software should maintain an audit trail of all operator
activities. Audit trails should be periodically reviewed by operations
management to detect any unauthorized network operations activities.
Network operation standards and protocols should be documented
and made available to the operators, and should be reviewed
periodically to ensure compliance.
Network access by system engineers should be monitored and
reviewed closely to detect unauthorized access to the network.
Another important security improvement is the ability to identify users
at every step of their activity. Some application packages use
predefined user IDs. New monitoring tools have been developed to
resolve this problem.

Remote Access:

Banks may sometimes provide employees, vendors, and others with access to the
institution’s network and computing resources through external connections. Those
connections are typically established through modems, the internet, or private
communications lines. The access may be necessary to remotely support the
institution’s systems or to support institution operations at remote locations. In
some cases, remote access may be required periodically by vendors to make
emergency programme fixes or to support a system.

Remote access to a bank’s systems provides an attacker with the opportunity to
manipulate and subvert those systems from outside the physical security perimeter.
Management should establish policies restricting remote access and be aware of
all remote-access devices attached to their systems. These devices should be
strictly controlled.

Good controls for remote access include the following actions:

Disallowing remote access by policy and practice unless a compelling business
need exists and requiring management approval for remote access
Regularly reviewing remote access approvals and rescinding those that no longer
have a compelling business justification
Appropriately configuring and securing remote access devices
Appropriately and in a timely manner patching, updating and maintaining all
software on remote access devices
Using encryption to protect communications between the access device and
the institution and to protect sensitive data residing on the access device
Periodically auditing the access device configurations and patch levels
Using VLANs, network segments, directories, and other techniques to restrict
remote access to authorized network areas and applications within the
institution
Logging remote access communications, analyzing them in a timely manner,
and following up on anomalies
Centralizing modem and Internet access to provide a consistent authentication
process, and to subject the inbound and outbound network traffic to appropriate
perimeter protections and network monitoring
Logging and monitoring the date, time, user, user location, duration, and
purpose for all remote access including all activities carried out through remote
access
Requiring a two-factor authentication process for remote access (e.g., PIN
based token card with a one-time random password generator, or token based
PKI)
Implementing controls consistent with the sensitivity of remote use. For
example, remote use to administer sensitive systems or databases may include
controls like restricting the use of the access device by policy and
configuration, requiring authentication of the access device itself and
ascertaining the trustworthiness of the access device before granting access
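The PIN plus one-time-password factor in the list above, as an added example (not the text's own code): a Python sketch of how a remote-access gateway could verify a PIN together with an RFC 4226/6238 time-based code, tolerating one step of clock drift, refusing replayed codes and logging every outcome for review. The user directory, PIN and token secret (the RFC test secret) are constructed values.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of time steps elapsed."""
    return hotp(secret, unix_time // step, digits)


class RemoteAccessAuthenticator:
    """Two-factor check for a remote-access gateway: something known (PIN) plus
    something held (the token that generates the one-time code)."""

    def __init__(self, users, step=30, window=1):
        # users: {name: (sha256 hex of PIN, token secret bytes)}; a constructed directory.
        self.users = users
        self.step = step
        self.window = window   # accept codes from +/- this many steps (clock drift)
        self.last_step = {}    # name -> highest step already accepted (replay guard)
        self.log = []          # (time, user, outcome) records for later review

    def verify(self, user, pin, otp, now=None):
        now = int(time.time()) if now is None else now
        record = self.users.get(user)
        if record is None:
            return self._deny(now, user, "unknown-user")
        pin_hash, secret = record
        if not hmac.compare_digest(pin_hash, hashlib.sha256(pin.encode()).hexdigest()):
            return self._deny(now, user, "bad-pin")
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_step.get(user, -1):
                continue   # that step's code was already used: a replay
            if hmac.compare_digest(hotp(secret, candidate), otp):
                self.last_step[user] = candidate
                self.log.append((now, user, "accept"))
                return True
        return self._deny(now, user, "bad-otp")

    def _deny(self, now, user, reason):
        self.log.append((now, user, reason))
        return False


# Constructed user directory using the RFC 4226/6238 test secret, so the codes
# can be compared with the published test vectors (counter 0 -> 755224).
TEST_SECRET = b"12345678901234567890"
USERS = {"alice": (hashlib.sha256(b"1234").hexdigest(), TEST_SECRET)}


def demo():
    """Walk through accept, replay, wrong-PIN and clock-drift cases at fixed times."""
    auth = RemoteAccessAuthenticator(USERS)
    return {
        "correct": auth.verify("alice", "1234", totp(TEST_SECRET, 59), now=59),
        "replay": auth.verify("alice", "1234", totp(TEST_SECRET, 59), now=75),
        "wrong_pin": auth.verify("alice", "0000", totp(TEST_SECRET, 90), now=90),
        # a fresh gateway accepts the previous step's code (token clock one step slow)
        "drift": RemoteAccessAuthenticator(USERS).verify("alice", "1234", hotp(TEST_SECRET, 0), now=59),
        "outcomes": [entry[2] for entry in auth.log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```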

If remote access is through modems the following steps should be taken:

Require an operator to leave the modems unplugged or disabled by default, to
enable modems only for specific and authorized external requests, and disable
the modem immediately when the requested purpose is completed
Configure modems not to answer inbound calls, if modems are for outbound
use only
Use automated callback features so the modems only call one number,
although this is subject to call forwarding schemes
Install a modem bank where the outside number to the modems uses a different
prefix than internal numbers and does not respond to incoming calls

While using TCP/IP Internet-based remote access, organizations need to establish
a virtual private network over the Internet to securely communicate data packets
over this public infrastructure. Available VPN technologies apply the Internet
Engineering Task Force (IETF) IPSec security standard. Their advantages are their
ubiquity, ease of use, inexpensive connectivity, and read, inquiry or copy only
access. Disadvantages include the fact that they are significantly less reliable than
dedicated circuits, lack a central authority, and can have troubleshooting problems.

Banks need to be aware that using VPNs to allow remote access to their systems can create holes in their security infrastructure. The encrypted traffic can hide unauthorized actions or malicious software transmitted through such channels. Intrusion detection systems and virus scanners able to decrypt the traffic for analysis, and then re-encrypt and forward it to the VPN endpoint, should be considered as controls. A good practice is to terminate all VPNs at the same endpoint, a so-called VPN concentrator, and not to accept VPNs directed at other parts of the network.
Distributed Denial of Service attacks (DDoS/DoS):

Banks providing internet banking should be responsive to unusual network traffic conditions or system performance and to sudden surges in system resource utilization, which could be an indication of a DDoS attack. Consequently, the success of any pre-emptive and reactive actions depends on the deployment of appropriate tools to effectively detect, monitor and analyze anomalies in networks and systems.

As part of the defence strategy, banks should install and configure the network security devices discussed earlier in the chapter for reasonable preventive/detective capability. Potential bottlenecks and single points of failure vulnerable to DDoS attacks could be identified through source code review, network design analysis and configuration testing. Addressing these vulnerabilities would improve the resilience of the systems.

Banks can also consider incorporating DoS attack considerations in their ISP selection process. An incident response framework should be devised and validated periodically to facilitate fast response to a DDoS onslaught or an imminent attack. Banks may also need to be familiar with the ISPs' incident response plans and suitably consider them as part of their own incident response framework. To foster better coordination, banks should establish a communication protocol with their ISPs and conduct periodic joint incident response exercises.

Implementation of ISO 27001 Information Security Management System

Commercial banks should implement Information Security Management System (ISMS) best practices for their critical functions/processes.

The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and related standards published jointly by ISO and IEC. ISO/IEC 27001 is concerned with how to establish, implement, monitor, maintain and continually improve an Information Security Management System, while ISO/IEC 27002 provides detailed guidance on the security controls that can be selected when building an ISMS. Other frameworks such as COBIT and ITIL incorporate security aspects but are mainly geared toward creating a governance framework for information and IT more generally. As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore structured the ISMS around the "Plan-Do-Check-Act" (PDCA), or Deming, cycle; later editions of the standard no longer mandate PDCA, but it remains the usual way of describing continual improvement:
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase reviews and evaluates the performance (efficiency and effectiveness) of the ISMS.
- In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
An ISMS developed and based on risk acceptance/rejection criteria, and using
third party accredited certification to provide an independent verification of the
level of assurance, is an extremely useful management tool. It offers the
opportunity to define and monitor service levels internally as well as with
contractor/partner organizations, thus demonstrating the extent to which there is
effective control of security risks.

Further, a bank should also regularly assess the comprehensiveness of its information security risk management framework by comparison to peers and to other established control frameworks and standards, including any security-related frameworks issued by reputed institutions like IDRBT or DSCI. While implementing ISO 27001 and aspects of other relevant standards, banks should be wary of a routine checklist mindset and ensure that security management is dynamic in nature, proactively scanning the environment for new threats and suitably attuned to the changing milieu.

Wireless Security

Wireless network security is a challenge because wireless networks do not have a well-defined perimeter or well-defined access points. The scope includes all wireless data communication devices such as personal computers, cellular phones and PDAs connected to a bank's internal networks.
Unlike wired networks, unauthorized monitoring and denial of service attacks can
be performed without a physical wire connection. Additionally, unauthorized
devices can potentially connect to the network, perform man-in-the- middle
attacks, or connect to other wireless devices. To mitigate those risks, wireless
networks rely on extensive use of encryption to authenticate users and devices
and to shield communications. If a bank uses a wireless network, it should
carefully evaluate the risk and implement appropriate additional controls.
Examples of additional controls may include one or more of the following:

- Treating wireless networks as untrusted networks, allowing access through protective devices similar to those used to shield the internal network from the Internet environment
- Using end-to-end encryption in addition to the encryption provided by the wireless connection
- Using strong authentication and configuration controls at the access points and on all clients
- Using an application server and dumb terminals
- Shielding the area in which the wireless LAN operates to protect against stray emissions and signal interference
- Monitoring and responding to unauthorized wireless access points and clients

All wireless Access Points / Base Stations connected to the corporate network must be registered and approved by the Information Security function of the bank. These Access Points / Base Stations need to be subjected to periodic penetration tests and audits. An up-to-date inventory of all wireless Network Interface Cards used in corporate laptop or desktop computers must be available. Access points and wireless NICs should not be installed or enabled on a bank's network without the approval of the information security function.
Banks should ensure that each wireless device connected to the network matches
an authorized configuration and security profile, with a documented owner of the
connection and a defined business need. Organizations should deny access to
those wireless devices that do not have such a configuration and profile.

Banks should ensure that all wireless access points are manageable using
enterprise management tools.
Network vulnerability scanning tools should be configured to detect wireless
access points connected to the wired network. Identified devices should be
reconciled against a list of authorized wireless access points. Unauthorized (i.e.,
rogue) access points should be deactivated.

Banks should use wireless intrusion detection systems (WIDS) to identify rogue
wireless devices and detect attack attempts and successful compromise. In
addition to WIDS, all wireless traffic should be monitored by a wired IDS as traffic
passes into the wired network.

Where a specific business need for wireless access has been identified, banks
should configure wireless access on client machines to allow access only to
authorized wireless networks.

For devices that do not have an essential wireless business purpose, organizations should consider disabling wireless access in the hardware configuration (BIOS or EFI), with password protection to lower the possibility that the user will override such configuration.
Banks should regularly scan for unauthorized or misconfigured wireless infrastructure devices, using techniques such as "war driving" to identify access points and clients accepting peer-to-peer connections. Such unauthorized or misconfigured devices should be removed from the network, or have their configurations altered so that they comply with the security requirements of the organization.

Banks should ensure all wireless traffic uses at least AES (CCMP) encryption with at least WPA2 protection; WPA3 should be used where the equipment supports it. Banks should ensure wireless networks use authentication protocols such as EAP-TLS or PEAP, which provide credential protection and mutual authentication. Banks should ensure wireless clients use strong, multi-factor authentication credentials to mitigate the risk of unauthorized access from compromised credentials.
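The reconciliation of scanned access points against the authorized inventory, and the check that each one meets the WPA2/AES floor, can be automated. The following Python script is an added example (not from the original guidelines or any vendor tool); its scan format, inventory and the BSSIDs in it are constructed for the example, standing in for the output of a WIDS, vulnerability scanner or war-driving capture.

```python
"""Added example (not from the page): reconcile a wireless scan against the
authorized access-point inventory and check each AP's security profile.

The scan format (one AP per line, key=value) and the inventory are constructed
for this example; real tooling (a WIDS, a vulnerability scanner, or a
war-driving capture) would supply the same fields in its own format."""

# Constructed authorized inventory: BSSID -> expected SSID and owner.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "BANK-CORP", "owner": "Network Ops"},
    "00:11:22:33:44:02": {"ssid": "BANK-CORP", "owner": "Network Ops"},
    "00:11:22:33:44:03": {"ssid": "BANK-GUEST", "owner": "Network Ops"},
}

# Minimum acceptable profile from the text: WPA2 or better with an AES-based cipher.
ACCEPTABLE_AUTH = {"WPA2", "WPA3"}
ACCEPTABLE_CIPHER = {"CCMP", "GCMP"}

# Constructed scan output (hypothetical format).
SCAN_OUTPUT = """\
bssid=00:11:22:33:44:01 ssid=BANK-CORP auth=WPA2 cipher=CCMP channel=36
bssid=00:11:22:33:44:02 ssid=BANK-CORP auth=WPA2 cipher=TKIP channel=6
bssid=00:11:22:33:44:03 ssid=BANK-GUEST auth=OPEN cipher=NONE channel=1
bssid=de:ad:be:ef:00:01 ssid=BANK-CORP auth=WPA2 cipher=CCMP channel=11
bssid=aa:bb:cc:dd:ee:ff ssid=Linksys auth=WPA cipher=TKIP channel=11
"""


def parse_scan(text):
    """Yield one dict per scanned AP."""
    for line in text.splitlines():
        if line.strip():
            yield dict(p.split("=", 1) for p in line.split())


def classify(ap, inventory=AUTHORIZED_APS):
    """Return a list of findings for one AP; an empty list means authorized and compliant."""
    findings = []
    known = inventory.get(ap["bssid"].lower())
    if known is None:
        # Unknown radio: an evil twin if it advertises one of our SSIDs, otherwise a plain rogue.
        corporate_ssids = {v["ssid"] for v in inventory.values()}
        findings.append("evil-twin" if ap["ssid"] in corporate_ssids else "rogue")
        return findings
    if known["ssid"] != ap["ssid"]:
        findings.append("ssid-mismatch")
    if ap["auth"] not in ACCEPTABLE_AUTH:
        findings.append("weak-auth:" + ap["auth"])
    if ap["cipher"] not in ACCEPTABLE_CIPHER:
        findings.append("weak-cipher:" + ap["cipher"])
    return findings


def reconcile(scan_text, inventory=AUTHORIZED_APS):
    """Map each seen BSSID to its findings, and list inventory APs that were not seen."""
    report = {}
    seen = set()
    for ap in parse_scan(scan_text):
        bssid = ap["bssid"].lower()
        seen.add(bssid)
        report[bssid] = classify(ap, inventory)
    missing = sorted(set(inventory) - seen)   # approved AP not seen: offline, moved, or removed
    return report, missing


if __name__ == "__main__":
    report, missing = reconcile(SCAN_OUTPUT)
    for bssid, findings in report.items():
        print(bssid, findings or ["ok"])
    print("not seen:", missing)
```

Evil twins (an unknown radio advertising the corporate SSID) are reported separately from plain rogues because the response differs: the former is an attack on clients, the latter is usually an unapproved device plugged into the wired network. Approved APs that disappear from the scan are also worth a ticket, since a missing AP may have been moved or replaced.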
Banks should disable peer-to-peer wireless network capabilities on wireless
clients, unless such functionality meets a documented business need.
Banks should disable wireless peripheral access of devices (such as Bluetooth),
unless such access is required for a documented business need.

Banks may consider configuring all wireless clients used to access other critical
networks or handle organization data in a manner so that they cannot be used to
connect to public wireless networks or any other networks beyond those
specifically allowed by the bank.

Some requirements relating to wireless LANs and the VPN used over them that may be considered:

- Access should be provided only if there is a genuine business case
- All computers with wireless LAN devices must use a Virtual Private Network (VPN) configured to drop all unauthenticated and unencrypted traffic
- Wireless implementations must maintain point-to-point hardware encryption of at least 128 bits
- Support for a hardware address, such as the MAC address, that can be registered and tracked, and support for strong user authentication that checks against an external database such as TACACS+ or RADIUS
- Implementation of mutual authentication between the user and the authentication server
- A site survey should be done before locating access points, to ensure that signals are confined within the premises as much as possible
- Communication between workstations and access points should be encrypted using dynamic session keys
Business Continuity Considerations:

Events that trigger the implementation of a business continuity plan may have
significant security implications. Depending on the event, some or all of the elements of
the security environment may change. Different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a different appetite for risk
on the part of management. Business continuity plans should be reviewed as an
integral part of the security process.

Risk assessments should consider the changing risks that appear in business
continuity scenarios and the different security posture that may be established.
Strategies should consider the different risk environment and the degree of risk
mitigation necessary to protect the institution in the event the continuity plans must be
implemented. The implementation should consider the training of appropriate personnel
in their security roles, and the implementation and updating of technologies and plans
for back-up sites and communications networks. These security considerations should
be integrated with the testing of business continuity plan implementations. More
information on “Business Continuity Planning” is provided in a separate chapter.
Information security assurance

Penetration Testing:

Penetration testing is defined as a formalized set of procedures designed to bypass the security controls of a system or organization for the purpose of testing that system's or organization's resistance to such an attack.

Penetration testing is performed to uncover the security weaknesses of a system and to determine the ways in which the system can be compromised by a potential attacker. Penetration testing can take several forms but, in general, a test consists of a series of "attacks" against a target. The success or failure of the attacks, and how the target reacts to each attack, will determine the outcome of the test.

The overall purpose of a penetration test is to determine the subject's ability to withstand an attack by a hostile intruder. As such, the tester will be using the tricks and techniques a real-life attacker might use. This simulated attack strategy allows the subject to discover and mitigate its security weak spots before a real attacker discovers them. Because a penetration test is seldom a comprehensive test of the system's security, it should be combined with other monitoring to validate the effectiveness of the security process.
Penetration testing needs to be conducted at least on an annual basis.

Audits

Auditing compares current practices against a set of policies, standards and guidelines formulated by the institution or the regulator, including any legal requirements. Bank management is responsible for demonstrating that the standards it adopts are appropriate for the institution. Audits should not only look into technical aspects but also the information security governance process.

Assessment

An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system. They may also focus on different aspects of the information system, such as one or more hosts or networks. Vulnerability assessment was explained earlier in the chapter.

The assurance work needs to be performed by appropriately trained and independent information security experts/auditors. An assessment of the strengths and weaknesses of critical internet-based applications, other critical systems and networks needs to be carried out before each initial implementation, and at least annually thereafter. Any findings need to be reported and monitored using a systematic audit remediation or compliance tracking methodology.

A bank needs to regularly assess information security vulnerabilities and evaluate the effectiveness of the existing IT security risk management framework, making any necessary adjustments to ensure emerging vulnerabilities are addressed in a timely manner. This assessment should also be conducted as part of any material change. Robust performance evaluation processes are needed to provide organizations with feedback on the effectiveness of cyber security policy and technical implementation. A sign of a mature organization is one that is able to self-identify issues, conduct root cause analyses, and implement effective corrective actions that address individual and systemic problems. Self-assessment processes that are normally part of an effective cyber security program include routine scanning for vulnerabilities, automated auditing of the network, and assessments of organizational and individual business line security-related performance.
A bank should manage the information security risk management framework on an ongoing basis as a security programme following a project management approach, addressing the control gaps in a systematic way.

General information regarding delivery channels

Provision of various electronic banking channels like ATM/debit cards, internet banking and phone banking should be made only at the option of the customer, based on a specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions from the customer. A customer should not be forced to opt for services in this regard. Banks should provide clear information to their customers about the risks and benefits of using e-banking delivery services to enable customers to decide on choosing such services.

When new operating features or functions, particularly those relating to security, integrity and authentication, are being introduced, the bank should ensure that customers have sufficient instruction and information to be able to properly utilize them.

To raise security awareness, banks should sensitize customers on the need to protect their PINs, security tokens, personal details and other confidential data.

Banks are responsible for the safety and soundness of the services and
systems they provide to their customers. Reciprocally, it is also important that
customers take appropriate security measures to protect their devices and
computer systems and ensure that their integrity is not compromised when
engaging in online banking. Customers should implement the measures
advised by their banks regarding protecting their devices or computers which
they use for accessing banking services.

In view of the constant changes occurring in the internet environment and online delivery channels, management should institute a risk monitoring and compliance regime on an ongoing basis to ascertain the performance and effectiveness of the risk management process. When risk parameters change, the risk process needs to be updated and enhanced accordingly. Re-evaluation of past risk-control measures and equations, renewed testing and auditing of the adequacy and effectiveness of the risk management process and the attendant controls and security measures taken should be conducted.

Internet banking:

Banks need to ensure suitable security measures for their web applications and take
reasonable mitigating measures against various web security risks indicated earlier in
the chapter.

Web applications should not store sensitive information in HTML hidden fields, cookies or any other client-side storage, since anything held on the client can be read and altered by the user and so cannot be relied on for the integrity of the data. The original guidance called for at least SSL v3 or EV-SSL / TLS 1.0 with 128-bit encryption for all online activity; SSL v3, TLS 1.0 and TLS 1.1 have since been formally deprecated (RFC 7568, RFC 8996) and should be disabled, with TLS 1.2 as the floor and TLS 1.3 preferred.

Re-establishment of any session after interruption should require normal user identification, authentication and authorization. Moreover, strong server-side validation should be enforced: every value that affects a transaction (source account, payee, amount, limits) must be checked against server-side records, not against what the client sent.
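To make the client-side storage and server-side validation points concrete, here is an added example (not from the original guidelines): two versions of a fund-transfer handler in plain Python, one that believes hidden form fields and one that re-derives ownership, limits and identity from server-side records. The account table, session table and form fields are constructed for the example, and no web framework is used.

```python
"""Added example (not from the page): a fund-transfer handler that trusts
client-side state versus one that re-derives everything server side.

The account records, session table and form layout are constructed for this
example; the point is the control, not a particular web framework."""

# Constructed server-side state (hypothetical): account ownership and per-transaction limits in paise.
ACCOUNTS = {
    "ACC-1001": {"owner": "cust-A", "limit_paise": 50_000_00},
    "ACC-2002": {"owner": "cust-B", "limit_paise": 5_00_000_00},
}
SESSIONS = {"sess-7f3a": "cust-A"}     # authenticated session id -> customer


class TransferRejected(Exception):
    pass


def transfer_trusting_client(form):
    """Vulnerable pattern: 'from_account', 'owner' and 'limit_paise' arrive as
    hidden form fields and are believed. Editing the HTML in the browser is
    enough to debit another customer's account or lift the limit."""
    amount = int(form["amount_paise"])
    if amount > int(form["limit_paise"]):
        raise TransferRejected("over limit")
    return {"from": form["from_account"], "to": form["payee"],
            "amount_paise": amount, "debited_customer": form["owner"]}


def transfer_server_validated(session_id, form):
    """Hardened pattern: only the customer's intent (source account id, payee,
    amount) comes from the client. Identity comes from the authenticated
    session; ownership and limits come from server-side records."""
    customer = SESSIONS.get(session_id)
    if customer is None:
        raise TransferRejected("no authenticated session")   # re-authenticate after any interruption
    account = ACCOUNTS.get(form.get("from_account"))
    if account is None or account["owner"] != customer:
        raise TransferRejected("source account not owned by customer")
    try:
        amount = int(form["amount_paise"])
    except (KeyError, ValueError):
        raise TransferRejected("malformed amount")
    if amount <= 0 or amount > account["limit_paise"]:
        raise TransferRejected("amount outside permitted range")
    payee = form.get("payee", "")
    if not (payee.isalnum() and 6 <= len(payee) <= 20):      # server-side input validation
        raise TransferRejected("malformed payee")
    return {"from": form["from_account"], "to": payee,
            "amount_paise": amount, "debited_customer": customer}


def is_rejected(handler, *args):
    """True if the handler refuses the request."""
    try:
        handler(*args)
    except TransferRejected:
        return True
    return False


if __name__ == "__main__":
    honest = {"from_account": "ACC-1001", "payee": "ACC9999", "amount_paise": "1000000"}
    tampered = dict(honest, from_account="ACC-2002", owner="cust-B",
                    limit_paise="999999999", amount_paise="900000000")
    print("vulnerable handler debits:", transfer_trusting_client(tampered)["debited_customer"])
    print("hardened handler rejects tampering:", is_rejected(transfer_server_validated, "sess-7f3a", tampered))
```

The hardened handler never reads who the customer is or what they may spend from the request; those facts exist only on the server, so the most a tampered form can do is produce a rejection.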

Banks need to follow a defense in depth strategy by applying robust security measures across various technology layers.

Authentication practices for internet banking:

Authentication methodologies involve three basic "factors":

- Something the user knows (e.g., password, PIN);
- Something the user has (e.g., ATM card, smart card); and
- Something the user is (e.g., a biometric characteristic, such as a fingerprint).
Properly designed and implemented multifactor authentication methods are more
reliable and stronger fraud deterrents and are more difficult to compromise. The
principal objectives of two-factor authentication are to protect the confidentiality of
customer account data and transaction details as well as enhance confidence in
internet banking by combating various cyber attack mechanisms like phishing,
keylogging, spyware/malware and other internet-based frauds targeted at banks and
their customers.

Implementation of two-factor authentication and other security measures for internet banking:

In view of the proliferation of cyber attacks and their potential consequences, banks should implement two-factor authentication for fund transfers through internet banking.

The implementation of appropriate authentication methodologies should be based on an assessment of the risk posed by the institution's Internet banking systems. The risk should be evaluated in light of the type of customer (e.g., retail or corporate/commercial), the customer's transactional capabilities (e.g., bill payment, fund transfer), the sensitivity of the customer information being communicated to the bank, and the volume of transactions involved. Beyond the technology factor, the success of a particular authentication method depends on appropriate policies, procedures and controls. An effective authentication method should take into consideration customer acceptance, ease of use, reliable performance, scalability to accommodate growth, and interoperability with other systems.

There is a legal risk in not using an asymmetric cryptosystem and hash function for authenticating electronic transactions. However, it is observed that some banks still use weak user id/password based authentication for fund transfers using internet banking. For carrying out critical transactions like fund transfers, banks, at the least, need to implement robust and dynamic two-factor authentication through a user id/password combination and a second factor such as (a) a digital signature (through a token containing a digital certificate and the associated private key), preferably for corporate customers, or (b) an OTP/dynamic access code delivered through various modes (such as SMS to a mobile phone or a hardware token). To enhance online processing security, confirmatory second-channel procedures (such as telephony, SMS or email) should be applied to transactions above pre-set values, creation of new account linkages, registration of third-party payee details, changes to account details and revision of funds transfer limits. In devising these security features, the bank should take into account their efficacy and differing customer preferences for additional online protection. Based on mutual authentication protocols, customers could also authenticate the bank's web site through security mechanisms such as personal assurance messages/images, exchange of challenge-response security codes and/or secure sockets layer (SSL) server certificate verification. Extended Validation (EV-SSL) certificates were introduced as special SSL certificates that high-security web browsers used to display a web site's organizational identity clearly; note, however, that the major browsers have since removed the distinctive EV indicator from the address bar, so EV certificates no longer give customers a visible signal that differs from an ordinary certificate. It should also be noted that SSL/TLS is only designed to encrypt data in transit at the transport layer. It does not provide end-to-end security at the application layer: a browser compromised by malware sees the plaintext before it is encrypted.

An authenticated session, together with its encryption protocol, should remain intact throughout the interaction with the customer. Otherwise, in the event of interference, the session should be terminated and the affected transactions resolved or reversed out. The customer should be promptly notified of such an incident as the session is being concluded, or subsequently by email, telephone or other means.

- Changes in mobile phone number may be done only through a request at a branch
- Implementation of a virtual keyboard
- A cooling period for beneficiary addition, and SMS and e-mail alerts when new beneficiaries are added
- Customers should be advised to adopt good security precautions and practices in protecting their personal computers and to avoid conducting financial transactions from public or internet café computers

Risk-based transaction monitoring or surveillance processes need to be considered as an adjunct.
An online session would need to be automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained. This prevents an attacker from keeping an internet banking session alive indefinitely.

By definition, true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it does not constitute true multifactor authentication.
As an integral part of the two-factor authentication architecture, banks should also implement appropriate measures to minimise exposure to a middleman attack, more commonly known as a man-in-the-middle (MITM), man-in-the-browser (MITB) or man-in-the-application attack. Banks should also consider, and if deemed appropriate implement, the following control and security measures to minimise exposure to man-in-the-middle attacks:

- Specific OTPs for adding new payees: Each new payee should be authorized by the customer based on an OTP from a second channel which also shows the payee details, or by the customer's handwritten signature from a manual procedure which is verified by the bank.
- Individual OTPs for value transactions (payments and fund transfers): Each value transaction, or an approved list of value transactions above a certain rupee threshold determined by the customer, should require a new OTP.
- OTP time window: Challenge-based and time-based OTPs provide strong security because their period of validity is controlled entirely by the bank and does not depend on user behaviour. It is recommended that banks should not allow the OTP time window to exceed 100 seconds on either side of the server time, since the smaller the time window, the lower the risk of OTP misuse.
- Payment and fund transfer security: Digital signatures and key-based message authentication codes (KMAC) for payment or fund transfer transactions could be considered for the detection of unauthorized modification or injection of transaction data in a middleman attack. For this security solution to work effectively, a customer using a hardware token would need to be able to distinguish the process of generating a one-time password from the process of digitally signing a transaction. What he signs digitally must also be meaningful to him, which means the token should at least explicitly show the payee account number and the payment amount from which a hash value may be derived for the purpose of creating a digital signature. Different cryptographic keys should be used for generating OTPs and for signing transactions.
- Second channel notification / confirmation: The bank should notify the customer, through a second channel, of all payment or fund transfer transactions above a specified value determined by the customer.
- Session time-out: An online session should be automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained. This prevents an attacker from keeping an internet banking session alive indefinitely.
- SSL server certificate warning: Internet banking customers should be made aware of, and shown how to react to, SSL or EV-SSL certificate warnings.
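The OTP time window and the payment signing items above can be seen in code. The following Python block is an added example (not part of the original guidelines): it implements HOTP and TOTP as specified in RFC 4226 and RFC 6238, a server-side verifier that accepts a code only within a configurable skew (set here to the 100-second ceiling from the text) and never twice, and a keyed MAC over the payee account and amount under a key separate from the OTP seed. The seeds, the nonce field and the use of HMAC-SHA256 as the stand-in for the text's key-based MAC are assumptions of the example; a real token would compute the signature on the device after displaying the payee and amount.

```python
"""Added example (not from the page): RFC 4226/6238 one-time passwords with a
server-side acceptance window and replay guard, plus a keyed MAC over the
payee and amount so a man-in-the-browser cannot alter a signed transaction.

The seeds, the nonce field, the 100-second skew ceiling and the HMAC-SHA256
stand-in for the text's key-based MAC are this example's own assumptions."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # RFC 6238 default time step
MAX_SKEW_SECONDS = 100     # policy ceiling from the text: at most +/- 100 s around server time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class OtpVerifier:
    """Server side: accept a code only inside the policy window and only once."""

    def __init__(self, secret, digits=6, max_skew=MAX_SKEW_SECONDS):
        self.secret, self.digits = secret, digits
        self.window_steps = max_skew // STEP_SECONDS    # 100 s -> 3 steps either side
        self.last_accepted_step = -1                    # never accept an older or reused step

    def verify(self, code, server_time):
        now = server_time // STEP_SECONDS
        for step in range(now - self.window_steps, now + self.window_steps + 1):
            if step <= self.last_accepted_step:
                continue                                 # replay guard (RFC 6238 section 5.2)
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


def sign_transaction(signing_key, payee_account, amount_paise, nonce):
    """MAC over exactly what the token displayed to the customer. The key is
    separate from the OTP seed, as the text requires."""
    canonical = f"{payee_account}|{amount_paise}|{nonce}".encode()
    return hmac.new(signing_key, canonical, hashlib.sha256).hexdigest()


def verify_transaction(signing_key, payee_account, amount_paise, nonce, tag):
    """Bank side: recompute over the payee and amount actually submitted; any
    MITB edit to either field changes the canonical string and fails the check."""
    expected = sign_transaction(signing_key, payee_account, amount_paise, nonce)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 4226/6238 test seed
    print("HOTP counter 0:", hotp(seed, 0))  # RFC 4226 test vector: 755224
    v = OtpVerifier(seed)
    code = totp(seed, 1000)
    print("accepted 60 s later:", v.verify(code, 1060), "replayed:", v.verify(code, 1060))
```

The verifier loops over every step in the window but remembers the highest step it has already accepted, so a code captured by a keylogger cannot be reused even inside the 100-second window. The transaction MAC is what makes the "what you see is what you sign" requirement enforceable: the bank recomputes it over the payee and amount it actually received, so a browser that silently swaps the payee produces a tag mismatch rather than a completed transfer.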

EMERGING TECHNOLOGIES AND INFORMATION SECURITY:

Discussed below are some emerging technologies which are increasingly being
adopted/likely to be considered in the near future. However, the security concerns in
respect of such technologies need to be considered.

Virtualization

Background:

Over the last 10 years, the trend in the data center has been towards decentralization,
also known as horizontal scaling. Centralized servers were seen as too expensive to
purchase and maintain. Due to this expense, applications were moved from a large
shared server to their own physical machine. Decentralization helped with the ongoing
maintenance of each application, since patches and upgrades could be applied without
interfering with other running systems. For the same reason, decentralization improves
security since a compromised system is isolated from other systems on the network.

However, decentralization's application sandboxes come at the expense of more power consumption, more physical space and a greater management effort, which increases annual maintenance costs per machine. In addition to this maintenance overhead, decentralization decreases the efficiency of each machine, leaving the average server idle 85% of the time. Together, these inefficiencies often eliminate any savings promised by decentralization.
Virtualization is a modified solution between centralized and decentralized
deployments. Instead of purchasing and maintaining an entire computer for one
application, each application can be given its own operating system, and all those
operating systems can reside on a single piece of hardware. This provides the benefits
of decentralization, like security and stability, while making the most of a machine’s
resources.

Challenges of Virtualization

- Compatibility and support: Software developers are often not ready to guarantee fail-safe operation of all their programs in virtual machines.
- Licensing: Licences for the OS, as well as for other software, need thorough examination as far as virtualization is concerned. OS manufacturers introduce some limitations on using their products in virtual machines (especially OEM versions); such scenarios are often described in separate licence chapters. There may also be problems with software licensed by number of processors, as a virtual machine may present a different number of processors than the host system has.
- Staff training: This is currently one of the most pressing problems, as it is difficult to find dedicated virtualization experts who can deploy and maintain a virtual infrastructure. "Heavy" virtualization platforms may require serious training of the staff who will maintain them.
- Reliability: As several virtual servers run on a single physical server, failures of hardware components may affect all the virtual servers running on it. Planning and implementing disaster recovery strategies to ensure the reliability of the virtual infrastructure is the appropriate response.

Addressing security issues in virtualization:

There is a misconception that if we virtualize, let's say, a Windows 2003 Server, that
virtualized system should be secure because it is completely separate from the VM
Server operating system and it could be potentially "protected" by VM Server. This is
not true and there are a lot of aspects one needs to know about virtualization security.

The ultimate attack on a virtual host system would be for a guest system to run
malicious code allowing it to gain elevated privilege and gain access to the underneath
VM Server. If the malicious code could create a new "phantom" virtual machine that
could be controlled by the attacker, they would have full access to the virtual host and
all virtual guests. With this form of "hyperjacking", the attacker would be invisible to
traditional virtualization management software and security tools. From there, the
attacker would perform a DoS (denial of service) attack by overloading the virtual guest
systems.

The below covers full virtualization environments that are most commonly used in
servers. A few major indicative measures are provided below. Additionally, detailed
vendor recommended security measures may be followed.

a. Securing the virtualization platform - Privileged partition operating system hardening: (i) Limit VM resource use: set limits on the use of resources (e.g., processors, memory, disk space, virtual network interfaces) by each VM so that no one VM can monopolize resources on a system. (ii) Ensure time synchronization: ensure that host and guests use synchronized time for investigative and forensic purposes.

b. Unnecessary programmes and services: all unnecessary programs should be uninstalled, and all unnecessary services should be disabled.

c. The host OS must be patched regularly and in a timely fashion to ensure that the host OS is protecting the system itself and the guest OSs properly. In addition, the same patching requirements apply to the virtualization software.

d. Partitioning and resource allocation space restrictions: volumes or disk partitioning should be used to prevent inadvertent denials of service from virtual machines (guest operating systems, OSs) filling up available space allocations, and to allow role-based access controls to be placed individually on each virtual machine (guest OS).

e. Disconnect unused physical devices: individual VMs can be configured to directly or indirectly control peripheral devices attached to the host system. VMs should be configured by default to disable such connections. Connections to peripheral devices should be enabled only when necessary.
f. Virtual devices: ensure that virtual devices for guest
OSs are associated with the appropriate physical devices on the
host system, such as the mapping between virtual network
interface cards (NICs) to the proper physical NICs.

g. File sharing should not be allowed between


host and guest OSs: while it might be convenient to enable
the sharing of system files between the host and guest OSs,
allowing such introduces an unacceptable risk of a guest OS
possibly maliciously changing a host OS file.

h. Just as with physical servers, virtual systems need to be


regularly backed-up for error recovery.

i. Carrying out logging and auditing is critical along with


correlating server and network logs across virtual and physical
infrastructures to reveal security vulnerabilities and risk

J. Network access for the host OS should be restricted to


management services only, and, if necessary, network access to
storage (iSCSI).

K. A firewall should ideally be placed on the host OS to protect


the system, or a firewall should at least be local to a small
number of systems for protection purposes, with access allowed
only for management purposes. Additionally, the firewall should
restrict access to only those systems authorized to manage the
virtual infrastructure

l. Guest operating system hardening - Minimize


number of accounts- guests should have accounts necessary for
running each VM only with passwords that are strong, hard to
guess, changed frequently, and only provided to staff that must
have access. Separate credentials should be used for access to
each guest OS; credentials should not shared across guest OSs,
and should not be the same as used for access to the host OS

m. The guest OS should be protected by a firewall running on


the host OS, or at least running locally (i.e., local to a small
number of systems for protection purposes). Firewall needs to
discriminate against inappropriate and/or malicious traffic using
networking communications effective for the environment (e.g., if
bridging is used instead of routing).
n. Consider using introspection capabilities to monitor the
security of activity occurring between guest OSs. This is
particularly important for communications that in a non-
virtualized environment were carried over networks and
monitored by network security controls (such as network
firewalls, security appliances, and network IDS/IPS sensors).
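As an added example (not from this document or from any vendor's hardening guide), the following Python script checks a libvirt/KVM guest definition against measures (a)(i), (e), (f) and (g) above. The two domain XML samples and the approved-bridge list are constructed for illustration; the element names follow the public libvirt domain XML schema.

```python
import xml.etree.ElementTree as ET

# Bridges that guest NICs are allowed to attach to (assumed site policy, constructed).
APPROVED_BRIDGES = {"br-prod", "br-mgmt"}


def audit_domain(xml_text, approved_bridges=APPROVED_BRIDGES):
    """Return a list of findings for one guest; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    findings = []

    # (a)(i) Resource limits: a memory hard_limit and a bounded CPU allocation
    # stop one guest from monopolizing the host.
    if root.find("./memtune/hard_limit") is None:
        findings.append("no memtune/hard_limit: guest memory is not capped")
    if root.find("./vcpu") is None:
        findings.append("no vcpu element: CPU allocation is not bounded")
    if root.find("./cputune/quota") is None and root.find("./cputune/shares") is None:
        findings.append("no cputune quota/shares: guest CPU time is not bounded")

    # (e) Unused physical devices: host-device passthrough and USB redirection give
    # the guest direct access to host peripherals and should be off by default.
    for dev in root.findall("./devices/hostdev"):
        findings.append(f"hostdev passthrough present (mode={dev.get('mode')})")
    for dev in root.findall("./devices/redirdev"):
        findings.append(f"USB redirection device present (bus={dev.get('bus')})")

    # (f) Virtual-to-physical NIC mapping: every interface must be a bridge
    # interface on an approved bridge so traffic lands on the intended physical NIC.
    for iface in root.findall("./devices/interface"):
        src = iface.find("source")
        bridge = src.get("bridge") if src is not None else None
        if iface.get("type") != "bridge" or bridge not in approved_bridges:
            findings.append(f"interface type={iface.get('type')} bridge={bridge} not approved")

    # (g) Host/guest file sharing: a <filesystem> device exposes a host directory.
    for fs in root.findall("./devices/filesystem"):
        src = fs.find("source")
        path = src.get("dir") if src is not None else "?"
        findings.append(f"host directory shared with guest: {path}")

    return findings


# Constructed sample: a guest that violates several of the measures above.
WEAK_GUEST = """<domain type='kvm'>
  <name>weak-guest</name>
  <memory unit='KiB'>4194304</memory>
  <devices>
    <interface type='network'><source network='default'/></interface>
    <hostdev mode='subsystem' type='usb'><source><vendor id='0x1234'/></source></hostdev>
    <filesystem type='mount'><source dir='/srv/share'/><target dir='share'/></filesystem>
  </devices>
</domain>"""

# Constructed sample: the same guest after hardening.
HARDENED_GUEST = """<domain type='kvm'>
  <name>hardened-guest</name>
  <memory unit='KiB'>4194304</memory>
  <memtune><hard_limit unit='KiB'>4718592</hard_limit></memtune>
  <vcpu placement='static'>2</vcpu>
  <cputune><shares>1024</shares><period>100000</period><quota>200000</quota></cputune>
  <devices>
    <interface type='bridge'><source bridge='br-prod'/><model type='virtio'/></interface>
  </devices>
</domain>"""

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_GUEST), ("hardened", HARDENED_GUEST)):
        print(f"{label}: {len(audit_domain(xml_text))} finding(s)")
        for finding in audit_domain(xml_text):
            print("  -", finding)
```

On a real host the XML would come from `virsh dumpxml <domain>`; the checker only reads the definition and changes nothing.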

Cloud Computing

Background: A computing environment owned by one company is shared with client companies through a web-based service over the Internet, which hosts all the programs needed to run everything from e-mail to word processing to complex data analysis programs. This is called cloud computing.

The term cloud computing probably comes from the use of a cloud image to represent
the Internet or some large networked environment. We don’t care much what’s in the
cloud or what goes on there except that we get the services we require. Service may
include software, platform or infrastructure.

At the backend, cloud computing can make use of virtualization and grid computing. In grid computing, networked computers are able to access and use the resources of every other computer on the network.

Cloud Computing Concerns

Perhaps the biggest concerns about cloud computing are security and privacy. The
idea of handing over important data to another company worries some people.
Corporate executives might hesitate to take advantage of a cloud computing system
because they can't keep their company's information under lock and key.

Privacy is another matter. If a client can log in from any location to access data and
applications, it's possible the client's privacy could be compromised. Cloud computing
companies will need to find ways to protect client privacy by implementing reliable
authentication techniques.

A cloud computing system must ensure backup of all its clients' information.

Some questions regarding cloud computing are more legal. Does the user or company
subscribing to the cloud computing service own the data? Does the cloud computing
system, which provides the actual storage space, own it? Is it possible for a cloud
computing company to deny a client access to that client's data? Several companies,
law firms and universities are debating these and other questions about the nature of
cloud computing. Thus, there are issues relating to data security and privacy,
compliance and legal/contractual issues.

A few examples of cloud computing risks that need to be managed include:

Enterprises need to be particular in choosing a provider. Reputation, history and sustainability should all be factors to consider. Sustainability is of particular importance to ensure that services will be available and data can be tracked.

The cloud provider often takes responsibility for information handling, which is a critical part of the business. Failure to perform to agreed-upon service levels can impact not only confidentiality but also availability, severely affecting business operations.

The dynamic nature of cloud computing may result in confusion as to where information actually resides. When information retrieval is required, this may create delays.

The geographical location of data storage and processing is not definite, unlike a traditional data centre. Trans-border data flows, business continuity requirements, log retention, data retention and audit trails are among the issues that contribute to compliance challenges in a cloud computing environment.

Third-party access to sensitive information creates a risk of compromise of confidential information. In cloud computing, this can pose a significant threat to ensuring the protection of intellectual property (IP), trade secrets and confidential customer information.

The contractual issues in cloud services can relate to ownership of intellectual property, unilateral contract termination, vendor lock-in, fixing liability and obligations of cloud service providers, exit clause, etc.

Public clouds allow high-availability systems to be developed at service levels often impossible to create in private networks, except at extraordinary costs. The downside to this availability is the potential for commingling of information assets with other cloud customers, including competitors. Compliance with regulations and laws in different geographic regions can be a challenge for enterprises. At this time there is little legal precedent regarding liability in the cloud. It is critical to obtain proper legal advice to ensure that the contract specifies the areas where the cloud provider is responsible and liable for ramifications arising from potential issues.

Due to the dynamic nature of the cloud, information may not immediately be located in the event of a disaster. Business continuity and disaster recovery plans must be well documented and tested. The cloud provider must understand the role it plays in terms of backups, incident response and recovery. Recovery time objectives should be stated in the contract.

Service providers must demonstrate the existence of effective and robust security controls, assuring customers that their information is properly secured against unauthorized access, change and destruction. Key questions to decide are: Which employees (of the provider) have access to customer information? Is segregation of duties between provider employees maintained? How is different customers' information segregated? What controls are in place to prevent, detect and react to breaches?

IS AUDIT

Introduction:

In the past decade, with the increased technology adoption by Banks, the complexities
within the IT environment have given rise to considerable technology related risks
requiring effective management.

This led banks to implement an Internal Control framework based on various standards, their own control requirements and the current RBI guidelines. As a result, a bank's management and RBI need assurance on the effectiveness of the internal controls implemented, and expect IS Audit to provide an independent and objective view of the extent to which the risks are managed.

As a consequence, the nature of the Internal Audit department has undergone a major
transformation and IS audits are gaining importance as key processes are automated,
or enabled by technology. Hence, there is a need for banks to re-assess the IS Audit
processes and ensure that IS Audit objectives are effectively met.

The scope of IS Audit includes:

Determining effectiveness of planning and oversight of IT activities

Evaluating adequacy of operating processes and internal controls

Determining adequacy of enterprise-wide compliance efforts, related to IT policies and internal control procedures

Identifying areas with deficient internal controls, recommending corrective action to address deficiencies and following up, to ensure that the management effectively implements the required actions

Following areas have been covered under this chapter:

IS Audit: The organisation's structure, roles and responsibilities. The chapter identifies the IS Audit stakeholders, defines their roles, responsibilities and competencies required to adequately support the IS Audit function

Audit Charter or Policy (to be included in the IS Audit): This point addresses the need to include IS Audit as a part of the Audit Charter or Policy

Planning an IS Audit: This point addresses planning for an IS Audit, using a Risk Based Audit Approach. It begins with an understanding of IT risk assessment concepts and methodology, and defines the IS Audit Universe, scoping and planning an audit execution

Executing an IS Audit: This describes steps for executing the audit, covering activities such as understanding the business process and IT environment, refining the scope and identifying internal controls, testing for control design and control objectives, appropriate audit evidence, documentation of work papers and conclusions of tests performed

Reporting and Follow-up: Describes the audit summary and memorandum, the requirements for discussing findings with the management, finalising and submitting reports, carrying out follow-up procedures, archiving documents and ensuring continuous auditing

Quality Review: This addresses the quality aspects which ensure supervision and exercising due care.

Role and Responsibilities / Organisational structure


Board of Directors and Senior Management

Board of Directors and senior management are responsible for ensuring that an institution's system of internal controls operates effectively. One important element of an effective internal control system is an internal audit function that includes adequate IT coverage. To meet its responsibility of providing an independent audit function with sufficient resources to ensure adequate IT coverage, the Board, or its Audit Committee, should enable an internal audit function capable of evaluating IT controls adequately.

Audit Committee of the Board

An institution's board of directors establishes an "Audit Committee" to oversee audit functions and to report on audit matters periodically to the Board of Directors. Banks should ensure that the Audit Committee is composed of adequately skilled members to manage the complexity of IS Audit oversight.

A designated member of the Audit Committee needs to possess knowledge of Information Systems, related controls and audit issues. The designated member should also have the competence to understand the ultimate impact of deficiencies identified in the IT internal control framework by the IS Audit. The committee should devote appropriate time to findings identified during IS Audits, and members of the Audit Committee need to review critical issues highlighted and provide appropriate guidance to the bank's management.

As a part of its overall responsibilities, the committee should also be ultimately responsible for the following IS Audit areas:

Bank's compliance with legal and regulatory requirements such as (among others) Information Technology Act-2000, Information Technology (Amendment) Act-2008, Banker's Books (Evidence) Act-1891, The Banking Regulation Act-1949, Reserve Bank of India Act-1934 and RBI circulars and guidelines

Appointment of the IS Audit Head

Performance of IS Audit

Evaluation of significant IS Audit issues

(A Board or its Audit Committee members should seek training to fill any gaps in the knowledge, related to IT risks and controls.)

Internal Audit/Information System Audit function

Internal Audit is a part of the Board's assurance process with regard to the integrity and effectiveness of systems and controls. It is an independent group that reports
directly to the Audit Committee or the Board of Directors. IS Audit, being an integral part
of Internal Audit, requires an organisation structure with well-defined roles which needs
to function in alignment with the Internal Audit, and provide technical audit support on
key focus areas of audit or its universe, identified by an Internal Audit department. A
well-defined IS Audit organisation structure ensures that the tasks performed fulfill a
bank’s overall audit objective, while preserving its independence, objectivity and
competence.

In this regard, banks require a separate IS Audit function within an Internal Audit department, led by an IS Audit Head reporting to the Head of Internal Audit or Chief Audit Executive (CAE). The IS Audit Head needs to assume overall responsibility and accountability for IS Audit functions. Where the bank leverages external resources for conducting IS Audit in areas where skills are lacking, the responsibility and accountability for such external IS Audits still remain with the IS Audit Head and CAE.

Critical Components and Processes

Because IS Audit is an integral part of Internal Audit, IS auditors are also required to be independent, competent and to exercise due professional care.

Independence: IS Auditors should act independently of the bank's management. In matters related to the audit, the IS Audit should be independent of the auditee, both in attitude and appearance. The Audit Charter or Policy, or engagement letter (in case of an external professional service provider), should address independence and accountability of the audit function. In case independence is impaired (in fact or appearance), details of the impairment should be disclosed to the Audit Committee or Board. Independence should be regularly assessed by the Audit Committee. In case of rotation of audit staff members from the IT department to IS Audit, care should be taken to ensure that the past role of such individuals does not impact their independence and objectivity as an IS Auditor.

Additionally, to ensure independence for the IS Auditors, banks should make sure that:

Auditors have access to information and applications

Auditors have the right to conduct independent data inspection and analysis

Competence: IS Auditors should be professionally competent, having skills, knowledge, training and relevant experience. They should be appropriately qualified, have professional certifications and maintain professional competence through professional education and training. As IT encompasses a wide range of technologies, IS Auditors should possess skills that are commensurate with the technology used by a bank. They should be competent audit professionals with sufficient and relevant experience. Qualifications such as CISA (offered by ISACA), DISA (offered by ICAI), or CISSP (offered by ISC2), along with two or more years of IS Audit experience, are desirable. Similar qualification criteria should also be insisted upon in case of outsourced professional service providers.

Due Professional Care: IS Auditors should exercise due professional care, which
includes following the professional auditing standards in conducting the audit. The IS
Audit Head should deal with any concerns in applying them during the audit. IS
Auditors should maintain the highest degree of integrity and conduct. They should not
adopt methods that could be seen as unlawful, unethical or unprofessional to obtain or
execute an audit.

Outsourcing relating to IS Audit

Banks may decide to outsource execution of segments of the audit plan to external professional service providers, as per the overall audit strategy decided in co-ordination with the CAE and the Audit Committee. This may be due to inadequate staff available internally within the bank to conduct audits, or insufficient levels of skilled staff. The work outsourced shall be restricted to execution of audits identified in the plan. Banks need to ensure that the overall ownership and responsibility of the IS Audit, including the audit planning process, risk assessment and follow-up of compliance, remains within the bank. External assistance may be obtained initially to put in place necessary processes in this regard.

Both the CAE and Audit Committee should ensure that the external professional service providers appointed are competent in the area of work that is outsourced and have relevant prior experience in that area.

Audit Charter, Audit Policy to include IS Audit

Audit Charter or Policy is a document, which guides and directs activities of an internal
audit function. IS Audit, being integral part of an Internal Audit department, should also
be governed by the same charter or policy. The charter should be documented to
contain a clear description of its mandate, purpose, responsibility, authority and
accountability of relevant members or officials in respect of the IS Audit (namely the IS
Auditors, management and Audit Committee) apart from the operating principles. The
IS Auditor will have to determine how to achieve the implementation of the applicable
IS Audit standards, use professional judgment in their application, and be prepared to
justify any departure therefrom.

Contents of the Audit Policy

The Policy should clearly address the aspects of responsibility, authority and accountability of the IS auditor. Aspects to be considered:

Responsibility:

Some of the aspects include:

Mission Statement
Scope or Coverage
Audit Methodology
Objectives
Independence
Relationship with External Audit
Auditee's Requirements
Critical Success Factors
Key Performance Indicators
Other Measures of Performance
Providing Assurance on Control Environment
Reviewing Controls on Confidentiality, Integrity and Availability of Data or Systems

Authority:

Includes the following:

Risk Assessment
Mandate to perform an IS Audit
Allocation of resources
Right to access the relevant information, personnel, locations and systems
Scope or limitations of scope
Functions to be audited
Auditee's expectations
Organizational structure
Gradation of IS Audit Officials or Staff

Accountability: Some of the aspects in this regard include the following:

Reporting Lines to Senior Management, Board of Directors or Designated Authority
Assignment Performance Appraisals
Personnel Performance Appraisals
Staffing or Career Development
Training and Development of Skills including maintenance of professional certification/s, continuing professional education
Auditees' Rights
Independent Quality Reviews
Assessment of Compliance with Standards
Benchmarking Performance and Functions
Assessment of Completion of the Audit Plan
Agreed Actions (e.g. penalties when either party fails to carry out responsibilities)
Co-ordinate with and provide Oversight over other control functions like risk management, security and compliance

The policy should also cover Audit Rating Methodology and Quality Assurance Reviews. There should also be an annual review of the IS Audit Policy or Charter to ensure continued relevance.

Communication with the Auditees

Effective communication with the auditees involves considering the following:

Describing a service, its scope, availability and timeliness of delivery

Providing cost estimates or budgets, if needed

Describing problems and possible resolutions

Providing adequate and accessible facilities for effective communication

Determining the relationship between the service offered and the needs of the auditee

The Audit Charter forms a basis for communication with an auditee. It should include
relevant references to service-level agreements for aspects like the following, as
applicable:
Availability for Unplanned Work

Delivery of reports

Costs

Response to Auditee’s Complaints

Quality of Service

Review of Performance

Communication with the Auditee

Needs Assessment

Control Risk Self-assessment

Agreement of Terms of Reference for Audit

Reporting Process

Agreement of Findings

Quality Assurance Process

The IS Auditor should consider establishing a quality assurance process (e.g., interviews, customer satisfaction surveys, or assignment performance surveys) to understand the auditee's expectations relevant to the function. These needs should be evaluated against the Charter, to improve the service or change the service delivery or Audit Charter, if necessary.

Engagement Letter

Engagement letters are often used for individual assignments. They set out the scope
and objectives of a relationship between an external IS audit agency and an
organisation. The letter should address the three aspects of responsibility, authority and
accountability.

The following aspects need to be considered:

Responsibility: The aspects addressed include scope, objectives, independence, risk assessment, specific auditee requirements and deliverables

Authority: The aspects to be addressed include right of access to information, personnel, locations and systems relevant to the performance of the assignment, scope or any limitations of scope, and documentary evidence or information of agreement to the terms and conditions of the engagement

Accountability: Areas addressed include designated or intended recipients of reports, auditees' rights, quality reviews, agreed completion dates and agreed budgets or fees if available

Planning an IS Audit

(a) Introduction

An effective IS Audit programme addresses IT risk exposures throughout a bank, including areas of IT management and strategic planning, data centre operations, client or server architecture, local and wide-area networks, telecommunications, physical and information security, electronic banking, applications used in banking operations, systems development, and business continuity planning.

A well-planned, properly structured audit programme is essential to evaluate risk management practices, internal control systems and compliance with policies concerning IT-related risks of every size and complexity. Effective programmes are risk-focused, promote sound IT controls, ensure timely resolution of audit deficiencies, and inform the Audit Committee of the effectiveness of Risk Management practices and internal control systems.

In the past, the Internal Audit concentrated on transaction testing, testing of accuracy and reliability of accounting records and financial reports, integrity, reliability and timeliness of control reports, and adherence to legal and regulatory requirements.

However, in the changing scenario, there is an increased need for widening, as well as
redirecting, the scope of Internal Audit to evaluate the adequacy of IT Risk
Management procedures and internal control systems. To achieve these, banks are
moving towards risk-based internal audit, which include, in addition to selective
transaction testing, an evaluation of the Risk Management systems and control
procedures prevailing in a bank’s operations.

Risk-based Internal Audit (RBIA) approach helps in planning the IS Audit. It includes the following components:

Understanding IT Risk Assessment Concepts

Adopting a suitable IT Risk Assessment Methodology, used to examine auditable units in the IS audit universe and select the areas for review with the greatest risk exposure to include in the IS Annual Plan

Steps involved are:

Step 1: System Characterisation

Step 2: Threat Identification

Step 3: Vulnerability Identification

Step 4: Control Analysis

Step 5: Likelihood Determination

Step 6: Impact Analysis

Step 7: Risk Determination

As a part of RBIA, planning the IS Audit involves the following:

Defining the IS Audit Universe: This covers the IS Audit Universe, which defines the areas to be covered

Scoping for IS Audit: This addresses the scoping requirements and includes:
Defining control objectives and activities
Considering materiality
Building a fraud risk perspective

Planning Execution of an Audit: This describes the steps of a planning process before IS Audit starts execution of the plan:
Documenting an audit plan
Nature and extent of test of control
Sampling techniques
Standards and frameworks
Resource management

The above components are clarified in the sub-sections below:

(b) Risk Based IS Audit

This internal audit approach is aimed at developing a risk-based audit plan keeping in mind the inherent risks of a business or location and the effectiveness of the control systems managing those inherent risks. In this approach, every bank business or location, including the risk management function, undergoes a risk assessment by the internal audit function.

RBI issued the “Guidance Note on Risk-based Internal Audit” in 2002 to all scheduled
commercial banks, introducing the system of “risk-based internal audit”.

The guidance note at a broad level provided the following aspects:

Development of a well-defined policy for risk-based internal audit

Adoption of a risk assessment methodology for formulating a risk-based audit plan

Development of risk profile and drawing up of risk matrix taking inherent business risk and effectiveness of the control system for monitoring the risk

Preparation of annual audit plan, covering risks and prioritization, based on level and direction of each risk

Setting up of communication channels between audit staff and management, for reporting issues that pose a threat to a bank's business

Periodic evaluation of the risk assessment methodology

Identification of appropriate personnel to undertake risk-based audit, and imparting them with relevant training

Addressing transitional and change management issues

The overall plan arrived at using the risk assessment approach enables Internal Audit to identify and examine the key business areas that have the highest exposure, and enables effective allocation of audit resources. As stated earlier, since IS Audit is an integral part of Internal Audit, IS Auditors need to focus on the IT risks related to the high-risk business areas identified by Internal Audit for review during a year. This enables IS Audit to provide assurance to the management on the effectiveness of risk management and internal controls underlying the high-risk business processes, which, when read in conjunction with the Internal Audit reports, provides a holistic view of their effectiveness.

Risk-based IS Audit needs to consider the following:

Identification of an institution's data, application, technology, facilities, and personnel

Identification of business activities and processes within each of those categories

Profiles of significant business units, departments and product lines and systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the institution

Use of a measurement or scoring system that ranks and evaluates business and control risks for business units, departments and products

Board or Audit Committee approval of risk assessments and annual Risk-based Audit Plans that establish audit schedules, cycles, work programme scope and resource allocation for each area audited

Implementation of the Audit Plan

Further, while identifying IT risks, an IS Auditor must consider the impact of non-alignment with any information security-related guidelines issued by RBI based on recommendations in Chapter 2 of this report. It should also be ensured that all systems, domains and processes, irrespective of their risk levels, are covered within a period of three years.

(c) Adopting a Suitable Risk Assessment Methodology

The IS Auditor must define, adopt and follow a suitable risk assessment methodology.
This should be in consonance with the focus on risks, to be addressed as a part of the
overall Internal Audit Strategy.

A successful risk-based IS Audit Programme can be based on an effective scoring system arrived at by considering all relevant risk factors.

Major risk factors used in scoring systems include: adequacy of internal controls, business criticality, regulatory requirements, amount or value of transactions processed, whether key customer information is held, customer-facing systems, financial loss potential, number of transactions processed, availability requirements, experience of management and staff, turnover, technical competence, degree of delegation, technical and process complexity, stability of application, age of system, training of users, number of interfaces, availability of documentation, extent of dependence on the IT system, confidentiality requirements, major changes carried out, previous audit observations and senior management oversight.

On the basis of a risk matrix of business criticality and system or residual risk, applications or systems can be graded based on where they fall on the "risk map", and their audit frequency can be decided accordingly. Banks should develop written guidelines on the use of risk assessment tools and risk factors and review these with the Audit Committee or the Board. Risk assessment guidelines will vary for banks depending on size, complexity, scope of activities, geographic diversity and technology systems used. Auditors should use the guidelines to grade major risk areas and define a range of scores or assessments (e.g., groupings such as low, medium, or high risk, or a numerical sequence such as 1 to 5).

The written risk assessment guidelines should specify the following elements:

Maximum length for audit cycles based on the risk assessment process: For example, very-high to high-risk applications can be audited at a frequency ranging from six months up to 12 months, medium-risk applications at 18 months (or below), and low-risk areas at up to 36 months. Audit cycles should not be open-ended.

Timing of risk assessments for each business area or department: While risk assessment is expected to be on an annual basis, more frequent assessments may be needed if an institution experiences rapid growth or change in operations or activities.

Documentation requirements to support risk assessment and scoring decisions

Guidelines for overriding risk assessments in special cases and the circumstances under which they can be overridden: for example, due to major changes in a system or additional regulatory or legal requirements, a medium-risk application may have to be audited more frequently.

Notwithstanding the above, IT governance and information security governance-related aspects, critical IT general controls such as data centre controls and processes, and critical business applications/systems having financial/compliance implications, including regulatory reporting, risk management, customer access (delivery channels) and MIS systems, need to be subjected to IS Audit at least once a year (or more frequently, if warranted by the risk assessment).

IS Auditors should periodically review results of internal control processes and analyse financial or operational data for any impact on a risk assessment or scoring. Accordingly, auditee units should be required to keep auditors up-to-date on major changes, such as introduction of a new product, implementation of a new system, application conversions, significant changes in organisation or staff, regulatory and legal requirements, and security incidents.
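As an added example that is not part of the original text, the following Python code turns the risk factors, risk map, audit-cycle ceilings, override rule and once-a-year rule for critical systems described above into a concrete grade and maximum audit interval per auditable unit. The factor set, the 1..5 scoring scale, the risk map and the sample units are constructed assumptions for illustration, not a prescribed RBI methodology.

```python
from dataclasses import dataclass

# Ceiling on the audit cycle per grade (months), from the guideline ranges above.
MAX_CYCLE_MONTHS = {"high": 12, "medium": 18, "low": 36}
# Every system, domain and process must be covered at least once in three years.
COVERAGE_CEILING_MONTHS = 36
GRADES = ("low", "medium", "high")

# Constructed risk map: (business criticality band, residual risk band) -> grade.
RISK_MAP = {
    ("high", "high"): "high", ("high", "medium"): "high", ("high", "low"): "medium",
    ("medium", "high"): "high", ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium", ("low", "medium"): "low", ("low", "low"): "low",
}


@dataclass
class AuditableUnit:
    name: str
    factors: dict                # factor name -> score 1..5 (assumed scale)
    control_adequacy: int        # 1 (weak controls) .. 5 (strong controls)
    critical: bool = False       # data centre, regulatory reporting, MIS, delivery channels
    major_change: bool = False   # override trigger: new system, conversion, new regulation
    override_reason: str = ""    # documented justification required for any override


def band(score):
    """Map a 1..5 score to a low/medium/high band."""
    if score >= 4:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def inherent_risk(unit):
    """Average of the scored risk factors (1..5)."""
    if not unit.factors:
        raise ValueError(f"{unit.name}: at least one scored risk factor is required")
    for name, score in unit.factors.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{unit.name}: factor {name} out of range: {score}")
    return sum(unit.factors.values()) / len(unit.factors)


def residual_risk(unit):
    """Scale inherent risk by control weakness: strong controls (5) leave 20 % of it,
    weak controls (1) leave all of it."""
    if not 1 <= unit.control_adequacy <= 5:
        raise ValueError(f"{unit.name}: control_adequacy must be 1..5")
    return inherent_risk(unit) * (6 - unit.control_adequacy) / 5


def grade(unit):
    """Position on the risk map, then the documented override rule (escalate one grade)."""
    crit = band(unit.factors.get("business_criticality", 1))
    g = RISK_MAP[(crit, band(residual_risk(unit)))]
    if unit.major_change:
        if not unit.override_reason:
            raise ValueError(f"{unit.name}: override requires a documented reason")
        g = GRADES[min(GRADES.index(g) + 1, len(GRADES) - 1)]
    return g


def audit_cycle_months(unit):
    """Maximum months between audits: never open-ended, never beyond 36 months,
    and at most 12 months for the critical systems named in the guideline."""
    months = MAX_CYCLE_MONTHS[grade(unit)]
    if unit.critical:
        months = min(months, 12)
    return min(months, COVERAGE_CEILING_MONTHS)


def annual_plan(units, horizon_months=12):
    """Units due within the planning horizon, highest grade first."""
    due = [u for u in units if audit_cycle_months(u) <= horizon_months]
    return sorted(due, key=lambda u: GRADES.index(grade(u)), reverse=True)


# Constructed sample audit universe.
UNITS = [
    AuditableUnit("core banking", {"business_criticality": 5, "transaction_value": 5,
                                   "customer_facing": 4, "regulatory_impact": 5},
                  control_adequacy=4, critical=True),
    AuditableUnit("hr leave portal", {"business_criticality": 2, "transaction_value": 1,
                                      "customer_facing": 1, "regulatory_impact": 1},
                  control_adequacy=4),
    AuditableUnit("treasury mis", {"business_criticality": 3, "transaction_value": 4,
                                   "customer_facing": 1, "regulatory_impact": 3},
                  control_adequacy=2, major_change=True,
                  override_reason="new regulatory reporting format"),
]

if __name__ == "__main__":
    for u in UNITS:
        print(f"{u.name:16} grade={grade(u):6} cycle<={audit_cycle_months(u)} months")
    print("due this year:", [u.name for u in annual_plan(UNITS)])
```

Note that "core banking" lands on a medium grade because its controls are strong, yet its cycle is capped at 12 months by the critical-systems rule, which is the interplay the guideline text describes.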

Defining the IS Audit Universe

An Audit Universe is an outcome of the risk assessment process. It defines the audit
areas to be covered by the IS Auditor. It is usually a high-level structure that identifies
processes, resources, risks and controls related to IT, allowing for a risk-based
selection of the audit areas. The IT risks faced by banks due to emerging technologies,
prioritisation of IS Audit Universe, selection of types of audits that need to be
performed, optimisation of available resources, and ensuring quality of findings, are
challenges faced by IS Audit.
The IS Audit Universe can be built around the four types of IT resources and processes: application systems, information or data, infrastructure (technology and facilities such as hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them and enables processing of applications) and people (internal or outsourced personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services).

The challenge is to provide the “right level of granularity” in the definition of the
universe, so as to make it effective and efficient.

Though this is different for every bank, below are some of the
considerations for defining IS Audits:

Using overly-broad definitions for IS Audits (e.g. IT general controls) will lead to scope creep in audit procedures. The IS Audit Head should make sure that the definition of each IS Audit is an accurate description of what is being reviewed.

The Audit Universe for a year should touch upon all layers in the IT environment. Though each IT environment is different, the layers tend to be the same. If an IS Audit plan does not include some review for each of the layers, the odds are that the plan, as a whole, is deficient.

IS Audits should be structured in such a way as to provide for effective and logical
reporting. For example: IS Audits of pervasive technologies (e.g. networks or
processes) are more effective when audited at an enterprise level.

IS Audits should address appropriate risks. In many cases, IS Audit budgets are
determined before the IT risk assessment is performed. This inevitably leads to
one of two situations:

An inadequate number of audit hours are spread over too many audits, which results in consistently poor quality audits, because there is not enough time.

Audits that should be performed are not performed because the budget does not allow it.

Scoping for IS Audit

Information gathered by the IS Auditors during IT risk assessment about the IT system
processing and operational environment, threats, vulnerabilities, impact and controls,
enables identification of the control objectives and activities to be tested for design and
implementation effectiveness and its operating effectiveness.

Scoping plays a crucial role in overall effectiveness. This is exacerbated by the need
for the IS Auditors to integrate with the process, operational or financial auditors, and
the procedures they are performing, particularly in environments with large integrated
CBS applications, where a high number of key process controls are contained within
the systems. (An illustrative list of areas which can form a part of the IS Audit scope is given in Annex-B.)

IS Audits should also cover branches, with focus on large and medium branches, in
areas such as control of passwords, user ids, operating system security, anti-malware,
maker-checker, segregation of duties, physical security, review of exception reports or
audit trails, BCP policy and or testing.

Reports and circulars issued by RBI for specific areas which also need to be covered in the IS Audit Scope:

Report of the Committee on Computer Audit (dated: April 2, 2002)

Circular on Information System Audit–A Review of Policies and Practices (dated: April 30, 2004; RBI/2004/191 DBS.CO.OSMOS.BC/ 11 /33.01.029/2003-04)

Defining Control Objectives and Activities

IT control objectives, based on well-known frameworks, can be included in the scope.
Materiality

When conducting financial statement audits, Internal Auditors measure materiality in monetary terms, since areas that are audited are also measured and reported in monetary terms. However, since IS Auditors conduct audits on non-financial items, alternative measures are required to assess materiality. Such assessments are a matter of professional judgment. They include consideration of its effect on a bank as a whole, of errors, omissions, irregularities and illegal acts, which may have happened as a result of “internal control weaknesses” in an area being audited. ISACA IS Auditing Guideline G6 specifies that if the IS Audit focus relates to systems or operations that process financial transactions, the value of assets controlled by the system(s), or the value of transactions processed per day/week/month/year, should be considered in assessing materiality. Where the focus is on systems that do not process financial transactions, the following measures should be considered:

Criticality of the business processes supported by the system or operation

Cost of system or operation (hardware, software, staff, third-party services, overheads or a combination of these)
Potential cost of errors (possibly in terms of irrecoverable development costs, cost
of publicity required for warnings, rectification costs, health and safety costs,
high wastage, etc.)

Number of accesses/transactions/inquiries processed per period

Nature, timing and extent of reports prepared, and files maintained

Service-level agreement requirements and cost of potential penalties

Penalties for failure to comply with legal and contractual requirements

IS Auditors should review the following additional areas that are critical and high risk:

IT Governance and information security governance structures and practices implemented by the Bank

Testing the controls on new development systems before implementing them in a live environment.

A pre-implementation review of application controls, including security features and controls over the change management process, should be performed to confirm that:

Controls in the existing application are not diluted while migrating data to the new application

Controls are designed and implemented to meet requirements of a bank’s policies and procedures, apart from regulatory and legal requirements

Functionality offered by the application is used to meet appropriate control objectives

A post-implementation review of application controls should be carried out to confirm that the controls as designed are implemented and are operating effectively. Periodic review of application controls should be a part of an IS audit scope, in order to detect the impact of application changes on controls. This should be coupled with review of the underlying environment–operating system, database, middleware, etc.–as weaknesses in the underlying environment can negate the effectiveness of controls at the application layer. Due care should be taken to ensure that IS Auditors have access only to the test environment for performing the procedures, and the data used for testing should be, as far as practical, a replica of the live environment.

Detailed audit of the SDLC process, to confirm that security features are incorporated into a new system or while modifying an existing system, should be carried out.

A review of processes followed by an implementation team to ensure data integrity after implementation of a new application or system, and a review of data migration from legacy systems to the new system where applicable, should be carried out.

IS Auditors may validate IT risks (identified by business teams) before launching a product or service. Review by the IS Auditor may enable the business teams to incorporate additional controls, if required, in the system before the launch.

Building Fraud Risk Perspective

In planning and performing an audit to reduce risks to a low level, the auditor should consider the risk of irregularities and illegal acts. They should maintain professional skepticism during the audit, recognising the possibility that “material misstatements due to irregularities and illegal acts” could exist, irrespective of their evaluation of the risk of irregularities and illegal acts.
IS Auditors are also required to consider and assess the risk of fraud, while performing
an audit. They should design appropriate plans, procedures and tests, to detect
irregularities, which can have a material effect on either a specific area under an audit,
or the bank as a whole. IS Auditors should consider whether internal control
weaknesses could result in material irregularities, not being prevented or detected. The
auditor should design and perform procedures to test the appropriateness of internal
control and risk of override of controls. They should be reasonably conversant with
fraud risk factors and indicators, and assess the risk of irregularities connected with the
area under audit.

In pursuance of the understanding gathered during the threat identification step of the IT Risk Assessment process, the auditors should identify control objectives and activities. These are required to be tested to address fraud risk. They should consider “fraud vulnerability assessments” undertaken by the “Fraud Risk Management Group” while identifying fraud risk factors in the IT risk assessment process. They should be aware that certain situations may increase a bank’s vulnerability to fraud risk (e.g. introduction of a new line of business, new products, new delivery channels and new applications or systems).

In preparing an audit scope, auditors should consider fraud risk factors including these:

Irregularities and illegal acts that are common to the banking industry
Corporate ethics, organisational structure, adequacy of supervision, compensation and reward structures, the extent of performance pressures
Management's behavior with regard to ethics
Employee dissatisfaction resulting from potential layoffs, outsourcing, divestiture or restructuring
Poor financial or operational performance
Risk arising out of introduction of new products and processes
Bank's history of fraud
Recent changes in management teams, operations or IT systems
Existence of assets held, or services offered, and their susceptibility to irregularities
Strength of relevant controls implemented
Applicable regulatory or legal requirements
History of findings from previous audits
Findings of reviews, carried out outside the audit, such as the findings from external auditors, consultants, quality assurance teams, or specific investigations
Findings reported by management, which have arisen during the day-to-day course of business
Technical sophistication and complexity of the information system(s) supporting the area under audit
Existence of in-house (developed or maintained) application systems, as compared with the packaged software for core business systems

Instances of fraud should be reported to appropriate bank stakeholders:

Frauds involving amounts of Rs 1 crore (and above) should be reported to the Special Committee formed to monitor and follow up large fraud cases
Other fraud cases should be reported to Fraud Review Councils or independent groups formed to manage frauds
The status of fraud cases should be reported to the Audit Committee as a part of their review of IS audit
IS Auditors should also extend necessary support to Fraud Review Councils or independent groups or Special Committees in their investigations

Planning the Execution

The IS Audit Head is responsible for the annual IS Audit Plan, prepared after
considering the risk assessment and scoping document. The plan covers overall audit
strategy, scoped areas, details of control objectives identified in the scoping stage,
sample sizes, frequency or timing of an audit based on risk assessment, nature and
extent of audit and IT resource skills availability, deployment and need for any external
expertise. A report on the status of planned versus actual audits, and any changes to the annual audit plan, needs to be presented to the Audit Committee and Senior Management on a periodic basis.

There is well-known guidance on IS Audit. The Institute of Chartered Accountants of India (ICAI), in March 2009, published the “Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment” covering requirements of the planning stage, which an auditor should follow. IIA has provided guidance on defining the IS Audit Universe, through the guide issued on “Management of IS Auditing” under the “Global Technology Audit Guide” series. ITGI has provided guidance on audit planning in its “IT Assurance Guide using COBIT”.

Suggested guidelines for implementation by banks are as follows:

Documenting the Audit Plan

The plan (either separately or as part of the overall internal audit plan) should be a formal document, approved by the Audit Committee initially and during any subsequent major changes. The plan should be prepared so that it is in compliance with any appropriate external requirements in addition to well-known IS Auditing Standards.

Audit Plan Components include:

Internal Audit Subject: Name of the Audit Subject

Nature of Audit: Compliance with legal, regulatory or standards requirements, performance metrics assessment or security configuration testing

Schedule: Period of audit and its expected duration

Scoped Systems: Identified IT resources that are in the scope based on the risk
assessment process
System Overview: Details of System Environment based on the risk assessment
process
Audit Details: Details of risks and controls identified, based on the risk assessment
process
Nature and Extent of Tests: Controls testing for effectiveness of design and
implementation of controls, substantive testing for operating effectiveness of
controls implemented
Method of Internal Audit: Brief audit approach and methodology

Team and Roles and Responsibilities: Identified skills and names of IS Auditors
including their roles and responsibilities

Points of Contact: Contact names of auditee department

Co-ordination: Names of the project lead and higher official for escalation of issues

Information: Report details of past audits on the subject

Nature and Extent of Tests

Types of control testing that can be performed are as below:
Test of Control Design: Controls that have been identified are evaluated for
appropriateness in mitigating the risks

Test of Control Implementation: Tests are performed to confirm that the control that
has been appropriately designed is implemented and is operating at the time of
testing. Mitigating or compensating controls are also reviewed wherever
necessary

Assessing Operational Effectiveness of Controls: Wherever the controls designed are found to be in operation, additional testing is performed for the period of reliance (audit period) to confirm if they are operating effectively and consistently

On a case-to-case basis, the auditor should exercise professional judgment and decide the nature and extent of procedures that need to be adopted for reaching conclusions. ISA 330 gives guidance on the nature, timing and extent of procedures.

iii. Sampling techniques

During an audit, auditors should obtain sufficient, reliable and relevant evidence to achieve their objectives. Findings and conclusions should be supported by appropriate analysis and interpretation. Auditors should consider sample selection techniques which result in a statistically-based representative sample for performing compliance or substantive testing. Statistical sampling involves the use of techniques from which mathematically-constructed conclusions regarding the population can be drawn. Non-statistical sampling is not statistically-based; its results should not be extrapolated over the population, as the sample is unlikely to be representative of the population. Examples of compliance testing of controls where sampling could be considered include user-access rights, programme change control procedures, procedures documentation, programme documentation, follow-up of exceptions, review of logs and software licence audits. Examples of substantive tests where sampling could be considered include re-performance of a complex calculation (e.g., interest applied) on a sample of accounts, a sample of transactions to vouch to supporting documentation, etc.

Design of A Sample

While designing the size and structure of an audit sample, auditors may consider the following guidelines:

– Sampling Unit: The unit will depend on the sample purpose. For compliance testing of controls, attribute sampling is typically used, where the unit is an event or transaction (e.g., a control such as an authorisation of transaction).

– Audit objectives: IS Auditors should consider the audit objectives to be achieved and the audit procedures which are most likely to achieve those objectives. In addition, when sampling is appropriate, consideration should be given to the nature of the audit evidence sought, and possible error conditions.

– Population: Population is the entire set of data from which auditors wish to sample, in order to reach a conclusion. Hence, the population from which a sample is drawn has to be appropriate and verified as “complete” for the audit objective.

– Stratification: To assist in efficient and effective design of a sample, stratification may be appropriate. Stratification is a process of dividing a population into “sub-populations” with similar characteristics, explicitly defined, so that each sample unit can belong to only one stratum.

Selection of A Sample

IS Auditors should use statistical sampling methods. They may consider using the following:

– Random Sampling: It ensures that all combinations of units in the population have an equal chance of selection

– Systematic Sampling: It involves selecting units using a fixed interval between selections, the first interval having a random start. Examples include “Monetary Unit Sampling” or “Value Weighted Selection”, where each individual monetary value (e.g., Rs 100) in the population is given an equal chance of selection. As an individual monetary unit cannot ordinarily be examined separately, the item which includes that monetary unit is selected for examination. This method systematically weights the selection in favour of the larger amounts, but gives every monetary value an equal opportunity for selection. Another example includes selecting every “nth sampling unit”.
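The selection methods and the stratification guideline above, as an added example that is not part of the original text: a Python implementation of random, systematic and monetary unit sampling plus a stratification helper, run over a constructed account population (the account numbers, balances, sampling interval and seed are made up for illustration).

```python
"""Statistical sample selection for IS audit tests (added example).

Implements the selection methods described in the text (random,
systematic with a random start, and systematic monetary unit sampling)
plus a stratification helper. The account population is constructed
for illustration and is not bank data.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    balance: int  # rupees; constructed sample values


# Constructed population of savings accounts with varied balances.
POPULATION = [
    Account("SB001", 1_500), Account("SB002", 48_000), Account("SB003", 250),
    Account("SB004", 9_900), Account("SB005", 120_000), Account("SB006", 3_100),
    Account("SB007", 700), Account("SB008", 26_500), Account("SB009", 15_000),
    Account("SB010", 2_050),
]


def random_sample(items, size, seed):
    """Simple random sampling: every combination of `size` units has an
    equal chance of selection. The seed makes the draw reproducible so it
    can be documented in the working papers."""
    return random.Random(seed).sample(items, size)


def systematic_sample(items, size, seed):
    """Systematic sampling: a fixed interval between selections, with the
    first selection at a random point inside the first interval."""
    interval = len(items) // size
    start = random.Random(seed).randrange(interval)
    return [items[i] for i in range(start, len(items), interval)][:size]


def monetary_unit_sample(accounts, sampling_interval, seed):
    """Monetary unit sampling (value-weighted selection).

    Every rupee in the population is a sampling unit with an equal chance
    of being hit; the account containing a hit rupee is the item examined.
    Hits are spaced exactly `sampling_interval` rupees apart from a random
    start, so any account with balance >= sampling_interval is always
    selected and larger balances are favoured."""
    total = sum(a.balance for a in accounts)
    start = random.Random(seed).randrange(sampling_interval)
    selected, cumulative, idx = [], 0, 0
    for hit in range(start, total, sampling_interval):
        # Advance to the account whose rupee range covers this hit.
        while cumulative + accounts[idx].balance <= hit:
            cumulative += accounts[idx].balance
            idx += 1
        if not selected or selected[-1] is not accounts[idx]:
            selected.append(accounts[idx])  # one item per account, no repeats
    return selected


def stratify(accounts, boundaries):
    """Divide the population into balance bands so that each account
    belongs to exactly one stratum. `boundaries` are ascending exclusive
    upper limits of all strata but the last."""
    strata = [[] for _ in range(len(boundaries) + 1)]
    for acct in accounts:
        band = sum(1 for b in boundaries if acct.balance >= b)
        strata[band].append(acct)
    return strata


def sample_for_interest_reperformance(accounts, sampling_interval, seed):
    """Select accounts for a substantive test (re-performing the interest
    applied) by MUS and report what share of total balances the sample
    covers."""
    chosen = monetary_unit_sample(accounts, sampling_interval, seed)
    coverage = sum(a.balance for a in chosen) / sum(a.balance for a in accounts)
    return chosen, coverage


if __name__ == "__main__":
    print("random:    ", [a.number for a in random_sample(POPULATION, 3, seed=7)])
    print("systematic:", [a.number for a in systematic_sample(POPULATION, 3, seed=7)])
    chosen, cov = sample_for_interest_reperformance(POPULATION, 40_000, seed=7)
    print("MUS:       ", [a.number for a in chosen], f"covers {cov:.0%} of balances")
    for i, stratum in enumerate(stratify(POPULATION, [1_000, 10_000, 50_000])):
        print(f"stratum {i}:", [a.number for a in stratum])
```

With a Rs 40,000 sampling interval, the two accounts whose balances exceed the interval (SB002 and SB005) are selected regardless of the random start, which is the value-weighting the text describes.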
Standards and Frameworks

One challenge that IS Auditors face is knowing what to audit against, as fully-developed IT control baselines for applications and technologies may not have been developed. Rapid evolution of technology is likely to render baselines useless after a period of time.

However, this does not detract from the concept of control objectives. Control objectives, by definition, should remain more or less constant (from environment to environment). Consider the objective that critical business data and programmes should be backed up and recoverable. Now, each environment may do that differently; backups could be manual, or automated, or a tool may be used. They could be incremental only, or there may be complete backups of everything. Backups could be done daily, weekly, or monthly. Storage of backups could be onsite in a fireproof safe, off-site at another company facility, or outsourced to a third party. The method used by the organisation to manage backups would certainly impact the audit procedures and budget, but the control objective will not change. The IS Auditor should be able to start with a set of IT control objectives and, though these are not specific to particular environments, select an appropriate framework.

Resource Management

A bank’s auditors play a critical role in the efficiency and effectiveness of audits. IT encompasses a wide range of technology and sophistication—the skill set needed to audit a firewall configuration is vastly different from the skill set needed to audit application controls. It is critical to match the skills needed to perform a particular IS Audit with the appropriate auditor. IS Auditors should also have the appropriate analytical skills to determine and report the root cause of deficiencies. A bank’s hiring and training practices should ensure that it has qualified IS Auditors, whose education and experience should be consistent with job responsibilities. Audit management should also provide an effective programme of continuing education and development.

The main issue is having staff with the requisite range of IS Audit skills, needed to audit
an IS Audit universe, effectively. If internal expertise is inadequate, the Board should
consider using qualified external sources, such as management consultants,
independent auditors, or professionals, to supplement internal resources and support
bank's objectives.
Executing IS Audit

As mentioned earlier, auditors must understand the business and IT environment, risks and internal control framework. During the audit, auditors should obtain evidence, perform test procedures, appropriately document findings, and conclude with a report. This section provides guidance on matters that an IS Auditor should consider while executing the Plan.

ICAI, in March 2009, had published a “Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment” covering the requirements of executing a plan that an IS Auditor should follow. Additionally, IIA has also provided guidance in their “Management of IS Auditing” under their “Global Technology Audit Guide” series. The ITGI has also provided guidance on execution of an assurance initiative in its “IT Assurance Guide Using COBIT”.

Guidance on executing the IS Audit entails the following steps:

Refining the understanding of business process and IT environment

Refining the scope and identifying internal controls

Testing Control Design

Testing the outcome of the control objectives

Collecting audit evidence

Documenting test results

Concluding tests performed

Considering use of audit accelerators

Considering the use of Computer-Assisted Audit Techniques (CAATs)

Considering the work of others

Considering third-party review by service providers


The above are covered in the following sections:
(a) Refine understanding of the business process and IT environment:

The first step of the execution stage is refining the understanding of an IT environment,
in which a review is being planned. This implies understanding of a bank’s business
processes to confirm the correct scope and control objectives. The scope of the IS Audit needs to be communicated to and agreed upon by stakeholders.

Output from this step consists of documented evidence regarding:

– Who performs the task(s), where it is performed and when

– Inputs required to perform the task and outputs generated by it

– Automated tasks performed by systems and system configurations

– System-generated information used by business

– Stated procedures for performing tasks

The IS Auditor can structure this step along the following lines:

Interview and use activity lists and RACI charts

Collect and read process description, policies, input or output, issues, meeting
minutes, past audit reports, past audit recommendations, business reports
Prepare a scoping task (process objective, goals and metrics)

Build an understanding of enterprise IT architecture

(b) Refining Scope and Identifying Internal Controls:

While understanding and evaluating internal controls of a bank, areas mentioned under “Scope of IS Audit” need to be covered. However, the nature and extent of control risks may vary, depending on the nature and characteristics of a bank’s information system:

Reliance on systems or programmes that are inaccurately processing data, or processing inaccurate data, or both

Unauthorised access to data which may result in destruction of data, or improper changes to data, including recording of unauthorised or non-existent transactions, or inaccurate recording of transactions

Possibility of IT personnel gaining access to privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties

Unauthorised changes to data in master files

Unauthorised changes to systems or programmes

Failure to make necessary changes to systems or programmes

Inappropriate manual intervention

Potential loss of data or inability to access data


(c) Testing Control Design:

This section lists the different techniques that will be used in detailed audit steps.
Testing of controls is performed covering the main test objectives:

Evaluation of control design

Confirmation that controls are in place within the operation

Assess the operational effectiveness of controls

Additionally, control efficiency could be tested

In the testing phase, different types of testing can be applied. Five generic testing methods include: enquire and confirm; inspect; compare actual with expected findings; re-perform or re-calculate; and review automated evidence collection through analysing data using computer-assisted audit techniques and extracting exceptions or key transactions.

To assess the adequacy of the design of controls the following steps should be performed:

– Observe, inspect and review the control approach. Test the design for completeness, relevance, timeliness and measurability

– Enquire whether, or confirm that, the responsibilities for control practices and overall accountability have been assigned

– Test whether accountability and responsibilities are understood and accepted. Verify that the right skills and the necessary resources are available

– Enquire through interviews with key staff involved whether they understand the control mechanism, its purpose and the accountability and responsibilities.

IS Auditor must determine whether:

Documented control processes exist

Appropriate evidence of control processes exists

Responsibility and accountability are clear and effective

Compensating controls exist, where necessary

Additionally, specifically in internal audit assignments, cost-effectiveness of a control design may also be verified, with the following audit steps:

– If the control design is effective: Investigate whether it can be made more efficient by optimising steps, looking for synergies with other mechanisms, and reconsidering the balance of prevention versus detection and correction. Consider the effort spent in maintaining the control practices

– If the control is operating effectively: Investigate whether it can be made more cost-effective. Consider analysing performance metrics of associated activities, automation opportunities or skill level

(d) Test the Outcome of Control Objectives

Audit steps performed ensure that control measures established are working as prescribed and conclude on the appropriateness of the control environment. To test the effectiveness of a control, the auditor needs to look for direct and indirect evidence of the control’s impact on the process outputs. This implies the direct and indirect substantiation of the measurable contribution of the control to the IT, process and activity goals, thereby recording direct and indirect evidence of actually achieving the outcomes or various control objectives (based on those documented in standards like COBIT, as relevant).

The auditor should obtain direct or indirect evidence for selected items or periods to
ensure that the control under review is working effectively by applying a selection of
testing techniques as presented in step on test of control design. The IS Auditor should
also perform a limited review of the adequacy of the process deliverables, determine
the level of substantive testing and additional work needed to provide assurance that
the IT process is adequate. Substantive testing would involve performing analytical
procedures and tests of details, to gain assurance on areas where control weaknesses
are observed. Substantive testing is performed to ascertain the actual impact of control
weaknesses.

(e) Audit Evidence

IS Auditors should obtain sufficient and reliable audit evidence to draw reasonable
conclusions on which to base the audit results.

Sufficient Evidence: Evidence can be considered sufficient if it supports all material questions in the audit objective and scope. Evidence should be objective and sufficient to enable a qualified independent party to re-perform tests and obtain the same results. The evidence should be commensurate with the materiality of an item and the risks involved. In instances where the IS Auditor believes sufficient audit evidence cannot be obtained, they should disclose this in a manner consistent with the communication of the audit results.

Appropriate Evidence: Appropriate evidence shall include the following indicative criteria:

Procedures as performed by the IS Auditor
Results of procedures performed by the IS Auditor
Source documents (electronic or paper), records and corroborating information used to support the audit
Findings and results of an audit

When obtaining evidence from a test of control design, auditors should consider the completeness of the audit evidence to support the assessed level of control risk.

Reliable Evidence: IS Auditors should take note of the following examples; evidence is more reliable when it is:

– Written form and not oral expressions

– Obtained from independent sources

– Obtained by IS Auditors, rather than from the bank being audited

– Certified by an independent party


Procedures used to gather evidence can be applied through the use of manual audit
procedures, computer-assisted techniques, or a combination of both. For example: a
system, which uses manual control totals to balance data entry operations might
provide audit evidence that the control procedure is in place by way of an appropriately
reconciled and annotated report. IS Auditors should obtain audit evidence by reviewing
and testing this report. Detailed transaction records may only be available in machine-
readable format, requiring IS Auditors to obtain evidence using computer-assisted
techniques.
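As an added example (not from the original text), a small computer-assisted audit routine that applies the two evidence-gathering approaches described above to a constructed transaction log: it reconciles per-batch system totals against the manually recorded control totals, and extracts maker-checker and access-rights exceptions from machine-readable records. The user ids, batch ids, amounts, the authorised-checker list and the Rs 10,000 checker threshold are all constructed assumptions.

```python
"""CAAT-style control-total reconciliation and exception extraction
(added example). All log lines, user lists and control totals below are
constructed for illustration and do not come from any bank system.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed transaction log: id, data-entry batch, maker, checker, amount (Rs).
TXN_LOG = """\
txn_id,batch,maker,checker,amount
T1001,BR01-D1,u_anita,u_rahul,12500
T1002,BR01-D1,u_anita,u_anita,50000
T1003,BR01-D1,u_vikas,u_rahul,800
T1004,BR01-D2,u_vikas,,150000
T1005,BR01-D2,u_anita,u_temp9,7000
T1006,BR01-D2,u_rahul,u_anita,2200
"""

# Constructed manual control sheet: (count, value) the branch recorded per batch.
CONTROL_SHEET = {"BR01-D1": (3, 63300), "BR01-D2": (3, 159000)}

# Constructed list of users holding the checker (authoriser) role.
AUTHORISED_CHECKERS = {"u_rahul", "u_anita"}

# Constructed policy: amounts at or above this value must carry a checker.
CHECKER_REQUIRED_ABOVE = 10000


def parse_log(text):
    """Read the CSV log into dicts, converting the amount to an integer."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["amount"] = int(r["amount"])
    return rows


def reconcile_control_totals(rows, control_sheet):
    """Compare the system's count and value per batch with the manually
    recorded control totals; return only the batches that do not agree."""
    computed = defaultdict(lambda: [0, 0])
    for r in rows:
        computed[r["batch"]][0] += 1
        computed[r["batch"]][1] += r["amount"]
    breaks = {}
    for batch, (count, total) in control_sheet.items():
        got = tuple(computed.get(batch, [0, 0]))
        if got != (count, total):
            breaks[batch] = {"expected": (count, total), "system": got}
    # Batches present in the system but missing from the control sheet
    # are also exceptions: nobody balanced them.
    for batch in computed.keys() - control_sheet.keys():
        breaks[batch] = {"expected": None, "system": tuple(computed[batch])}
    return breaks


def extract_exceptions(rows, authorised_checkers, threshold):
    """Flag records that breach maker-checker or access-rights controls."""
    exceptions = []
    for r in rows:
        checker = r["checker"]
        if checker and checker == r["maker"]:
            exceptions.append((r["txn_id"], "maker and checker are the same user"))
        if checker and checker not in authorised_checkers:
            exceptions.append((r["txn_id"], "checker lacks the authoriser role"))
        if not checker and r["amount"] >= threshold:
            exceptions.append((r["txn_id"], "high-value transaction without checker"))
    return exceptions


def run_caat(log_text=TXN_LOG, control_sheet=CONTROL_SHEET,
             authorised=AUTHORISED_CHECKERS, threshold=CHECKER_REQUIRED_ABOVE):
    """Run both procedures and return the evidence to be documented."""
    rows = parse_log(log_text)
    return {
        "control_total_breaks": reconcile_control_totals(rows, control_sheet),
        "exceptions": extract_exceptions(rows, authorised, threshold),
    }


if __name__ == "__main__":
    result = run_caat()
    for batch, detail in result["control_total_breaks"].items():
        print(f"control total break in {batch}: {detail}")
    for txn, reason in result["exceptions"]:
        print(f"exception {txn}: {reason}")
```

On the constructed log, batch BR01-D2 fails to reconcile (system value Rs 159,200 against a recorded Rs 159,000) and three records are extracted as exceptions; each item is then followed up against source documents rather than treated as a finding on its own.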

When information produced by a bank is used by auditors, they should obtain evidence
about the completeness and accuracy by the following means:

Performing tests of the operating effectiveness of controls over the production and
maintenance of information, to be used as audit evidence

Performing audit procedures directly on information to be used as audit evidence

Auditors should consider the following controls over production and maintenance of
information produced by a bank:

– Controls over the integrity, accuracy, and completeness of the source data

– Controls over the creation and modification of the applicable report logic and parameters

(f) Documentation

Audit evidence gathered should be documented and organised to support findings and
conclusions. IS Audit documentation is a record of the work performed and evidence
supporting findings and conclusions.

The potential uses of documentation:

Demonstration of the extent to which the auditor has complied with professional standards related to IS auditing

Assistance with audit planning, performance and review

Facilitation of third-party reviews

Evaluation of the auditors’ quality assurance programme

Support in circumstances such as insurance claims, fraud cases and lawsuits

Assistance with professional development of the staff

Documentation should include, at a minimum, a record of:

– Planning and preparation of the audit scope and objectives

– Audit steps performed and audit evidence gathered

– Audit findings, conclusions and recommendations

– Reports issued as a result of the audit work

– Supervisory review
The extent of an IS Auditor’s documentation may depend on the needs of a particular audit and should include such things as:

IS Auditor’s understanding of an area to be audited, and its environment

Their understanding of the information processing systems and internal control environment
Audit evidence, source of audit documentation and date of completion

Bank’s response to recommendations

Documentation should include audit information, required by law, government


regulations, or by applicable professional standards. Documentation should be clear,
complete and understandable, by a reviewer. IS Audit owns evidences documented by
them, in order to substantiate conclusions on tests performed and specific observations
reported to management and Audit Committee.

(g) Conclusion on Tests Performed

IS Auditors should evaluate the conclusions drawn as a basis for forming an opinion on
the audit. Conclusions should be substantiated by evidence collected and documented.
The IS Audit Team may be required to provide and maintain evidence in respect of
observations reported by them.

IS Auditors may perform the following activities required to conclude on tests
performed, based on the nature and amount of identified control failures and the
likelihood of undetected errors:

– Decide whether the scope of the IS Audit was sufficient to enable the auditors to draw
reasonable conclusions on which to base the audit opinion

– Perform audit procedures designed to obtain sufficient appropriate audit evidence:
events up to the date of the audit report may be included and identified in the report

– Prepare an audit summary memorandum documenting findings and conclusions on
important issues of IS Auditing and reporting, including judgments made by the
IS Audit team

– Obtain appropriate representations from bank management

– Prepare a report appropriate to the circumstances, and in conformity with applicable
professional standards and regulatory and legal requirements

– Communicate, as necessary, with the Audit Committee or Senior Management

– Maintain effective controls over the processing and distribution of reports relating to
the IS Audit

If audit evidence or information indicates that irregularities could have occurred, IS
Auditors should advise bank management of matters that require detailed investigation,
to enable management to initiate appropriate investigative actions. The auditors should
also consider consulting the Audit Committee and legal counsel about the advisability
and risks of reporting the findings outside the Bank.

RBI (vide its circular DBS.CO.FrMC.BC.No.7/23.04.001/2009-10, dated September
16, 2009) requires that fraud cases be reported to law enforcement agencies and to the
RBI. Banks should appropriately include requirements for reporting such instances to
RBI in the engagement letters issued to external IS Auditors.
(h) Audit Accelerators

Since IS Audit budgets can be difficult to estimate and manage, CAEs can consider
using testing accelerators (tools or techniques that help support the procedures the IS
Auditors will be performing) to increase efficiency and effectiveness. CAEs can use an
accelerator to do the same audit in less time, or to do more detailed audit procedures in
the same amount of time. Audit accelerators can be divided into two categories:

– Audit Facilitators: Tools that help support the overall management of an audit (e.g., an
electronic workpaper management tool)

– Testing Accelerators: Tools that automate the performance of audit tests (e.g., data
analysis tools)

Audit Facilitators

These include electronic workpapers, project management software, flow charting
software and open issue tracking software.

Testing Accelerators

Testing accelerators can automate time-consuming audit tasks, such as reviewing large
populations of data. Also, using a tool to perform audit procedures helps establish
consistency. For example, if a tool is used to assess server security configuration, all
servers tested with that tool will be assessed against the same baselines, whereas
performing these procedures manually allows for a degree of interpretation on the part
of the IS Auditor. Lastly, the use of tools enables IS Auditors to test an entire population
of data, rather than just a sample of transactions. This provides a much higher degree
of audit assurance.

Data Analysis Software: These tools allow an auditor to perform robust statistical
analysis of large data sets. They can also be used to support process or operational
audits such as KYC reviews, and can support several types of testing. One consideration
when using a data analysis tool is that it may be difficult to extract the data from the
original source. It is critical that audit procedures be performed to ensure the
completeness and accuracy of the source data.

Security Analysis Tools: These are a broad set of tools that can review a large
population of devices or users and identify security exposures. There are different types
of security analysis tools. Generally they can be categorised as follows:

– Network Analysis Tools: These consist of software programmes that can be run on a
network and gather information about it. IS Auditors can use these tools for a variety
of audit procedures, including:

   – Verifying the accuracy of network diagrams by mapping the corporate network

   – Identifying key network devices that may warrant additional audit attention

   – Gathering information about what traffic is permitted across a network (which
   directly supports the IT risk assessment process)

– Hacking Tools: Most technologies have a number of standard vulnerabilities, such as
the existence of default IDs and passwords or default settings when the technology is
installed out-of-the-box. Hacking tools provide an automated method of checking for
these. Such tools can be targeted against firewalls, servers, networks and operating
systems.

– Application Security Analysis Tools: If an organisation is using a large integrated
business application, key internal controls are highly security dependent.
Application-level security must be well designed and built in conjunction with the
application’s processes and controls.

The CAE should be aware that most of these tools come with a set of pre-configured
rules, or vendor-touted “best practices”. Implementation of one will need to be
accompanied by a substantive project to create a rule set that is relevant for that
particular organisation. Failure to do so will result in audit reports that contain a number
of either false positives or false negatives.

CAEs should be aware of the following considerations with respect to IS Audit
Accelerators:

– Tools cost money. The CAE should be sure that the benefits outweigh the costs

– IS Auditors will need to be trained on the new tool. It is not uncommon for a tool to sit
unused in an Internal Audit Department

– The tool will need support, patch management and upgrades. Depending on the
quality, it may require a standalone server as well. For this reason, any tool selection
should be managed with the IT department’s assistance

Sometimes, IT management or third-party service providers do not allow tools to
access the production environment directly. They are instead asked to do so from a
copy of the data at an alternative site, or on a standby server. Any use of tools or scripts
should be thoroughly discussed with and approved by IT management, and be tested
fully before deployment.

(i) Computer-Assisted Audit Techniques (CAATs)

IS Auditors can use an appropriate combination of manual techniques and CAATs. The IS
Audit function needs to enhance the use of CAATs, particularly for critical functions or
processes carrying financial, regulatory or legal implications. The extent to which
CAATs can be used will depend on factors such as the efficiency and effectiveness of
CAATs over manual techniques, time constraints, the integrity of the Information
System and IT environment, and the level of audit risk.

CAATs may be used in critical areas (such as detection of revenue leakage, treasury
functions, assessing the impact of control weaknesses, monitoring customer transactions
under AML requirements, and generally in areas where a large volume of transactions
is reported).

The process of using CAATs involves the following steps:

– Set the audit objectives of the CAATs

– Determine the accessibility and availability of the bank’s IS facilities, programmes,
systems and data

– Define the procedures to be undertaken (e.g., statistical sampling, recalculation, or
confirmation)

– Define output requirements

– Determine resource requirements, i.e. personnel, CAATs, processing environment,
the bank’s IS facilities or audit IS facilities

– Obtain access to the bank’s IS facilities, programmes, systems and data, including
file definitions

– Document the CAATs to be used, including objectives, high-level flowcharts, and run
instructions

CAATs may be used to perform the following audit procedures, among others:

– Tests of transactions and balances, such as recalculating interest

– Analytical review procedures, such as identifying inconsistencies or significant
fluctuations

– Compliance tests of general controls: testing the set-up or configuration of the
operating system, or access procedures to the programme libraries

– Sampling programmes to extract data for audit testing

– Compliance tests of application controls, such as testing the functioning of a
programmed control

– Re-calculating entries performed by the entity’s accounting systems

– Penetration testing

In instances where CAATs may be used to extract sensitive programmes, system
information or production data, IS Auditors should safeguard the programmes, system
information or production data with an appropriate level of confidentiality and security.
In doing so, IS Auditors should consider the level of confidentiality and security required
by the bank owning the data, and any relevant legislation. IS Auditors should be
provided with “view access” to systems and data. In case audit procedures cannot be
performed in the live environment, an appropriate test environment should be made
available to IS Auditors. Systems and data in the test environment should be
synchronised with the live environment.

IS Auditors should use, and document the results of, appropriate procedures to provide
for the ongoing integrity, reliability, usefulness and security of the CAATs. For example,
this should include a review of programme maintenance and change controls over
embedded audit software, to determine that only authorised changes were made to the
CAATs.

In instances where CAATs reside in an environment not under the control of the IS
Auditor, an appropriate level of control should be in effect to identify changes. When the
CAATs are changed, IS Auditors should obtain assurance of their integrity, reliability,
usefulness and security through appropriate planning, design, testing, processing and
review of documentation, before placing reliance on them.
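As an added illustration of two of the CAAT procedures listed above (recalculating interest across the full population, and checking the completeness and accuracy of the extracted source data before relying on it), the following Python script is example code written for this page; it is not the bank's or any vendor's tool. The account extract, the control figures it reconciles against and the actual/365 simple-interest basis are all constructed assumptions. A real CAAT would take the interest convention from the product's terms and the control figures from the source system's own reports, which is exactly the "completeness and accuracy of the source data" step the text insists on.

```python
"""Added example (not the page's or any vendor's code): a small CAAT that
recalculates interest for a whole population of deposit accounts and flags
booked figures that differ from the recalculation, after reconciling the
extract against the source system's control figures. The data and the
actual/365 simple-interest basis are constructed assumptions."""
import csv
import io
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Constructed account extract, as a core banking system might export it.
# Columns: account id, principal, annual rate in %, days accrued, interest booked.
EXTRACT_CSV = """account_id,principal,rate_pct,days,booked_interest
1001,100000.00,6.50,90,1602.74
1002,250000.00,7.00,180,8630.14
1003,50000.00,6.50,365,3250.00
1004,75000.00,7.25,30,496.92
1005,120000.00,6.50,90,1923.92
"""

# Constructed control figures reported by the source system along with the extract.
SOURCE_RECORD_COUNT = 5
SOURCE_PRINCIPAL_TOTAL = Decimal("595000.00")


@dataclass
class Account:
    account_id: str
    principal: Decimal
    rate_pct: Decimal
    days: int
    booked_interest: Decimal


def parse_extract(text):
    """Parse the CSV extract into Account records, keeping money as Decimal."""
    return [
        Account(r["account_id"], Decimal(r["principal"]), Decimal(r["rate_pct"]),
                int(r["days"]), Decimal(r["booked_interest"]))
        for r in csv.DictReader(io.StringIO(text))
    ]


def check_completeness(accounts, expected_count, expected_total):
    """Completeness and accuracy check on the source data: the record count and
    the principal control total must agree with the source system's figures."""
    return (len(accounts) == expected_count
            and sum(a.principal for a in accounts) == expected_total)


def recalc_interest(principal, rate_pct, days, basis=365):
    """Simple interest on an actual/365 basis (assumed), rounded half-up to 2 places."""
    raw = principal * rate_pct / Decimal(100) * Decimal(days) / Decimal(basis)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def find_interest_exceptions(accounts, tolerance=Decimal("0.01")):
    """Test every account (not a sample): return (id, booked, recalculated, difference)
    for each account whose booked interest differs by more than the tolerance."""
    exceptions = []
    for a in accounts:
        expected = recalc_interest(a.principal, a.rate_pct, a.days)
        diff = a.booked_interest - expected
        if abs(diff) > tolerance:
            exceptions.append((a.account_id, a.booked_interest, expected, diff))
    return exceptions


if __name__ == "__main__":
    accounts = parse_extract(EXTRACT_CSV)
    print("extract complete:",
          check_completeness(accounts, SOURCE_RECORD_COUNT, SOURCE_PRINCIPAL_TOTAL))
    for acct_id, booked, expected, diff in find_interest_exceptions(accounts):
        print(f"{acct_id}: booked {booked} vs recalculated {expected} (diff {diff})")
```

Money is held as Decimal rather than float so the recalculation is exact to the paisa and the tolerance is meaningful; the two exceptions in the constructed data (a round 50.00 excess and a digit transposition) are the kind of pattern an analytical review would then investigate.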

(j) Continuous Auditing

Traditionally, testing of controls performed by an internal audit team was on a
retrospective and cyclical basis, often many months after business activities had
occurred. The testing procedures have often been based on a sampling approach.
They included activities such as reviews of policies, procedures, approvals and
reconciliations. Today, however, it is recognised that this approach only affords internal
auditors a narrow scope, and is often too late to be of “real value” to business
performance or regulatory compliance.

Continuous auditing is a method used to perform control and risk assessments
automatically on a more frequent basis, using technology, which is key to enabling such
an approach. Continuous auditing changes the audit paradigm from periodic reviews of
a sample of transactions to ongoing audit testing of 100 percent of transactions. It
becomes an integral part of modern auditing at many levels. It should also be closely
tied to management activities such as performance monitoring, scorecards or
dashboards, and enterprise risk management.

A continuous audit approach allows internal auditors to fully understand critical control
points, rules, and exceptions. With automated, frequent analyses of data, they are able
to perform control and risk assessments in real time or near real time. They can
analyse key business systems both for anomalies at the transaction level and for
data-driven indicators of control deficiencies and emerging risk.

Finally, with continuous auditing, the analysis results are integrated into all aspects of
the audit process, from the development and maintenance of the enterprise audit plan
to the conduct and follow-up of specific audits. Depending on the level of
implementation and sustenance of the risk-based IS Audit approach, banks may explore
implementation of continuous auditing in critical areas in a phased manner.
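The following Python example, added here and not part of the original guidelines, shows the continuous-auditing idea in miniature: every transaction in a stream (not a sample) is tested against a small set of control rules (maker/checker segregation, high-value reporting, posting outside business hours), and the resulting exceptions are then aggregated into a per-branch indicator of the kind the text calls a data-driven indicator of a control deficiency. The transactions, thresholds and rule set are constructed assumptions; a bank would take its limits and rules from its own control framework.

```python
"""Added example (not from the guidelines): a minimal continuous-auditing rule
engine. Every transaction is run through each control rule as it arrives and
exceptions are collected; a second pass turns transaction-level exceptions
into a branch-level indicator. Stream, thresholds and rules are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed transaction stream: id, branch, maker, checker, amount, timestamp.
TRANSACTIONS = [
    {"id": "T1", "branch": "B01", "maker": "u1", "checker": "u2", "amount": 20000,   "ts": "2024-03-04T10:15:00"},
    {"id": "T2", "branch": "B01", "maker": "u1", "checker": "u1", "amount": 5000,    "ts": "2024-03-04T10:20:00"},
    {"id": "T3", "branch": "B02", "maker": "u3", "checker": "u4", "amount": 750000,  "ts": "2024-03-04T11:00:00"},
    {"id": "T4", "branch": "B02", "maker": "u3", "checker": None, "amount": 1200000, "ts": "2024-03-04T23:30:00"},
    {"id": "T5", "branch": "B02", "maker": "u5", "checker": "u5", "amount": 900,     "ts": "2024-03-05T09:05:00"},
    {"id": "T6", "branch": "B03", "maker": "u6", "checker": "u7", "amount": 100,     "ts": "2024-03-05T09:10:00"},
]

# Assumed control parameters (constructed, not a bank's real limits).
DUAL_CONTROL_THRESHOLD = 10000    # amounts at or above this need a separate checker
HIGH_VALUE_THRESHOLD = 1000000    # amounts at or above this are always reported
BUSINESS_HOURS = (8, 20)          # postings outside 08:00-20:00 are exceptions


def rule_maker_checker(tx):
    """Segregation of duties: a maker must never approve their own transaction,
    and amounts above the dual-control threshold must have a checker at all."""
    if tx["amount"] >= DUAL_CONTROL_THRESHOLD and tx["checker"] is None:
        return "missing-checker"
    if tx["checker"] is not None and tx["checker"] == tx["maker"]:
        return "self-approval"
    return None


def rule_high_value(tx):
    """High-value transactions are reported regardless of other controls."""
    return "high-value" if tx["amount"] >= HIGH_VALUE_THRESHOLD else None


def rule_business_hours(tx):
    """Postings outside business hours warrant a look at who posted them and why."""
    hour = datetime.fromisoformat(tx["ts"]).hour
    start, end = BUSINESS_HOURS
    return None if start <= hour < end else "after-hours"


RULES = [rule_maker_checker, rule_high_value, rule_business_hours]


def audit_stream(transactions, rules=RULES):
    """Run every rule over every transaction; return [(transaction id, rule hit)]."""
    exceptions = []
    for tx in transactions:
        for rule in rules:
            hit = rule(tx)
            if hit:
                exceptions.append((tx["id"], hit))
    return exceptions


def exception_rate_by_branch(transactions, exceptions):
    """Data-driven indicator: share of each branch's transactions with at least one exception."""
    flagged = {tx_id for tx_id, _ in exceptions}
    per_branch = defaultdict(lambda: [0, 0])   # branch -> [total, flagged]
    for tx in transactions:
        per_branch[tx["branch"]][0] += 1
        if tx["id"] in flagged:
            per_branch[tx["branch"]][1] += 1
    return {b: round(hits / total, 2) for b, (total, hits) in per_branch.items()}


def branches_needing_attention(rates, threshold=0.5):
    """Branches whose exception rate suggests a control deficiency rather than a one-off."""
    return sorted(b for b, r in rates.items() if r >= threshold)


if __name__ == "__main__":
    found = audit_stream(TRANSACTIONS)
    for tx_id, hit in found:
        print(f"{tx_id}: {hit}")
    rates = exception_rate_by_branch(TRANSACTIONS, found)
    print("exception rate by branch:", rates)
    print("branches needing attention:", branches_needing_attention(rates))
```

The two levels matter: a single self-approval is a transaction-level anomaly for follow-up, while a branch where most postings trip a rule is evidence that the control itself is not operating, which feeds the audit plan rather than a single finding.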

(k) Application Control Audit

Detailed pre-implementation application control audits and data migration audits in
respect of critical systems need to be subjected to independent external audit.
Banks also need to conduct a post-implementation detailed application control audit.
Furthermore, banks should also include application control audits in a risk-based
manner as part of the regular Internal Audit/IS Audit plans, with focus on data
integrity (among other factors). General internal auditors with the requisite functional
knowledge need to be involved along with the IS Auditors in the exercise, to provide
the requisite domain expertise.

Some of the considerations in application control audit (based on ISACA guidelines)
include:

– An IS Auditor should understand the IS environment to determine the size and
complexity of the systems, and the extent of the bank’s dependence on information
systems.

– Application-level risks at system and data level include: system integrity risks
relating to the incomplete, inaccurate, untimely or unauthorized processing of
data; system security risks relating to unauthorized access to systems or data;
data risks relating to its completeness, integrity, confidentiality and accuracy;
system availability risks relating to the lack of system operational capability; and
system maintainability risks in terms of adequate change control procedures.

– Application controls to address the application-level risks may be in the form of
computerized controls built into the system, manually performed controls, or a
combination of both. The risks of manual controls in critical areas need to be
considered. Where the option to place reliance on programmed controls is
taken, the relevant general IT controls should be considered, as well as controls
specifically relevant to the audit objective. Objectives should be developed to
address criteria such as integrity, availability, compliance, reliability and
confidentiality. Effectiveness and efficiency can also be additional criteria.

– As part of documenting the flow of transactions, the information gathered should
include both computerized and manual aspects of the system. Focus should be on
data input (electronic or manual), processing, storage and output that are of
significance to the audit objective.

– Consideration should also be given to documenting application interfaces with other
systems. The auditor may confirm the documentation by performing procedures
such as a walk-through test.

– Specific controls to mitigate application risks may be identified. Sufficient audit
evidence should be obtained to assure the auditor that controls are operating as
intended, through procedures such as inquiry and observation, review of
documentation and, where programmed controls are being tested, testing of the
application system controls. Use of computer-assisted audit techniques (CAATs)
also needs to be considered.

– The nature, timing and extent of testing should be based on the level of risk to the
area under review and the audit objectives. In the absence of strong general IT
controls, an IS Auditor may make an assessment of the effect of this weakness on the
reliability of the computerized application controls.

– If an IS Auditor finds significant weaknesses in the computerized application
controls, assurance should be obtained (depending on the audit objective), if
possible, from the manually performed processing controls.

– The effectiveness of computerized controls is dependent on general IT controls.
Therefore, if general IT controls are not reviewed, the ability to place reliance on
controls may be limited. The IS Auditor should then consider alternative
procedures.

– Where weaknesses identified during the application systems review are considered
to be significant or material, the appropriate level of management should be advised
to undertake immediate corrective action.

Using the Work of Others

The purpose of an IS Audit standard is to establish and provide guidance to auditors who
use the work of experts on an audit. The following are standards to test the reliability of
the work of an expert:

– IS Auditors should, where appropriate, consider using the work of other experts for the
audit

– They should assess, and then be satisfied with, the professional qualifications,
competencies, relevant experience, resources, independence and quality control
processes of the expert, prior to engagement

– They should assess, review and evaluate the work of experts as a part of the audit, and
then conclude on the extent of use of and reliance on the work

– They should determine and conclude whether the work of experts is adequate and
competent to enable them to conclude on the current audit objectives. Such
conclusion should be documented

– They should apply additional test procedures to gain evidence, and include a scope
limitation where the required evidence is not obtained through additional test
procedures

– An expert could be an IS Auditor from an external auditing firm, a management
consultant, an IT domain expert, or an expert in the area of audit, who has been
appointed by management or by the IS Audit Team

– An expert could be internal or external to the bank. If an expert is engaged by
another part of the organisation, reliance may be placed on the bank’s report. In
some cases, this may reduce the need for IS Audit coverage, though the IS
Auditors do not have the supporting documentation and work papers. IS Auditors
should be cautious in providing an opinion in such cases

– An IS Auditor should have access to all papers, supporting documents and reports
of other experts, where such access does not create legal issues. Where access
creates legal issues, or such papers are not accessible, auditors should
determine and conclude on the extent of use of and reliance on the expert’s work

– The IS Auditor’s views, relevance and comments on adopting the expert’s report
should form a part of the IS Auditor’s Report

Third Party Review of Service Providers

A bank may use a third-party service provider (service organisation) to obtain services
such as packaged software applications and a technology environment that enables
customers to process financial and operational transactions (ATM management,
networking and infrastructure development and maintenance, document imaging and
indexing, software development and maintenance). RBI has issued “Guidelines on
Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks”
(circular no. DBOD.NO.BP.40/21.04.158/2006-07 dated November 3, 2006), asking
banks to adhere to the guidelines before outsourcing activities related to financial
services.

Services provided by a third party are relevant to the scope of the IS Audit, especially
when those services, and the controls within them, are a part of the bank’s information
systems. Though controls at the service organisation are likely to relate to financial
reporting, there may be other controls that are also relevant to the IS Audit (controls
over safeguarding of assets or document images).

A service organisation’s services are a part of a bank’s information system, including
related business processes relevant to the IS Audit, if these services affect any of the
following:

– Segments of the Information System that are significant to the bank’s IS operations

– Procedures within the information system by which a user entity’s transactions are
initiated, recorded, processed, corrected (when necessary), transferred to the
general ledger and reported in financial statements

– The way events and conditions, other than transactions, significant to the bank’s
Information System are captured

IS Auditors will have to obtain an understanding of how a bank uses the services of a
service organisation in the bank’s IS operations, including:

– The nature of the services provided by the organisation and their significance to the
bank’s information system, including the effect on the bank’s internal control

– The nature and materiality of transactions, accounts or financial reporting processes
affected by the service organisation

– The degree of interaction between the activities of the organisation and the bank

– The nature of the relationship between the bank and the organisation, including
relevant contractual terms for activities undertaken by the organisation

In some situations, the services provided by the organisation may not appear to be
“material” to the bank’s IS operations, but the nature of the service may be. IS Auditors
should determine whether an understanding of those controls is necessary in the
circumstances.

Information on the nature of services provided by an organisation may be available
from a variety of sources:

– User manual

– System overview

– Technical manuals

– Contract or service-level agreement between the bank and the organisation

– Reports by the service organisation, internal auditors, or regulatory authorities on
service organisation controls

– Reports by an auditor of the organisation (service auditor), including management
letters

IS Auditors may use a service auditor to perform procedures such as tests of controls
at the service organisation, or substantive procedures on the bank’s IS operations
served by a service organisation.

5) Reporting and Follow-up

This phase involves reporting audit findings to the CAE and the Audit Committee. Before
reporting the findings, it is imperative that IS Auditors prepare an audit summary
memorandum providing an overview of the entire audit process from planning to audit
findings, discuss the findings with the auditee and obtain responses. Additionally,
reviewing the actions taken by management to mitigate the risks observed in audit
findings, and appropriately updating the audit summary memorandum, is also important.
Reporting entails deciding the nature, timing and extent of follow-up activities and
planning future audits.

Professional bodies like ISACA, IIA and ICAI have issued guidance in this regard.

Reporting and follow-up entails the following activities or steps:

– Drafting the audit summary and memorandum

– Discussing findings with management

– Finalising and submitting reports

– Reviewing the actions taken report

– Undertaking follow-up procedures

– Archiving documents

These are covered in the following sections:

(a) Audit Summary and Memorandum

An IS Auditor should perform audits or reviews of control procedures and form a
conclusion about, and report on, the design and operating effectiveness of the control
procedures based on the identified criteria. The conclusion for an audit is expressed as
a positive expression of opinion and provides a high level of assurance. The conclusion
for a review is expressed as a statement of negative assurance and provides only a
moderate level of assurance.

(b) Discuss Findings with Management

The bank’s management is responsible for deciding the appropriate action to be taken
in response to reported observations and recommendations. IS Auditors are responsible
for assessing such management action for appropriateness and the timely resolution of
the matters reported as observations and recommendations.

Senior Management may decide to accept the risk of not correcting the reported
condition because of cost or other considerations. The Board (or the Audit
Committee, if one exists) should be informed of Senior Management’s decision on
significant observations and recommendations. When IS Auditors believe that an
organisation has accepted a level of residual risk that is inappropriate for the
organisation, they should discuss the matter with Internal Audit and Senior
Management. If the IS Auditors are not in agreement with the decision regarding
residual risk, the IS Auditors and Senior Management should report the matter to the
Board, or Audit Committee, for resolution.

Events sometimes occur, subsequent to the point in time or period of time of the
subject matter being tested but prior to the date of the IS Auditor’s report, that have
a material effect on the subject matter and therefore require adjustment or
disclosure in the presentation of the subject matter or assertion.

(c) Finalise and Submit Reports

IS Auditors should review and assess the conclusions drawn from the evidence obtained
as the basis for forming an opinion on the effectiveness of the control procedures based
on the identified criteria.

Major findings identified during an audit should have a definite timeline indicated for
remedial actions; these should be followed up intensively and compliance should be
confirmed.

An IS Auditor’s report about the effectiveness of control procedures should cover
aspects such as:

– A description of the scope of the audit, including:

   – Identification or description of the area of activity

   – Criteria used as a basis for the IS Auditor’s conclusion

– A statement that the maintenance of an effective internal control structure, including
control procedures for the area of activity, is the responsibility of management

– A statement that the IS Auditors have conducted the engagement to express an
opinion on the effectiveness of control

(d) Review Action Taken Report

After reporting findings and recommendations, IS Auditors should request and
evaluate relevant information to conclude whether appropriate action has been taken
by management in a timely manner. If management’s proposed actions to implement
reported recommendations have been discussed with, or provided to, the IS Auditor,
these actions should be recorded as a management response in the final report. The
nature, timing and extent of the follow-up activities should take into account the
significance of the reported finding and the impact if corrective action is not taken. The
timing of IS Audit follow-up activities in relation to the original reporting should be a
matter of professional judgment, dependent on a number of considerations such as the
nature or magnitude of the associated risks and costs to the entity.

(e) Follow-up Procedures

Procedures for follow-up activities should be established, which include:

– The recording of a time frame within which management should respond to
agreed-upon recommendations

– An evaluation of management’s response

– A verification of the response, if thought appropriate

– Follow-up work, if thought appropriate

– A communications procedure that escalates outstanding and unsatisfactory
responses/actions to the appropriate levels of management

– A process for providing reasonable assurance of management’s assumption of
associated risks, in the event that remedial action is delayed or not proposed to be
implemented

– An automated tracking system or database can assist in the carrying out of follow-up
activities.
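As an added example of the automated tracking the last item refers to, the Python code below (written for this page, not a bank's system) keeps a register of findings with agreed remediation dates and response status, works out which findings are overdue as of a given date and to which level of management each should be escalated, and derives a follow-up date from the finding's severity, which is the "nature, timing and extent" judgment of section (d) expressed as a rule. The escalation ladder, severity-based intervals and sample findings are constructed assumptions that a bank would replace with values from its own audit policy.

```python
"""Added example (not from the guidelines): a small follow-up tracker for
audit findings. Agreed remediation dates and management response status are
recorded; the tracker reports overdue findings with the management level to
escalate to, and derives a follow-up date from severity. The ladder,
intervals and findings below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed escalation ladder: (days overdue, level to notify), lowest rung first.
ESCALATION_LADDER = [
    (1, "auditee"),
    (15, "department head"),
    (45, "Chief Audit Executive"),
    (90, "Audit Committee"),
]

# Assumed follow-up intervals by severity, in days after the report date.
FOLLOW_UP_INTERVAL = {"high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    ref: str
    severity: str       # "high", "medium" or "low"
    agreed_date: date   # date by which management agreed to remediate
    status: str         # "open", "rejected" (response judged unsatisfactory),
                        # "responded" (awaiting auditor verification),
                        # "verified", or "risk-accepted" (accepted by senior management)


# Constructed register of findings and the date the report is run.
FINDINGS = [
    Finding("F1", "high",   date(2024, 1, 31), "open"),
    Finding("F2", "medium", date(2024, 4, 1),  "responded"),
    Finding("F3", "low",    date(2024, 3, 31), "open"),
    Finding("F4", "high",   date(2023, 12, 1), "risk-accepted"),
    Finding("F5", "medium", date(2024, 4, 10), "rejected"),
    Finding("F6", "low",    date(2024, 4, 20), "open"),
]
AS_OF = date(2024, 4, 15)


def escalation_level(days_overdue):
    """Highest rung of the ladder reached for the given number of days overdue;
    None when the finding is not yet overdue."""
    level = None
    for threshold, name in ESCALATION_LADDER:
        if days_overdue >= threshold:
            level = name
    return level


def overdue_findings(findings, as_of):
    """[(ref, days overdue, escalation level)] for findings that still need
    management action, most overdue first. Responded items await auditor
    verification; verified and risk-accepted items are closed, so none of
    those count as overdue."""
    result = []
    for f in findings:
        if f.status not in ("open", "rejected"):
            continue
        days = (as_of - f.agreed_date).days
        if days >= 1:
            result.append((f.ref, days, escalation_level(days)))
    return sorted(result, key=lambda r: r[1], reverse=True)


def follow_up_due(finding, report_date):
    """Date by which the auditor should follow up, driven by the finding's severity."""
    return report_date + timedelta(days=FOLLOW_UP_INTERVAL[finding.severity])


if __name__ == "__main__":
    for ref, days, level in overdue_findings(FINDINGS, AS_OF):
        print(f"{ref}: {days} days overdue, escalate to {level}")
    for f in FINDINGS:
        print(f"{f.ref} ({f.severity}): next follow-up by {follow_up_due(f, AS_OF)}")
```

A risk-accepted finding drops out of the overdue list on purpose: the guidelines place that decision with senior management and the Board, so the tracker records it rather than escalating it, while a rejected (unsatisfactory) response stays on the escalation path.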
(f) Update Audit Summary Memorandum

An audit summary memorandum should be prepared, addressing the following:

– Conclusion about specific risks

– Changes in the bank, its environment and the banking industry that came to attention
after the completion of the audit planning memorandum and that caused a change to
the audit plan

– Conclusion regarding the appropriateness of the going concern assumption and the
effect, if any, on financial statements

– The result of subsequent reviews and the conclusion regarding the effect of
subsequent events on financial statements

– Conclusion reached in the evaluation of misstatements, including disclosure
deficiencies

– If a contradiction or inconsistency with the final conclusion regarding a significant
matter is observed, there should be proper documentation of how the inconsistency
was addressed

– Conclusion on whether the audit procedures performed and the audit evidence
obtained were appropriate and consistent to support the audit conclusion

(g) Archival of Documents

Banks are recommended to have an archiving/retention policy to archive the audit
results.

Banks should have an archiving policy that:

– Ensures the integrity of the data

– Defines appropriate access rights

– Decides on the appropriate archiving media

– Ensures ease of recovery
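One way to give the first and last of these points (integrity of the data, and ease of recovery) a technical footing, shown as an added Python example rather than anything from the guidelines: every archived workpaper is hashed into a manifest, the manifest is sealed with an HMAC under a key held by the audit function, and a verification routine later reports changed, missing or unlisted files as well as any tampering with the manifest itself. The directory layout, file contents and key are constructed; in practice the key would live in a key store with access limited to the audit function, and the verification would be run as part of each periodic recovery test.

```python
"""Added example (not from the guidelines): archiving IS Audit workpapers with
an integrity manifest. build_manifest() hashes every file and seals the
manifest with HMAC-SHA256; verify_archive() checks the seal and reports
changed, missing or unexpected files. Layout, contents and key are constructed."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
SEAL_NAME = "MANIFEST.hmac"


def sha256_file(path):
    """SHA-256 digest of a file, read in chunks so large scans and images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _archived_files(archive_dir):
    """Relative paths of every archived file, excluding the manifest and its seal."""
    return {p.relative_to(archive_dir).as_posix()
            for p in archive_dir.rglob("*")
            if p.is_file() and p.name not in (MANIFEST_NAME, SEAL_NAME)}


def build_manifest(archive_dir, key):
    """Record a digest for every archived file, write the manifest as JSON and an
    HMAC-SHA256 seal over the manifest bytes so the manifest cannot be silently edited."""
    archive_dir = Path(archive_dir)
    entries = {rel: sha256_file(archive_dir / rel) for rel in sorted(_archived_files(archive_dir))}
    manifest_bytes = json.dumps(entries, sort_keys=True).encode()
    (archive_dir / MANIFEST_NAME).write_bytes(manifest_bytes)
    (archive_dir / SEAL_NAME).write_text(hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest())
    return entries


def verify_archive(archive_dir, key):
    """Return (ok, problems). Problems read 'seal mismatch', 'changed: <file>',
    'missing: <file>' or 'unexpected: <file>'."""
    archive_dir = Path(archive_dir)
    problems = []
    manifest_bytes = (archive_dir / MANIFEST_NAME).read_bytes()
    expected_seal = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    actual_seal = (archive_dir / SEAL_NAME).read_text().strip()
    if not hmac.compare_digest(expected_seal, actual_seal):
        problems.append("seal mismatch")
    entries = json.loads(manifest_bytes)
    present = _archived_files(archive_dir)
    for rel, digest in entries.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(archive_dir / rel) != digest:
            problems.append(f"changed: {rel}")
    for rel in sorted(present - set(entries)):
        problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def run_scenario():
    """Build a constructed archive, verify it, tamper with files, then tamper with
    the manifest itself; return the three verification results."""
    key = b"constructed-audit-archive-key"   # placeholder: a real key lives in a key store
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "2024").mkdir()
        (root / "2024" / "planning-memo.txt").write_text("scope and objectives (constructed)")
        (root / "2024" / "evidence-log.txt").write_text("evidence list (constructed)")
        build_manifest(root, key)
        clean = verify_archive(root, key)
        # Tamper with the files: alter one workpaper, delete another, add an unlisted one.
        (root / "2024" / "evidence-log.txt").write_text("evidence list (altered)")
        (root / "2024" / "planning-memo.txt").unlink()
        (root / "2024" / "stray.txt").write_text("not part of the archive")
        tampered = verify_archive(root, key)
        # Tamper with the manifest: re-hash the altered file without knowing the key.
        manifest = json.loads((root / MANIFEST_NAME).read_bytes())
        manifest["2024/evidence-log.txt"] = sha256_file(root / "2024" / "evidence-log.txt")
        (root / MANIFEST_NAME).write_bytes(json.dumps(manifest, sort_keys=True).encode())
        forged = verify_archive(root, key)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, (ok, problems) in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAILED'} {problems}")
```

The seal is what makes the manifest trustworthy: a plain hash list can be regenerated by whoever altered a workpaper, whereas the HMAC can only be recomputed with the audit function's key, so the "forged" run in the scenario still fails even though the file digests now agree.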

Quality Review

This section is aimed at emphasising the quality of work of IS Auditors while performing
their duties as auditors. Appropriate levels in the IS Audit function are recommended to
assess audit quality by reviewing documentation, ensuring appropriate supervision of IS
Audit members and assessing whether IS Audit members have taken due care while
performing their duties. This will bring efficiency and control, and improve the quality of
the IS Audit.

Evidence and Documentation

IS Auditors may perform the following progressive reviews of the evidence and
documentation:

– A detailed review of each working paper prepared by a less experienced member of
the IS Audit team, by a more experienced member who did not participate in the
preparation of that working paper

– A primary review of the evidence and documentation by the Manager or IS Audit
Head. Where the manager performs a primary review, this does not require that each
working paper be reviewed in detail by the manager, as each working paper has
already been reviewed in detail by the person who performed the detailed review

– An overriding review of the working papers by the CAE, as needed

Supervision

IS Audit staff should be supervised to provide reasonable assurance that audit
objectives are accomplished and applicable professional auditing standards are met.

Due Care

The standard of “due care” is that level of diligence which a prudent and competent
person would exercise under a given set of circumstances. “Due professional care”
applies to an individual who professes to exercise a special skill such as IS auditing.
Due professional care requires the individual to exercise that skill to a level commonly
possessed by auditors with the specialty.

Due professional care applies to the exercise of professional judgment in the conduct
of work performed. It implies that the professional approaches matters requiring
professional judgment with proper diligence. Despite the exercise of due professional
care and professional judgment, situations may arise where an incorrect conclusion
may be drawn from a diligent review of the available facts and circumstances.
Therefore, the subsequent discovery of incorrect conclusions does not, in and of itself,
indicate inadequate professional judgment or lack of diligence on the part of the IS
Auditor.

Due professional care should extend to every aspect of the audit, including the
evaluation of audit risk, the formulation of audit objectives, the establishment of the
audit scope, the selection of audit tests, and the evaluation of test results.
In doing this, IS Auditors should determine or evaluate:

– The type and level of audit resources required to meet the audit objectives

– The significance of identified risks and the potential effect of such risks on the audit

– The audit evidence gathered

– The competence, integrity and conclusions of others upon whose work the IS Auditors
place reliance

Intended recipients of audit reports have an appropriate expectation that IS Auditors
have exercised due professional care throughout the course of the audit. IS Auditors
should not accept an assignment unless adequate skills, knowledge, and other
resources are available to complete the work in a manner expected of a professional.
IS Auditors should conduct the audit with diligence while adhering to professional
standards. IS Auditors should disclose the circumstances of any non-compliance with
professional standards in a manner consistent with the communication of the audit
results.

Independent Assurance of the Audit function

With a view to providing assurance to the bank's management and regulators, banks are
required to conduct a quality assurance review, at least once in three years, of the bank's
Internal Audit, including the IS Audit function, to validate the approach and practices
adopted in the discharge of its responsibilities as laid out in the Audit Policy.

Objectives of performing a quality assessment are:

• Assess efficiency and effectiveness of an Internal Audit for current and future
business goals

• Determine value addition from Internal Audit to the business units

• Benchmark, identify and recommend successful practices of Internal Audit

• Assess compliance to standards for professional practice of Internal Audit

Others:

As a matter of prudence, banks should rotate IS Auditors in a specific area on a periodic
basis.

An information system (IS) audit or information technology (IT) audit is an examination
of the controls within an entity's information technology infrastructure. These reviews
may be performed in conjunction with a financial statement audit, internal audit, or
other form of attestation engagement. It is the process of collecting and evaluating
evidence of an organization's information systems, practices, and operations. Evaluating
the evidence obtained can establish whether the organization's information systems
safeguard assets, maintain data integrity, and are operating effectively and efficiently
to achieve the organization's goals or objectives.

An IS audit is not entirely similar to a financial statement audit. An evaluation of internal
controls may or may not take place in an IS audit. Reliance on internal controls is a
unique characteristic of a financial audit. An evaluation of internal controls is necessary
in a financial audit in order to allow the auditor to place reliance on the internal
controls and therefore substantially reduce the amount of testing necessary to form an
opinion regarding the financial statements of the company. An IS audit, on the other
hand, tends to focus on determining risks that are relevant to information assets and on
assessing controls in order to reduce or mitigate these risks. An IT audit may take the
form of a "general control review" or a "specific control review". Regarding the
protection of information assets, one purpose of an IS audit is to review and evaluate
an organization's information system's availability, confidentiality, and integrity by
answering the following questions:

1. Will the organization's computerized systems be available for the business at all
times when required? (Availability)

2. Will the information in the systems be disclosed only to authorized users?
(Confidentiality)

3. Will the information provided by the system always be accurate, reliable, and
timely? (Integrity)

The performance of an IS Audit covers several facets of the financial and
organizational functions of our Clients. The diagram to the right gives you an overview
of the Information Systems Audit flow: from Financial Statements to the Control
Environment and Information Systems Platforms.

Information Systems Audit Methodology

Our methodology has been developed in accordance with international Information
Systems Audit standards, e.g. the ISACA Information Systems Audit Standards and
Guidelines and the Sarbanes-Oxley/COSO standard. The starting point of this
methodology is to carry out planning activities geared towards integrating a risk-based
audit approach into the IS Audit.

PHASE 1: Audit Planning

In this phase we plan the information system coverage to comply with the audit
objectives specified by the Client and ensure compliance to all Laws and Professional
Standards. The first thing is to obtain an Audit Charter from the Client detailing the
purpose of the audit, the management responsibility, authority and accountability of the
Information Systems Audit function as follows:
1. Responsibility: The Audit Charter should define the mission, aims, goals
and objectives of the Information System Audit. At this stage we also define the
Key Performance Indicators and an Audit Evaluation process;

2. Authority: The Audit Charter should clearly specify the Authority assigned
to the Information Systems Auditors with relation to the Risk Assessment work
that will be carried out, right to access the Client’s information, the scope and/or
limitations to the scope, the Client’s functions to be audited and the auditee
expectations; and

3. Accountability: The Audit Charter should clearly define reporting lines,
appraisals, assessment of compliance and agreed actions.

The Audit Charter should be approved and agreed upon by an appropriate level within
the Client’s Organization.

See Template for an Audit Charter/ Engagement Letter here.

In addition to the Audit Charter, we should be able to obtain a written representation
("Letter of Representation") from the Client's Management acknowledging:

1. Their responsibility for the design and implementation of the Internal
Control Systems affecting the IT Systems and processes

2. Their willingness to disclose to the Information Systems Auditor their
knowledge of irregularities and/or illegal acts affecting their organisation
pertaining to management and employees with significant roles within the
internal audit department

3. Their willingness to disclose to the IS Auditor the results of any risk
assessment that a material misstatement may have occurred

See a Template for a Letter of Representation here.

PHASE 2 – Risk Assessment and Business Process Analysis

Risk is the possibility of an act or event occurring that would have an adverse effect on
the organisation and its information systems. Risk can also be the potential that a given
threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or
damage to, the assets. It is ordinarily measured by a combination of effect and
likelihood of occurrence.

More and more organisations are moving to a risk-based audit approach that can be
adapted to develop and improve the continuous audit process. This approach is used
to assess risk and to assist an IS auditor’s decision to do either compliance testing or
substantive testing. In a risk based audit approach, IS auditors are not just relying on
risk. They are also relying on internal and operational controls as well as knowledge of
the organisation. This type of risk assessment decision can help relate the cost/benefit
analysis of the control to the known risk, allowing practical choices.

The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in
making decisions such as:

1. The area/business function to be audited

2. The nature, extent and timing of audit procedures

3. The amount of resources to be allocated to an audit


The following types of risks should be considered:

Inherent Risk: Inherent risk is the susceptibility of an audit area to error which could be
material, individually or in combination with other errors, assuming that there were no
related internal controls. In assessing the inherent risk, the IS auditor should consider
both pervasive and detailed IS controls. This does not apply to circumstances where
the IS auditor's assignment is related to pervasive IS controls only. Pervasive IS
controls are general controls which are designed to manage and monitor the IS
environment and which therefore affect all IS-related activities. Some of the pervasive
IS controls that an auditor may consider include:

• The integrity of IS management and IS management experience and knowledge

• Changes in IS management
• Pressures on IS management which may predispose them to conceal or
misstate information (e.g. large business-critical project over-runs, and hacker
activity)

• The nature of the organisation’s business and systems (e.g., the plans for
electronic commerce, the complexity of the systems, and the lack of integrated
systems)

• Factors affecting the organisation's industry as a whole (e.g., changes in
technology, and IS staff availability)

• The level of third party influence on the control of the systems being audited
(e.g., because of supply chain integration, outsourced IS processes, joint business
ventures, and direct access by customers)

• Findings from and date of previous audits

A detailed IS control is a control over acquisition, implementation, delivery and support
of IS systems and services. The IS auditor should consider, to the level appropriate for
the audit area in question:

• The findings from and date of previous audits in this area

• The complexity of the systems involved

• The level of manual intervention required

• The susceptibility to loss or misappropriation of the assets controlled by the
system (e.g., inventory, and payroll)

• The likelihood of activity peaks at certain times in the audit period

• Activities outside the day-to-day routine of IS processing (e.g., the use of
operating system utilities to amend data)

• The integrity, experience and skills of the management and staff involved in
applying the IS controls

Control Risk: Control risk is the risk that an error which could occur in an audit area,
and which could be material, individually or in combination with other errors, will not be
prevented or detected and corrected on a timely basis by the internal control system.
For example, the control risk associated with manual reviews of computer logs can be
high because activities requiring investigation are often easily missed owing to the
volume of logged information. The control risk associated with computerised data
validation procedures is ordinarily low because the processes are consistently applied.
The IS auditor should assess the control risk as high unless relevant internal controls
are:

• Identified

• Evaluated as effective

• Tested and proved to be operating appropriately
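The contrast drawn above, manual review of voluminous logs being easily missed against computerised checks being applied consistently, is illustrated by the following added Python example; it is not from the page and not part of any audit toolkit. It applies the same two tests to every line of a constructed sample log: repeated login failures for one user within a short window, and direct amendment of data outside the application (with out-of-hours changes escalated). The log layout, event names and thresholds are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp key=value ..." layout; it is not
# the output of any real banking product. Event names are assumptions of this example.
SAMPLE_LOG = """\
2024-03-04 09:02:11 user=teller07 event=LOGIN_OK src=10.1.4.21
2024-03-04 09:05:40 user=teller07 event=TXN_POST src=10.1.4.21 amount=1200.00
2024-03-04 12:17:03 user=ops02 event=LOGIN_FAIL src=10.1.9.8
2024-03-04 12:17:09 user=ops02 event=LOGIN_FAIL src=10.1.9.8
2024-03-04 12:17:15 user=ops02 event=LOGIN_FAIL src=10.1.9.8
2024-03-04 12:17:22 user=ops02 event=LOGIN_OK src=10.1.9.8
2024-03-04 23:41:50 user=dba01 event=DIRECT_DB_UPDATE src=10.1.2.5 table=ACCOUNT_BALANCE
2024-03-05 10:30:00 user=dba01 event=DIRECT_DB_UPDATE src=10.1.2.5 table=ACCOUNT_BALANCE
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<rest>.+)$")

# Thresholds are assumed parameters of this example, not values from the page.
FAIL_THRESHOLD = 3                  # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window
BUSINESS_HOURS = (8, 20)            # 08:00 to 20:00 counts as routine processing time


def parse_log(text):
    """Parse each well-formed line into a dict; malformed lines are returned separately
    so the reviewer can see what the automated check could not interpret."""
    events, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events, rejected


def review_events(events):
    """Apply the same tests to every event; returns (rule, user, timestamp) findings."""
    findings = []
    recent_fails = defaultdict(list)  # user -> failure timestamps inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        kind, user, ts = e.get("event"), e.get("user", "?"), e["ts"]
        if kind == "LOGIN_FAIL":
            window = recent_fails[user]
            window.append(ts)
            window[:] = [t for t in window if ts - t <= FAIL_WINDOW]
            if len(window) == FAIL_THRESHOLD:  # report once, when the threshold is reached
                findings.append(("repeated_login_failures", user, ts))
        elif kind == "DIRECT_DB_UPDATE":
            # Amending data outside the application is outside routine processing and is
            # always reported; a change outside business hours is escalated.
            in_hours = BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
            rule = "direct_data_change" if in_hours else "direct_data_change_out_of_hours"
            findings.append((rule, user, ts))
    return findings


def review_log(text=SAMPLE_LOG):
    events, rejected = parse_log(text)
    return review_events(events), rejected


if __name__ == "__main__":
    for finding in review_log()[0]:
        print(*finding)
```

Because every line passes through the same rules, the result does not depend on how attentive the reviewer was on a given day; the rejected-line list is what tells the auditor where the automated control itself has a blind spot.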

Detection Risk: Detection risk is the risk that the IS auditor’s substantive procedures
will not detect an error which could be material, individually or in combination with other
errors. In determining the level of substantive testing required, the IS auditor should
consider both:

• The assessment of inherent risk

• The conclusion reached on control risk following compliance testing

The higher the assessment of inherent and control risk the more audit evidence the IS
auditor should normally obtain from the performance of substantive audit procedures.

Our Risk Based Information Systems Audit Approach


A risk based approach to an Information Systems Audit will enable us to develop an
overall and effective IS Audit plan which will consider all the potential weaknesses
and /or absence of Controls and determine whether this could lead to a significant
deficiency or material weakness.

In order to perform an effective Risk Assessment, we will need to understand the
Client's Business Environment and Operations. Usually the first phase in carrying out a
Risk Based IS Audit is to obtain an understanding of the Audit Universe. In
understanding the Audit Universe we perform the following:

• Identify areas where the risk is unacceptably high

• Identify critical control systems that address high inherent risks

• Assess the uncertainty that exists in relation to the critical control systems

In carrying out the Business Process Analysis we:

• Obtain an understanding of the Client Business Processes


• Map the Internal Control Environment

• Identify areas of Control Weaknesses

The chart to the right summarises the business process analysis phase.

The template xxx will provide you with a guideline to document an organisation's
business sub-processes identified during the risk analysis phase. For each of the
sub-processes, we identify a list of What Could Go Wrong (WCGW) items. Each WCGW
represents a threat to a particular process. A single process would have multiple
WCGWs. For each of the WCGWs identified in the prior phase we will determine the
Key Activities within that process. For each Key Activity:

1. We will identify the Information Systems Controls

2. For each of the Controls identified, we rate the impact/effect of the lack of that
control (on a rating of 1 - 5, with 5 indicating the highest impact), and then determine
the likelihood of the threat occurring (also on a rating of 1 - 5, with 5 representing the
highest likelihood).

<< Outline specific risk assessment methodology here>>
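As an added worked example of the rating scheme described above (not the template or methodology the page refers to), the following Python code records the impact and likelihood ratings for each control identified under a key activity, combines them into a score, and ranks the WCGWs so that audit effort goes to the highest-rated threats first. The composite score, the bands, and the sample sub-processes and controls are assumptions of this example.

```python
from dataclasses import dataclass

# Score bands are an assumption of this example; the page fixes only the two 1-5 scales.
BANDS = ((1, 5, "low"), (6, 12, "medium"), (13, 25, "high"))


@dataclass(frozen=True)
class ControlRating:
    """One Information Systems Control identified for a key activity, with its two ratings."""
    key_activity: str
    control: str
    impact: int       # effect of the control being absent: 1 (lowest) to 5 (highest)
    likelihood: int   # likelihood of the threat occurring: 1 (lowest) to 5 (highest)

    def __post_init__(self):
        for name in ("impact", "likelihood"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood  # composite on a 1-25 scale (assumed)

    @property
    def band(self) -> str:
        return next(label for low, high, label in BANDS if low <= self.score <= high)


@dataclass(frozen=True)
class Wcgw:
    """A 'What Could Go Wrong' item: one threat to a sub-process and its rated controls."""
    sub_process: str
    threat: str
    ratings: tuple  # ControlRating objects, one per control under the key activities

    def worst(self) -> ControlRating:
        return max(self.ratings, key=lambda r: r.score)


def rank_wcgws(items):
    """Order WCGWs by their worst-rated control, highest first, to direct audit effort."""
    return sorted(items, key=lambda w: w.worst().score, reverse=True)


def plan_summary(items):
    """(sub-process, threat, worst score, band) per WCGW, in planning priority order."""
    return [(w.sub_process, w.threat, w.worst().score, w.worst().band)
            for w in rank_wcgws(items)]


# Constructed sample for a few core-banking sub-processes; names and ratings are invented.
SAMPLE_WCGWS = (
    Wcgw("Fund transfer", "Transfer posted without second-person approval", (
        ControlRating("Transaction authorisation", "Maker-checker enforced in CBS",
                      impact=5, likelihood=2),
        ControlRating("User administration", "Periodic review of user privileges",
                      impact=3, likelihood=3),
    )),
    Wcgw("End-of-day processing", "EOD batch fails without anyone noticing", (
        ControlRating("Batch operations", "Job monitoring with failure alerts",
                      impact=4, likelihood=4),
    )),
    Wcgw("Standing instructions", "Instruction amended directly in the database", (
        ControlRating("Database administration", "Restricted access to data utilities",
                      impact=5, likelihood=1),
        ControlRating("Database administration", "Logging and review of direct data changes",
                      impact=4, likelihood=2),
    )),
)

if __name__ == "__main__":
    for row in plan_summary(SAMPLE_WCGWS):
        print(*row, sep=" | ")
```

Rejecting ratings outside 1 - 5 at construction time keeps the worksheet consistent across auditors; ranking by the worst-rated control rather than an average avoids a strong control masking a weak one under the same threat.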

PHASE 3 – Performance of Audit Work


In the performance of Audit Work the Information Systems Audit Standards require us to
provide supervision, gather audit evidence and document our audit work. We achieve
this objective through:

• Establishing an Internal Review Process where the work of one person is
reviewed by another, preferably a more senior person.

• Obtaining sufficient, reliable and relevant evidence through inspection,
observation, inquiry, confirmation and recomputation of calculations.

• Documenting our work by describing the audit work done and the audit evidence
gathered to support the auditors' findings.

Based on our risk assessment and upon the identification of the risky areas, we move
ahead to develop an Audit Plan and Audit Program. The Audit Plan will detail the
nature, objectives, timing and the extent of the resources required in the audit.

See Template for a Sample Audit Plan.


Based on the compliance testing carried out in the prior phase, we develop an audit
program detailing the nature, timing and extent of the audit procedures. In the Audit
Plan various Control Tests and Reviews can be done. They are sub-divided into:

1. General/ Pervasive Controls

2. Specific Controls

The chart below to the left shows the Control Review Tests that can be performed in the
two Control Tests above.

Control Objectives for Information and related Technology (COBIT)

The Control Objectives for Information and related Technology (COBIT) is a set of best
practices (framework) for information (IT) management created by the Information
Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI)
in 1992.

COBIT provides managers, auditors, and IT users with a set of generally accepted
measures, indicators, processes and best practices to assist them in maximizing the
benefits derived through the use of information technology and developing appropriate
IT governance and control in a company.
COBIT helps meet the multiple needs of management by bridging the gaps
between business risks, control needs and technical issues. It provides a best
practices framework for managing IT resources and presents management control
activities in a manageable and logical structure. This framework will help optimise
technology information investments and will provide a suitable benchmark measure.
The Framework comprises a set of 34 high-level Control Objectives, one for each of
the IT processes listed in the framework. These are then grouped into four domains:
planning and organisation, acquisition and implementation, delivery and support,
and monitoring. This structure covers all aspects of information processing and
storage and the technology that supports it. By addressing these 34 high-level
control objectives, we will ensure that an adequate control system is provided for
the IT environment. A diagrammatic representation of the framework is shown
below.

We shall apply the COBIT framework in planning, executing and reporting the
results of the audit. This will enable us to review the General Controls Associated
with IT Governance Issues. Our review shall cover the following domains;
• Planning and organisation of information resources;

• The planning and acquisition of systems and path in stage growth model
of information systems;

• The delivery and support of the IS/IT including facilities, operations,
utilisation and access;

• Monitoring of the processes surrounding the information systems;

• The level of effectiveness, efficiency, confidentiality, integrity, availability,
compliance and reliability associated with the information held in; and

• The level of utilisation of IT resources available within the environment of
the IS including people, the application systems of interface, technology,
facilities and data.

The above control objectives will be matched with the business control objectives to
apply specific audit procedures that will provide information on the controls built in
the application, indicating areas of improvement that we need to focus on achieving.

Application Control Review

An Application Control Review will provide management with reasonable assurance
that transactions are processed as intended and the information from the system is
accurate, complete and timely. An Application Controls review will check:

• Controls effectiveness and efficiency

• Application security

• Whether the application performs as expected

A Review of the Application Controls will cover an evaluation of a transaction life
cycle from data origination, preparation, input, transmission, processing and output
as follows:

1. Data Origination controls are controls established to prepare and
authorize data to be entered into an application. The evaluation will involve a
review of source document design and storage, user procedures and
manuals, special purpose forms, transaction ID codes, cross reference
indices and alternate documents where applicable. It will also involve a
review of the authorization procedures and separation of duties in the data
capture process.

2. Input preparation controls are controls relating to transaction numbering,
batch serial numbering, processing, logs analysis and a review of
transmittal and turnaround documents.

3. Transmission controls involve batch proofing and balancing, processing
schedules, review of error messages, corrections monitoring and transaction
security.

4. Processing controls ensure the integrity of the data as it undergoes the
processing phase, including relational database controls, data storage and
retrieval.

5. Output controls involve procedures relating to report distribution,
reconciliation, output error processing and records retention.

The use of Computer Aided Audit Techniques (CAATs) in the performance of an IS Audit

The Information Systems Audit Standards require that during the course of an
audit, the IS auditor obtain sufficient, reliable and relevant evidence to
achieve the audit objectives. The audit findings and conclusions are to be supported
by appropriate analysis and interpretation of this evidence. CAATs are useful in
achieving this objective.

Computer Assisted Audit Techniques (CAATs) are important tools for the IS auditor
in performing audits. They include many types of tools and techniques, such as
generalized audit software, utility software, test data, application software tracing
and mapping, and audit expert systems. For us, our CAATs include ACL Data
Analysis Software and the Information Systems Audit Toolkit (ISAT).

CAATs may be used in performing various audit procedures including:

• Tests of details of transactions and balances(Substantive Tests)

• Analytical review procedures

• Compliance tests of IS general controls

• Compliance tests of IS application controls

CAATs may produce a large proportion of the audit evidence developed on IS audits
and, as a result, the IS auditor should carefully plan for and exhibit due professional
care in the use of CAATs.The major steps to be undertaken by the IS auditor in
preparing for the application of the selected CAATs are:

• Set the audit objectives of the CAATs

• Determine the accessibility and availability of the organisation's IS
facilities, programs/system and data

• Define the procedures to be undertaken (e.g., statistical sampling,
recalculation, confirmation, etc.)

• Define output requirements

• Determine resource requirements, i.e., personnel, CAATs, processing
environment (organisation's IS facilities or audit IS facilities)

• Obtain access to the client's IS facilities, programs/system, and data,
including file definitions

• Document CAATs to be used, including objectives, high-level flowcharts,
and run instructions

• Make appropriate arrangements with the Auditee and ensure that:

1. Data files, such as detailed transaction files, are retained and made
available before the onset of the audit.

2. You have obtained sufficient rights to the client's IS facilities,
programs/system, and data.

3. Tests have been properly scheduled to minimise the effect on the
organisation's production environment.

4. The effect of changes to the production programs/system has been
properly considered.

See Template here for example tests that you can perform with ACL
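The application control review steps above (transaction numbering, batch proofing and balancing, recomputation) and the substantive and compliance tests listed for CAATs can be re-performed with a script. The following Python example is added here to illustrate that and is not the page's ACL template or any product's code; it runs four tests over a constructed batch of payment records: sequence gaps and duplicate transaction numbers, batch count and control-total reconciliation, recomputation of a posted fee, and detection of repeated payments. The batch values, the record layout and the 0.5% fee tariff are assumptions of the example.

```python
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

# Assumed tariff used only to re-perform the fee calculation: 0.5% of the amount.
FEE_RATE = Decimal("0.005")
CENT = Decimal("0.01")

# Constructed batch: a header carrying control totals and the detail records that were
# posted. Values are invented and contain deliberate exceptions for the tests to surface.
BATCH_HEADER = {"batch_id": "B-20240304-01", "record_count": 6,
                "control_total": Decimal("15700.00")}
BATCH_DETAILS = [
    {"txn_no": 1001, "date": "2024-03-04", "payee": "ACME LTD",
     "amount": Decimal("2500.00"), "fee": Decimal("12.50")},
    {"txn_no": 1002, "date": "2024-03-04", "payee": "XYZ TRADERS",
     "amount": Decimal("4200.00"), "fee": Decimal("21.00")},
    {"txn_no": 1003, "date": "2024-03-04", "payee": "J SINGH",
     "amount": Decimal("1000.00"), "fee": Decimal("5.00")},
    {"txn_no": 1003, "date": "2024-03-04", "payee": "ACME LTD",      # duplicate number
     "amount": Decimal("2500.00"), "fee": Decimal("12.50")},         # and repeat payment
    {"txn_no": 1005, "date": "2024-03-04", "payee": "P RAO",         # 1004 is missing
     "amount": Decimal("3000.00"), "fee": Decimal("15.00")},
    {"txn_no": 1006, "date": "2024-03-04", "payee": "R MEHTA",
     "amount": Decimal("2700.00"), "fee": Decimal("13.00")},         # fee understated
]


def sequence_exceptions(details):
    """Input preparation control: transaction numbering must be unbroken and unique."""
    numbers = [d["txn_no"] for d in details]
    counts = Counter(numbers)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    gaps = sorted(set(range(min(numbers), max(numbers) + 1)) - set(numbers))
    return {"duplicates": duplicates, "gaps": gaps}


def batch_balance(header, details):
    """Transmission control: batch proofing of record count and control total."""
    total = sum((d["amount"] for d in details), Decimal("0"))
    return {
        "count_ok": len(details) == header["record_count"],
        "total_ok": total == header["control_total"],
        "difference": total - header["control_total"],  # positive: details exceed header
    }


def fee_exceptions(details):
    """Processing control: re-perform the fee calculation and list the mismatches."""
    out = []
    for d in details:
        expected = (d["amount"] * FEE_RATE).quantize(CENT, rounding=ROUND_HALF_UP)
        if expected != d["fee"]:
            out.append({"txn_no": d["txn_no"], "posted": d["fee"], "recomputed": expected})
    return out


def duplicate_payments(details):
    """Substantive test: the same payee, amount and date appearing more than once."""
    keys = Counter((d["date"], d["payee"], d["amount"]) for d in details)
    return sorted(k for k, c in keys.items() if c > 1)


def run_caat_tests(header=BATCH_HEADER, details=BATCH_DETAILS):
    """Run all four tests and return their exception lists for the working papers."""
    return {
        "sequence": sequence_exceptions(details),
        "balance": batch_balance(header, details),
        "fees": fee_exceptions(details),
        "duplicate_payments": duplicate_payments(details),
    }


if __name__ == "__main__":
    for name, result in run_caat_tests().items():
        print(name, result)
```

Amounts are handled as Decimal rather than float so that the recomputed fee and the control total compare exactly; a float-based recomputation can produce spurious one-cent exceptions that waste the auditor's time and hide the real ones.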

PHASE 4: Reporting

Upon the performance of the audit tests, the Information Systems Auditor is required
to produce an appropriate report communicating the results of the IS Audit. An IS
Audit report should:

1. Identify the organization, intended recipients and any restrictions on
circulation

2. State the scope, objectives, period of coverage, nature, timing and the
extent of the audit work

3. State findings, conclusions, recommendations and any reservations,
qualifications and limitations

4. Provide audit evidence

The Information Systems (IS) audit group assesses the University's critical systems,
technology architecture and processes to assure information assets are protected,
reliable, available and compliant with University policies and procedures, as well as
applicable laws and regulations. We emphasize the importance of mitigating
security risks during our audit coverage of the University’s application, operating
and networking systems. Through our integrated and IT governance audits, we
evaluate information technology’s impact on the University’s processes and its
abilities to achieve its goals and objectives. Our evaluations are objective and
professional, utilizing COBIT (Control Objectives for Information and related
Technology) framework, an international standard for good IT control practices.

ISA provides the following audit services:

• IT Governance - IT governance audits include reviews of the organization's
fiduciary responsibility in satisfying the quality of IT delivery services while aligning
with the business objectives and establishing an adequate system of internal
controls.

• Information Systems - Information systems audits focus on security controls of
physical and logical security of the server including change control, administration
of server accounts, system logging and monitoring, incident handling, system
backup and disaster recovery.

• Integrated Audits - Integrated audits include reviews of the business operations
and their dependency on automated systems to support the business process. We
consider information technology and financial and operational processes as
mutually dependent for establishing an effective and efficient control environment.
From the technology perspective, the audit focuses on application controls,
administration of user access, application change control and backup and recovery
to assure reliability, integrity and availability of the data.

• Control Self-assessments - Control Self-assessments are designed for
departments that manage and operate a technology environment. These self-
assessment tools can be used to identify potential areas of control weakness in the
management of the technology environment.

• Compliance - Compliance audits include University policies and procedures,
Payment Card Industry (PCI), the Health Insurance Portability and Accountability
Act (HIPAA), Family Education Rights and Privacy Act (FERPA) and any other
applicable laws and regulations.

IT & LEGAL ISSUES

Introduction

The Basel Committee on Banking Supervision, in its "Consultative Document on
Operational Risk", defines "operational risk" as the risk of direct or indirect loss
resulting from inadequate or failed internal processes, people and systems, or
from external events. This definition includes legal risk [1].

The Information Technology Act, 2000 (IT Act, 2000) was enacted to handle
certain issues relating to Information Technology. The IT Amendment Act, 2008
has made further modifications to address more issues such as cyber crimes. It
is critical that the impact of cyber laws is taken into consideration by banks to
obviate any risk arising therefrom.

A. Guidance for Banks

Roles and Responsibilities and Organizational Structure

Board: The Risk Management Committee at the Board level needs to put in
place the processes to ensure that legal risks arising from cyber laws are
identified and addressed. It also needs to ensure that the concerned functions
are adequately staffed and that the human resources are trained to carry out the
relevant tasks in this regard.

Operational Risk Group: This group needs to incorporate legal risks as part of
operational risk framework and take steps to mitigate the risks involved in
consultation with its legal functions within the bank.

Legal Department: The legal function within the bank needs to advise the
business groups on the legal issues arising out of use of Information Technology
with respect to the legal risk identified and referred to it by the Operational Risk
Group.

Computer related offences and Penalty/Punishment

The IT Act, 2000 as amended exposes the banks to both civil [2] and
criminal [3] liability. The civil liability could consist of exposure to pay damages by
way of compensation up to 5 crore under the amended Information Technology
Act before the Adjudicating Officer and beyond five crore in a court of competent
jurisdiction. There could also be exposure to criminal liability for the top
management of the banks given the provisions of Chapter XI of the amended IT
Act [4], and the exposure to criminal liability could consist of imprisonment for a term
which could extend from three years to life imprisonment as well as a fine. Further,
various computer related offences are enumerated in the aforesaid provisions.

Critical aspects

Legal risk and operational risk are the same. Most risks are sought to
be covered by documentation, particularly where the law is silent.
The Basel-II accord covers "legal risk" under "operational risk." Documentation forms an
important part of the banking and financial sector. For many,
documentation is a panacea to the legal risks that may arise in
banking activities. But then, it has also been realized and widely
acknowledged that loopholes do exist in documentation.

[1] http://www.bis.org/publ/bcbsca07.pdf

[2] Sections 43-45

[3] Sections 65-74

[4] Section 85

Legal risks need to be incorporated as part of operational risks and
the position needs to be periodically communicated to the top
management and Board/Risk Management Committee of the Board.

As the law on data protection and privacy in the Indian context is at
an evolving stage, banks have to keep in view the specific provisions
of the IT Act, 2000 (as amended in 2008), various judicial and quasi-
judicial pronouncements and related developments in the cyber laws
in India as part of legal risk mitigation measures. Banks are also
required to keep abreast of the latest developments in the IT Act, 2000
and the rules, regulations, notifications and orders issued thereunder
pertaining to bank transactions and emerging legal standards on
digital signature, electronic signature, data protection, cheque
truncation, electronic fund transfer etc. as part of the overall operational
risk management process.
The Information Technology (Amendment) Act, 2008
The main Indian act that addresses legal challenges specifically as they relate to
the Internet is the Information Technology (Amendment) Act, 2008, or for short, the
IT Act. We highlight the sections that have the greatest relevance for the Internet
and democracy. This includes sections relating to government takedowns,
monitoring and interception of communication and intermediary liability.

• Section 69A and the Blocking Rules: Allowing the Government to block
content under certain circumstances

Section 69A of the IT (Amendment) Act, 2008, allows the Central Government to
block content where it believes that this content threatens the security of the State;
the sovereignty, integrity or defence of India; friendly relations with foreign States;
public order; or to prevent incitement for the commission of a cognisable offence
relating to any of the above. A set of procedures and safeguards to which the
Government has to adhere when doing so have been laid down in what have
become known as the Blocking Rules.

• Section 79 and the IT Rules: Privatising censorship in India

Section 79 of the Information Technology (Amendment) Act, 2008 regulates the
liability of a wide range of intermediaries in India. The section came in the limelight
mostly because of the infamous Intermediary Guidelines Rules, or IT Rules, which
were made under it. The IT Rules constitute an important and worrying move
towards the privatisation of censorship in India.

• Sections 67 and 67A: No nudity, please

The large amounts of 'obscene' material that circulate on the Internet have long
attracted comment in India. Not surprisingly, then, in the same way as obscenity is
prohibited offline in the country, so it is online as well. The most important tools to
curtail it are sections 67 and 67A of the IT Act, prohibiting obscene and sexually
explicit material respectively.

• Section 66A: Do not send offensive messages

Section 66A of the Information Technology (Amendment) Act, 2008 prohibits the
sending of offensive messages through a communication device (i.e. through an
online medium). The types of information this covers are offensive messages of a
menacing character, or a message that the sender knows to be false but is sent for
the purpose of 'causing annoyance, inconvenience, danger, obstruction, insult,
injury, criminal intimidation, enmity, hatred, or ill will.' If you're booked under Section
66A, you could face up to 3 years of imprisonment along with a fine.
• Freedom of expression

To balance freedom of expression with other human rights is, at times, a difficult
and delicate task. From hate speech to intermediary liability, we tease out and shed
greater light on the various challenges that make this task particularly complicated,
proposing ways forward that can further strengthen and promote the right to
freedom of expression, in India and beyond, as well.

• Cyber security, surveillance and human rights

With the advent of new technology, new security threats have emerged for people,
businesses and states. Oftentimes, responses to such threats, including states’
exercise of their unprecedented power to surveil their populations, have been
criticised for their negative impact on human rights. Can security and human rights
no longer be reconciled in the Internet age?

The Information Technology (Amendment) Act, 2008, an act to amend the IT Act
2000, received the assent of the President on 5th February 2009. Several legal and
security experts are in the process of analyzing the contents and possible impacts
of the amendments. The objective of this note is to study the possible
implications and impacts on Indian companies. This note is not intended to be a
comprehensive analysis of the amendments, but covers only certain key points which
could impact Indian companies.
Data Protection
The IT Act 2000 did not have any specific reference to Data Protection, the closest
being a provision to treat data vandalism as an offense. The Government
introduced a separate bill called "Personal Data Protection Act 2006" which is
pending in the Parliament and is likely to lapse. The ITA 2008 has introduced two
sections which address Data Protection aspects to an extent, which gives rise to
certain key considerations for the sector.
The sections under consideration are:
Section 43A: Compensation for failure to protect data
Section 72A: Punishment for disclosure of information in breach of lawful contract
Section 43A states
Where a body corporate, possessing, dealing or handling any sensitive personal
data or information in a computer resource which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, such
body corporate shall be liable to pay damages by way of compensation, to the
person so affected.
By way of explanation: "Body corporate means Indian companies."
"Reasonable security practices mean a mutual contract between the customer and
service provider OR as per the specified law. In the absence of both, then as specified
by the Central Government."
Hence it would be important for Indian companies to seriously look at the SLAs and
agreements which have been signed with clients to understand the data protection
implications. The same goes for understanding the applicable laws.
A major modification is that this clause doesn’t mention the compensation limit of
Rs. 1 Crore which was there as part of section 43 of the ITA 2000. This implies that
there is no upper limit for damages that can be claimed. This essentially is
“unlimited liability” for Indian companies, which could cause serious business
implications.
Section 72A:
Under this section, disclosure without consent exposes a person, including an
"intermediary", to three years' imprisonment or a fine of up to Rs. five lakhs, or both.
This section uses the term "personal information" and not "sensitive personal
information" as in section 43A. Hence it could apply to any information which is
obtained in order to deliver services, and in this way it broadens the scope of
information covered.
2. Information Preservation
Across the amendments there are several references to "service providers" or
"intermediaries", which in some form would apply to all Indian companies.
E.g. Section 67C: Preservation and Retention of information by intermediaries:
"Intermediary shall preserve and retain such information as may be specified for
such duration and in such manner and format as the Central Government may
prescribe." Any intermediary who intentionally or knowingly contravenes the
provisions shall be punished with imprisonment for a term which may extend to 3
years and shall also be liable to a fine.
The notifications on time for preservation etc. are not yet released. However since
this is a “cognizable” offense any police inspector can start investigations against
the CEO of a company.
Apart from the two aspects discussed in this note, there are other areas which could
also be considerations, for example:
Sec 69: Power to issue directions for interception or monitoring or decryption of any
information through any computer resource.
Sec 69B: Power to authorize the monitoring and collection of traffic data or information
through any computer resource for cyber security, etc.
In summary, IT Risk management and response needs to be looked at by all
companies for various reasons including customer assurance, compliance,
customer regulations, protection of information assets etc. The ITA 2008
amendments provide us with few additional factors for considerations which could
have significant impact on business. Information technology regulations and laws
would only get more stringent and defined; hence it’s imperative for organizations to
be aware and prepared.

Additional Information:
Information Technology (Amendment) Act, 2008

BRIEF HISTORY
The Indian Information Technology Act 2000 ("Act") was based on the Model Law
on Electronic Commerce adopted by the United Nations Commission on
International Trade Law[1]; the suggestion was that all States intending to enact a
law for the impugned purpose give favourable consideration to the said Model Law
when they enact or revise their laws, in view of the need for uniformity of the law
applicable to alternatives to paper-based methods of communication and storage of
information. Thus the Act was enacted to provide legal recognition for transactions
carried out by means of electronic data interchange and other means of electronic
communication, commonly referred to as "electronic commerce", which involved the
use of alternatives to traditional or paper-based methods of communication and
storage of information, and to facilitate electronic filing of documents with
Government agencies. It was also considered necessary to give effect to the said
resolution and to promote efficient delivery of Government services by means of
reliable electronic records. The Act received the assent of the President on the 9th
of June, 2000.

Disclaimer
While every effort has been made by me to avoid errors or omissions in this
publication, any error or discrepancy noted may be brought to my notice through
e-mail to [email protected] and shall be taken care of in the subsequent
editions. It is also suggested that to clarify any doubt colleagues should cross-check
the facts, laws and contents of this publication with original Govt. / RBI /
Manuals/Circulars/Notifications/Memo/Spl Comm. of our bank. Blog for
updates: https://iibfadda.blogspot.com/

The Act was subsequently and substantially amended in 2006 and again in 2008
citing the following objectives:

• With the proliferation of information technology enabled services such as
e-governance, e-commerce and e-transactions, protection of personal data and
information and implementation of security practices and procedures relating
to these applications of electronic communications have assumed greater
importance and they require harmonization with the provisions of the
Information Technology Act. Further, protection of Critical Information
Infrastructure is pivotal to national security, economy, public health and
safety, so it has become necessary to declare such infrastructure as a protected
system so as to restrict its access.
• A rapid increase in the use of computer and internet has given rise to new
forms of crimes like publishing sexually explicit materials in electronic form,
video voyeurism and breach of confidentiality and leakage of data by
intermediary, e-commerce frauds like personation commonly known as
Phishing, identity theft and offensive messages through communication
services. So, penal provisions are required to be included in the Information
Technology Act, the Indian Penal Code, the Indian Evidence Act and the
Code of Criminal Procedure to prevent such crimes.
• The United Nations Commission on International Trade Law (UNCITRAL) in
the year 2001 adopted the Model Law on Electronic Signatures. The General
Assembly of the United Nations by its resolution No. 56/80, dated 12th
December, 2001, recommended that all States accord favorable
consideration to the said Model Law on Electronic Signatures. Since the
digital signatures are linked to a specific technology under the existing
provisions of the Information Technology Act, it has become necessary to
provide for alternate technology of electronic signatures for bringing
harmonization with the said Model Law.
• The service providers may be authorized by the Central Government or the
State Government to set up, maintain and upgrade the computerized
facilities and also collect, retain appropriate service charges for providing
such services at such scale as may be specified by the Central Government
or the State Government.

EXTENT AND APPLICABILITY OF THE ACT

The Act extends to the whole of India, save as otherwise provided in this Act. It also
applies to any offence or contravention provided for in the Act, whether committed in
India or outside India by any person, if the act or conduct constituting the offence
involves a computer, computer system or computer network located in India.

The main provisions of the Act came into force on the 9th of June 2000. Certain
provisions were given effect on later dates by issuing specific notifications in this
regard.

The Act shall not apply to documents or transactions specified in the First Schedule.
Every notification issued to amend the first schedule shall be laid before each
House of Parliament. Presently, the First schedule contains the following entries:

1. A negotiable instrument (other than a cheque) as defined in the Negotiable
Instruments Act, 1881.
2. A power of attorney as defined in the Powers-of-Attorney Act, 1882.
3. A trust as defined in the Indian Trusts Act, 1882.
4. A will as defined in the Indian Succession Act, 1925, including any other
testamentary disposition by whatever name called.
5. Any contract for the sale or conveyance of immovable property or any interest in
such property.

For this purpose, every notification issued by the Central Government to add, amend
or delete any item mentioned in the schedule must, as a pre-requisite, be placed before
both Houses of Parliament for their scrutiny and approval.

The provisions of the Act have an overriding effect, notwithstanding anything
inconsistent therewith contained in any other law for the time being in force.

DEFINITIONS

In this Act, unless the context otherwise requires, —


a. "access" with its grammatical variations and cognate expressions means
gaining entry into, instructing or communicating with the logical, arithmetical,
or memory function resources of a computer, computer system or computer
network;
b. "addressee" means a person who is intended by the originator to receive the
electronic record but does not include any intermediary;
c. "adjudicating officer" means an adjudicating officer appointed under
subsection (1) of section 46;
d. "affixing electronic signature" with its grammatical variations and cognate
expressions means adoption of any methodology or procedure by a person
for the purpose of authenticating an electronic record by means of electronic
signature;
e. "appropriate Government" means as respects any matter,—

i. enumerated in List II of the Seventh Schedule to the Constitution;
ii. relating to any State law enacted under List III of the Seventh Schedule to the
Constitution, the State Government and in any other case, the Central Government;

f. "asymmetric crypto system" means a system of a secure key pair consisting
of a private key for creating an electronic signature and a public key to verify
the electronic signature;
g. "Certifying Authority" means a person who has been granted a licence to
issue an Electronic Signature Certificate under section 24;
h. "certification practice statement" means a statement issued by a Certifying
Authority to specify the practices that the Certifying Authority employs in
issuing Electronic Signature Certificates;
i. "computer" means any electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic, and memory
functions by manipulations of electronic, magnetic or optical impulses, and
includes all input, output, processing, storage, computer software, or
communication facilities which are connected or related to the computer in a
computer system or computer network;
j. "Computer Network" means the interconnection of one or more computers or
computer systems or communication devices through—

i. the use of satellite, microwave, terrestrial line, wire, wireless or other
communication media; and
ii. terminals or a complex consisting of two or more interconnected computers or
communication devices, whether or not the interconnection is continuously
maintained;

k. "computer resource" means computer, computer system, computer network,
data, computer data base or software;
l. "computer system" means a device or collection of devices, including input
and output support devices and excluding calculators which are not
programmable and capable of being used in conjunction with external files,
which contain computer programmes, electronic instructions, input data and
output data, that performs logic, arithmetic, data storage and retrieval,
communication control and other functions;
m. "Controller" means the Controller of Certifying Authorities appointed under
sub-section (1) of section 17;
n. "Cyber Appellate Tribunal" means the Cyber Appellate Tribunal established
under subsection (1) of section 48;
(na). “cyber café” means any facility from where access to the internet is offered by
any person in the ordinary course of his business to the members of the public;

(nb). "Cyber Security" means protecting information, equipment, devices, computer,
computer resource, communication device and information stored therein from
unauthorized access, use, disclosure, disruption, modification or destruction.

o. "data" means a representation of information, knowledge, facts, concepts or
instructions which are being prepared or have been prepared in a formalised
manner, and is intended to be processed, is being processed or has been
processed in a computer system or computer network, and may be in any
form (including computer printouts, magnetic or optical storage media,
punched cards, punched tapes) or stored internally in the memory of the
computer;
p. "digital signature" means authentication of any electronic record by a
subscriber by means of an electronic method or procedure in accordance
with the provisions of section 3;
q. "digital Signature Certificate" means a Digital Signature Certificate issued
under subsection (4) of section 35;
r. "electronic form" with reference to information means any information
generated, sent, received or stored in media, magnetic, optical, computer
memory, micro film, computer generated micro fiche or similar device;
s. "Electronic Gazette" means the Official Gazette published in the electronic
form;
t. "electronic record" means data, record or data generated, image or sound
stored, received or sent in an electronic form or micro film or computer
generated micro fiche;

(ta). "electronic signature" means authentication of any electronic record by a
subscriber by means of an electronic technique specified in the Second Schedule
and includes a digital signature;

(tb). "Electronic Signature Certificate" means an Electronic Signature Certificate
issued under section 35 and includes a Digital Signature Certificate.
u. "function", in relation to a computer, includes logic, control arithmetical
process, deletion, storage and retrieval and communication or
telecommunication from or within a computer;
v. "information" includes data, message, text, images, sound, voice, codes,
computer programmes, software and databases or micro film or computer
generated micro fiche;
w. "intermediary" with respect to any particular electronic record, means any
person who on behalf of another person receives, stores or transmits that
record or provides any service in respect to that record and includes telecom
service providers, network service providers, internet service providers, web-
hosting service providers, search engines, online payment sites, online
auction sites, online market places and cyber cafes;
x. "key pair", in an asymmetric crypto system, means a private key and its
mathematically related public key, which are so related that the public key
can verify an electronic signature created by the private key;
y. "law" includes any Act of Parliament or of a State Legislature, Ordinances
promulgated by the President or a Governor, as the case may be,
Regulations made by the President under article 240, Bills enacted as
President's Act under sub-clause (a) of clause (1) of article 357 of the
Constitution and includes rules, regulations, bye-laws and orders issued or
made thereunder;
z. "licence" means a licence granted to a Certifying Authority under section 24;

(za). "originator" means a person who sends, generates, stores or transmits any
electronic message or causes any electronic message to be sent, generated, stored
or transmitted to any other person but does not include an intermediary;
(zb). "prescribed" means prescribed by rules made under this Act;

(zc). "private key" means the key of a key pair used to create an electronic signature;

(zd). "public key" means the key of a key pair used to verify an electronic signature
and listed in the Electronic Signature Certificate;

(ze). "secure system" means computer hardware, software, and procedure that—

a. are reasonably secure from unauthorised access and misuse;
b. provide a reasonable level of reliability and correct operation;
c. are reasonably suited to performing the intended functions; and
d. adhere to generally accepted security procedures;

(zf). "security procedure" means the security procedure prescribed under section 16
by the Central Government;

(zg). "subscriber" means a person in whose name the Electronic Signature
Certificate is issued;

(zh). "verify" in relation to an electronic signature, electronic record or public key, with
its grammatical variations and cognate expressions, means to determine whether—

a. the initial electronic record was affixed with the electronic signature by the use of
the private key corresponding to the public key of the subscriber;
b. the initial electronic record is retained intact or has been altered since such
electronic record was so affixed with the electronic signature.

Any reference in the Act to any enactment or any provision thereof shall, in relation
to an area in which such enactment or such provision is not in force, be construed
as a reference to the corresponding law or the relevant provision of the
corresponding law, if any, in force in that area.

SECTION 3 - AUTHENTICATION OF ELECTRONIC RECORDS BY
USE OF DIGITAL SIGNATURE

AUTHENTICATION OF ELECTRONIC RECORDS

The Act provides that the authentication of the electronic record can be effected by
the use of asymmetric crypto system and hash function which envelop and
transform the initial electronic record into another electronic record.

A "hash function" is an algorithm mapping or translation of one sequence of bits
into another, generally smaller, set known as the "hash result", such that an electronic
record yields the same hash result every time the algorithm is executed with the
same electronic record as its input, making it computationally infeasible:

a. to derive or reconstruct the original electronic record from the hash result
produced by the algorithm;
b. that two different electronic records can produce the same hash result using
the algorithm.

The electronic record so authenticated can be verified by the use of the public key of
the subscriber. The private key and the public key are unique to the subscriber and
constitute a functioning key pair.
SECTION 3A - AUTHENTICATION OF ELECTRONIC RECORDS BY
USE OF ELECTRONIC SIGNATURE.

A subscriber can authenticate any electronic record by such an electronic signature
or electronic authentication technique which is considered reliable and may be
specified in the schedules. In order for the electronic signature to be reliable:

a. The signature creation data or authentication data are, within the context
they are used, linked to the signatory, or as the case may be, the
authenticator and to no other person;
b. The signature creation data or authentication data were, at the time of
signing, under the control of the signatory or, as the case may be, the
authenticator and to no other person;
c. Any alteration to the electronic signature made after affixing such signature is
detectable.
d. Any alteration to the information made after its authentication by electronic
signature is detectable.
e. It fulfills other prescribed conditions.

The Central Government can prescribe the procedure for the purpose of
ascertaining who has affixed the signature. The Central Government can also, by
notification in the Official Gazette, add or omit any reliable electronic signature or
electronic authentication technique or the procedure for affixing the same. The
notification of such method or procedure is required to be placed before both
houses of the Parliament.

ELECTRONIC GOVERNANCE & LEGAL RECOGNITION OF
ELECTRONIC RECORDS & ELECTRONIC SIGNATURES

SECTION 4 - ELECTRONIC RECORDS

Where any law provides that information or any other matter shall be in writing or in
the typewritten or printed form, then, notwithstanding anything contained in such
law, such requirement shall be deemed to have been satisfied if such information or
matter is—

a. rendered or made available in an electronic form; and
b. accessible so as to be usable for a subsequent reference.

SECTION 5 - LEGAL RECOGNITION OF ELECTRONIC SIGNATURES

Where any law requires that information or any other matter shall be authenticated
by affixing the signature or any document shall be signed or bear the signature of
any person then, notwithstanding anything contained in such law, such requirement
will be deemed to have been satisfied, if such information or matter is authenticated
by means of electronic signature affixed in such manner as prescribed by the
Central Government.

SECTION 6 - FOUNDATION OF ELECTRONIC GOVERNANCE

Where any law provides for the filing of any form, application or any other document
with any authority, agency, owned or controlled by the appropriate Government in a
particular manner, or it provides for the issue or grant of any licence, permit,
sanction or approval or the receipt or payment of money in a particular manner,
then, notwithstanding anything contained in any other law for the time being in
force, such requirement is deemed to have been satisfied if such filing, issue, grant,
receipt or payment, as the case may be, is effected by means of such electronic
form as prescribed by the appropriate Government. The appropriate Government is
empowered to prescribe rules regarding the manner and the format, in which such
electronic records shall be filed, created or issued and the manner or method of
payment of any fee for creating, filing or issuing such record.
SECTION 9 - NO RIGHT TO INSIST DOC. TO BE IN ELECTRONIC
FORM.

No person is conferred the right to insist that the Government, or any body funded or
controlled by it, accept, issue, create, retain or preserve any document in the form of
electronic records, or effect any monetary transaction in the electronic form.

SECTION 7 - RETENTION OF RECORDS:

Where any law provides that documents, records or information be retained for a
specific period, the requirement is deemed to have been met if the documents are
retained in electronic form, provided that the information contained therein remains
accessible so as to be usable for subsequent reference; that the record is retained in
the format in which it was originally created, generated, sent or received, or in a
format which can be demonstrated to represent accurately the information originally
generated, sent or received; and that the details which identify the origin,
destination, dispatch or receipt of such electronic record are available in the
electronic record. These conditions do not, however, apply to information which is
generated automatically, solely for the purpose of enabling an electronic record to be
dispatched or received.

SECTION 7A - AUDIT OF DOCUMENTS IN ELECTRONIC FORM:

Where the audit of documents, records or information is required to be conducted
under any law, the same shall also be applicable for audit of documents, records or
information processed and maintained in electronic form.

SECTION 8 - PUBLICATION OF RULE, REGULATION, ETC., IN
ELECTRONIC GAZETTE:

Where any law provides that any rule, regulation, order, bye-law, notification or any
other matter will be published in the Official Gazette, then, such requirement is
deemed to have been satisfied if such rule, regulation, etc is published in the Official
Gazette or Electronic Gazette and the date of publication in such an Electronic
Gazette is deemed to be the date of the Gazette which was first published in any
form.

SECTION 10 - POWER TO MAKE RULES BY CENTRAL
GOVERNMENT IN RESPECT OF ELECTRONIC SIGNATURE:

The Central Government is empowered to prescribe the type of electronic
signature, the manner and format in which the electronic signature will be affixed so
as to facilitate the identification of the person affixing the electronic signature. The
Government will also prescribe the control processes and procedures to ensure
adequate integrity, security and confidentiality of electronic records or payments,
and any other matter which is necessary to give legal effect to electronic signatures.

In the case of a contract, where the contract formation, the communication of
proposals, the acceptance or revocation of the proposals, as the case may be, are
expressed in electronic form or by means of an electronic record, the enforceability
of the record will not be denied solely on the grounds that such electronic form or
means were used to contract.

SECTION 11 - ATTRIBUTION OF ELECTRONIC RECORDS.

An electronic record can be attributed to the originator if it can be demonstrated
that it was sent by the originator himself, or by a person authorised by the originator
in respect of that electronic record, or by an information system programmed to
operate automatically in this regard.
SECTION 12 - ACKNOWLEDGMENT OF RECEIPT

Where the originator (sender) and addressee (recipient) have not settled the manner
and form in which the addressee is to acknowledge the receipt of the electronic
record, then the addressee will acknowledge the receipt of the electronic record
either by communicating such receipt, through automated or other means, or by way
of conduct of the addressee sufficient to indicate to the originator that the electronic
record has been received.
Where the originator has stipulated that the electronic record will be binding only on
receipt of an acknowledgment of such electronic record by him, then in such a case,
unless the addressee sends such an acknowledgment and the originator receives
the same, it will be assumed that the electronic record was never sent.

Where the originator has not stipulated that the electronic record will be binding only
on receipt of such acknowledgment, and the acknowledgment has not been
received by the originator within a reasonable time or an agreed period, then the
originator can give notice to the addressee stating that no acknowledgment has
been received by him and specifying a reasonable time by which the
acknowledgment must be received by him. If an acknowledgment is not
received within that time limit, he can, after giving notice to the addressee,
treat the electronic record as though it had never been sent.

SECTION 13 - TIME AND PLACE OF DESPATCH AND RECEIPT OF
ELECTRONIC RECORD

The Originator and the addressee can agree to the time and place of receipt of the
electronic record. Generally, unless otherwise agreed to the contrary by the
originator and the addressee, when an electronic record enters a computer
resource outside the control of the originator or when it enters the computer
resource of the addressee, it is deemed to have been dispatched.

If the addressee has designated a specific computer resource and the electronic
record is sent to that designated computer resource, then the time when the electronic
record enters the designated computer resource is deemed to be the time of
receipt. If, instead of sending to the designated computer resource of the addressee,
the originator sends to another computer resource, then receipt occurs at the time
when the electronic record is retrieved by the addressee from that computer
resource. These rules apply even if the computer resource is located at a different
place.

An electronic record is deemed to be dispatched at the place where the originator
has his place of business, and is deemed to be received at the place where the
addressee has his place of business, even if the computer resources are located
at some other place.
It is possible that the originator or the addressee may have more than one place of
business; in such a case the principal place of business will be the place of
business for the purpose of receipt and despatch. If the originator or the addressee
does not have a place of business, his usual place of residence will be deemed to
be the place of business; where the addressee or the originator is a body
corporate, the usual place of residence will be the place where such body corporate is
registered.

SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC
SIGNATURES

SECTION 14 - SECURE ELECTRONIC RECORD

Where any security procedure is applied to an electronic record at a specific point
of time, then from such point onwards up to the time of verification, the record is
deemed to be a secure electronic record.

SECTION 15 - SECURE ELECTRONIC SIGNATURE

An electronic signature is unique to the subscriber. Once the signature is affixed to
an electronic record it can be used to identify the subscriber. It is presumed to be
under the exclusive control of the subscriber. The signature signifies the time when
it is affixed to an electronic record and the manner in which the signature was
created. If anyone tries to alter such a signed electronic record, then the signature
gets invalidated. An electronic signature will be deemed to be secure if it can be
proved that it was under the exclusive control of the signatory at the time of affixing
and the signature data (private key) was stored and affixed in the specified manner.

SECTION 16 - SECURITY PROCEDURE

The Central Government is empowered to prescribe the security procedure and
practices considering the commercial circumstances, nature of transactions and
such other related factors.
REGULATION OF CERTIFYING AUTHORITIES

SECTION 17 - APPOINTMENT OF CONTROLLER AND OTHER OFFICERS

The Central Government is empowered to appoint a Controller of Certifying
Authorities ("CCA") and such number of Deputy Controllers and Assistant
Controllers, other officers and employees. Such appointment of the Controller,
Deputy and Assistant Controllers is to be notified in the Official Gazette. The Controller
discharges his functions under this Act subject to the general control and directions
of the Central Government. The Deputy Controllers ("Dy CA") and Assistant
Controllers ("ACA"), other officers and employees in turn perform the functions
assigned to them by the Controller under the general superintendence and control
of the Controller. Such delegated functions are assigned by the CCA to
the Dy CA and ACA in writing.

The Central Government can prescribe the requirements pertaining to the
qualifications, experience and terms and conditions of service of the CCA, the Dy CA
and the ACA, other officers and employees. Further, it can also require that the
Head Office and Branch Offices of the Controller be established at such
places as specified by the Central Government. The Act provides that there will be a
seal of the Office of the Controller.

SECTION 18 - FUNCTIONS OF CONTROLLER

The primary function of the CCA is to regulate the Certifying Authorities ("CA"). For
the purpose of regulating the CA the CCA may perform all or any of the following
functions, namely:—

• certifying public keys of the Certifying Authorities;
• laying down the standards to be maintained by the Certifying Authorities;
• specifying the qualifications and experience which employees of the
Certifying Authorities should possess;
• specifying the conditions subject to which the Certifying Authorities shall
conduct their business;
• specifying the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of a Digital
Signature Certificate and the public key;
• specifying the form and content of a Digital Signature Certificate and the key;
• specifying the form and manner in which accounts shall be maintained by the
Certifying Authorities;
• specifying the terms and conditions subject to which auditors may be
appointed and the remuneration to be paid to them;
• facilitating the establishment of any electronic system by a Certifying
Authority either solely or jointly with other Certifying Authorities and
regulation of such systems;
• specifying the manner in which the Certifying Authorities shall conduct their
dealings with the subscribers;
• resolving any conflict of interests between the Certifying Authorities and the
subscribers;
• laying down the duties of the Certifying Authorities;
• maintaining a data base containing the disclosure record of every Certifying
Authority containing such particulars as may be specified by regulations,
which shall be accessible to public.

SECTION 19 - RECOGNITION OF FOREIGN CERTIFYING AUTHORITIES

The CCA, with the prior approval of the Central Government and subject to the
conditions and restrictions specified in this regard by regulations, can, by
notification in the Official Gazette, recognize any foreign CA as a CA for the
purposes of this Act. Once a foreign CA is granted recognition by the CCA, an
Electronic Signature Certificate (“ESC”) issued by such Certifying Authority will be
valid for the purposes of this Act.

If the CCA is satisfied that a foreign CA which has been granted recognition has
contravened any of the conditions or restrictions subject to which the recognition
was granted, the CCA can, after recording the reasons in writing, revoke such
recognition by notification in the Official Gazette.

SECTION 21 - LICENCE TO ISSUE ELECTRONIC SIGNATURE CERTIFICATES

Any person can obtain a licence to issue ESCs by making an application to the
CCA. After receiving the application, the CCA verifies whether or not the
applicant has satisfied the eligibility criteria specified by the Central Government
in respect of qualification, expertise, manpower, financial resources and other
infrastructure facilities. Once the eligibility of the applicant is ascertained, the CCA
issues a licence to the applicant. The licensee is thereafter subject to such terms
and conditions as are provided for in the regulations issued in this regard. Any
licence granted under this section is valid for such period as may be provided for
by the Central Government. It may be noted that such a licence is not transferable
or inheritable.

SECTION 22 - APPLICATION FOR LICENCE

Every application is required to be in the prescribed form. Along with the application
the applicant is also required to file:
• a certification practice statement;
• a statement including the procedures with respect to identification of the
applicant;
• payment of such fees, not exceeding twenty-five thousand rupees (as
prescribed by the Central Government);
• such other documents as can be prescribed from time to time by the Central
Government.

An application for renewal of a licence is also required to be in the prescribed form,
accompanied by such fees, which cannot exceed five thousand rupees, and has to
be made at least forty-five days before the date of expiry of the period of validity of
the existing licence.

The CCA can, on receipt of an application, after considering the documents
accompanying the application and such other factors as the CCA deems fit, grant
the licence or reject the application. The applicant is granted a reasonable
opportunity of presenting his case to the CCA before his application is rejected.

SECTION 25 - SUSPENSION OF LICENCE

If the CCA, after making an inquiry, is satisfied that a CA has

• made an incorrect or false statement in his application for the issue or
renewal of licence;
• failed to comply with the terms and conditions subject to which the licence
was granted;
• not maintained the standards required to be followed under this Act;
• contravened any provisions of this Act, rule, regulation or order made there
under,

then the CCA can, after giving the CA a reasonable opportunity to show cause
against the proposed revocation, revoke the licence. In the alternative, pending such
an inquiry, if the CCA is of the opinion that there exist circumstances for the
revocation of the licence of the CA, then the CCA can suspend the licence till the
completion of the inquiry. The period of suspension cannot however exceed a period
of 10 days unless the CA has been given a reasonable opportunity of showing cause
against the proposed suspension. The CA is barred from issuing any ESCs during
the suspension period.

After making an inquiry into an allegation of default and after giving the defaulting
CA a reasonable opportunity of being heard, if the CCA is satisfied that the licence
of the CA needs to be suspended or revoked, he can proceed against the CA and
suspend or revoke its licence. The notice of such an action of suspension or
revocation, as the case may be, by the CCA is required to be published in the
database and all the repositories maintained by the CCA. The CCA is also required
to make such a notice of suspension or revocation of licence available through a
website which is accessible round the clock. If considered appropriate by the CCA,
he may publicise the contents of the database in appropriate electronic or other
media. The CCA can delegate or authorize the Dy. CA or the ACA to exercise any
of its powers in respect of the regulation of Certifying Authorities.

ACCESS TO COMPUTERS AND DATA

Without prejudice to the provisions of sub-section (1) of section 69, the CCA or any
person authorized by him can, if he has reasonable cause to suspect that the
provisions relating to regulation of CAs, or the rules or regulations made thereunder,
are being contravened, search or access any computer system, any apparatus, data
or any other material connected with such system, to obtain any information or data
contained in or available to such computer system. In doing so, they can direct any
person in charge of, or otherwise concerned with the operation of, the computer
system, data, apparatus or material to provide such reasonable technical and other
assistance as the investigating authority may consider necessary.

POWER TO INVESTIGATE CONTRAVENTIONS

The CCA or any officer authorised by him for this purpose can investigate any
contravention of the provisions of this Act, rules or regulations made thereunder. For
the purpose of investigating contraventions under this Act, the CCA or any
authorized officer has powers similar to those conferred on Income-tax authorities
under Chapter XIII of the Income-tax Act, 1961, and the CCA can exercise such
powers subject to the limitations laid down under the Income-tax Act, 1961.

SECTION 30 - OBLIGATIONS OF THE CA

Every CA will—

a. make use of secure hardware, software and procedures to prevent intrusion
and misuse;
b. ensure a reasonable level of reliability in the services provided by it;
c. adhere to security procedures to ensure that the secrecy and privacy of the
electronic signatures are assured;
d. be the repository of all Electronic Signature Certificates issued under this Act;
e. publish information regarding its practices, Electronic Signature Certificates
and the current status of such certificates;
f. observe such other standards as may be specified by regulations;
g. ensure that every person employed or otherwise engaged by it complies with
the provisions of this Act, rules, regulations and orders made thereunder;
h. display its licence at a conspicuous place of the premises in which it carries
on its business;
i. surrender its licence, forthwith, to the CCA when the licence is suspended or
revoked. Failure to do so will be deemed to be an offence, punishable with
imprisonment which can extend up to six months or a fine which can extend
up to ten thousand rupees or with both;
j. disclose, in the manner specified by regulations—
    i. its ESC;
    ii. any certification practice statement;
    iii. notice of the revocation or suspension of its CA certificate, if any; and
    iv. any other fact that materially and adversely affects either the reliability of
    an ESC which that CA has issued, or the CA's ability to perform its services;
k. where the CA is of the opinion that a situation has arisen which can
materially and adversely affect the integrity of its computer system or the
conditions subject to which an ESC was granted—
    a. reasonably notify any person who is likely to be affected by that
    occurrence; or
    b. act in accordance with the procedure specified in its certification practice
    statement to deal with such event or situation.

The CCA can, after consultation with the Cyber Regulations Advisory Committee
and with the previous approval of the Central Government, by notification in the
Official Gazette, make regulations consistent with this Act and the rules made there
under to carry out the purposes of this Act. In particular, and without prejudice to the
generality of the foregoing power, such regulations can provide for all or any of the
following matters, namely:

a. the particulars relating to maintenance of the database containing the
disclosure record of every Certifying Authority;
b. the conditions and restrictions subject to which the Controller can recognise
any foreign Certifying Authority;
c. the terms and conditions subject to which a licence to issue an ESC can be
granted;
d. other standards to be observed by a Certifying Authority;
e. the manner in which the Certifying Authority will disclose the information
pertaining to ESCs, the certification thereto, the details of the suspension or
revocation of any ESC etc.;
f. the particulars of the statement which will accompany the certification practice
statement of a CA applying for a licence to issue ESCs;
g. the manner in which the subscriber will communicate the compromise of his
private key to the Certifying Authority.

ELECTRONIC SIGNATURE CERTIFICATES

SECTION 35 - CERTIFYING AUTHORITY TO ISSUE ELECTRONIC SIGNATURE CERTIFICATE

Any person can make an application to the CA for the issue of an ESC. The
application will be in the form prescribed by the Central Government. The
application shall be accompanied with the prescribed fee, not exceeding twenty five
thousand rupees, to be paid to the Certifying Authority. Different fees may be
prescribed for different classes of applicants. In addition to the fee, the application
is also required to be accompanied with a certification practice statement or, where
there is no such statement, a statement containing such particulars as may be
required by regulations.

The CA can consider such an application accompanied with the certification
practice statement and, after making such inquiry as the CA deems fit, either grant
the ESC or, for reasons to be recorded in writing, reject the application. The
application can be rejected only after giving the applicant a reasonable opportunity
of being heard.

REPRESENTATIONS UPON ISSUANCE OF ELECTRONIC SIGNATURE CERTIFICATE

A CA, while issuing an ESC, certifies that—

a. it has complied with the provisions, rules and regulations of this Act;
b. it has published or made available the ESC to any person relying on it or to a
subscriber who has accepted it;
c. the subscriber holds the private key corresponding to the public key listed in
the ESC;
d. the subscriber holds a private key which is capable of creating a digital
signature;
e. the public key to be listed in the certificate can be used to verify a digital
signature affixed by the private key held by the subscriber;
f. the subscriber's public key and private key constitute a functioning key pair;
g. the information contained in the ESC is accurate; and
h. it has no knowledge of any material fact which, if it had been included in the
Electronic Signature Certificate, would adversely affect the reliability of the
representations made in clauses (a) to (d).

SUSPENSION OF ELECTRONIC SIGNATURE CERTIFICATE

Any ESC which is issued by a CA can be suspended by the CA on the occurrence
of one of the following events:

a. on receipt of a specific request to that effect from the subscriber of an
ESC or a person duly authorized by such a subscriber;
b. if the CA is of the opinion that it is in the interest of the public to do so.

The suspension of the ESC by the CA is required to be communicated to the
subscriber. The CA cannot suspend the ESC for a period of more than 15 days
without providing the subscriber a reasonable opportunity of being heard.

REVOCATION OF ELECTRONIC SIGNATURE CERTIFICATE

A CA can revoke an ESC issued by it on a specific request being made to it by the
subscriber or a person duly authorized by him in this regard. The CA can also
revoke the ESC upon the death of the subscriber, where the subscriber is an
individual, or on dissolution, where the subscriber is a firm, or on the winding up,
where the subscriber is a corporate entity.

An ESC can be revoked by the CA with immediate effect, after giving the subscriber
a reasonable opportunity of being heard, if the CA is of the opinion that there has
been a material misrepresentation or concealment of facts in the ESC, or that a
requirement which was a prerequisite for the issue of the ESC has not been fulfilled,
or that the CA's private key or security system has been compromised in a manner
materially affecting the ESC's reliability, or that the subscriber has been adjudged
insolvent, or on account of death, dissolution or winding-up or any other
circumstance as a result of which the subscriber to the ESC ceases to exist. The
revocation of an ESC by the CA has to be communicated to the subscriber.

Any suspension or revocation of ESCs is required to be published in the public
repositories (one or more, as the case may be) maintained by the CA.

DUTIES OF SUBSCRIBERS

Where a subscriber has accepted an Electronic Signature Certificate listing a public
key which corresponds to the private key of that subscriber, the subscriber will
generate the key pair by applying the security procedure. Further, the subscriber
shall perform such duties as may be prescribed.

ACCEPTANCE OF ELECTRONIC SIGNATURE CERTIFICATE

A subscriber is deemed to have accepted an ESC if he publishes or authorizes the
publication of the ESC to one or more persons in a repository, or otherwise
demonstrates his approval of the ESC in any manner.

By accepting an ESC the subscriber certifies to all who reasonably rely on the
information contained in the ESC that the subscriber holds the private key
corresponding to the public key listed in the ESC and is entitled to hold the same.
Furthermore, all representations made by the subscriber to the CA and all material
relevant to the information contained in the ESC are true to the best of his belief.

CONTROL OF PRIVATE KEY

Every subscriber is required to exercise reasonable care to retain control of his
private key, which corresponds to the public key listed in his ESC, and to take all
steps to prevent its disclosure to a person not authorized to affix the electronic
signature of the subscriber.

If the private key is compromised, then the subscriber will communicate the same
forthwith to the CA in the specified manner. The subscriber is liable for all events
occurring as a result of the compromise of the private key from the time of
compromise up to the time he has informed the CA of the private key being
compromised.

PENALTIES, COMPENSATION AND ADJUDICATION

The Information Technology Amendment Act 2008 has introduced a host of
offences and prescribed penalties for these offences.

SECTION 43 - PENALTY FOR DAMAGE TO COMPUTER, COMPUTER SYSTEM, ETC

If any person, without permission (or the knowledge) of the owner or any other
person who is in charge of a computer, computer system or computer network—

a. accesses or secures access to such computer, computer system or computer
network;
b. downloads, copies or extracts any data, computer data base or information
from such computer, computer system or computer network including
information or data held or stored in any removable storage medium;
c. introduces or causes to be introduced any computer contaminant or
computer virus into any computer, computer system or computer network;
d. damages or causes to be damaged any computer, computer system or
computer network, data, computer data base or any other programmes
residing in such computer, computer system or computer network;
e. disrupts or causes disruption of any computer, computer system or computer
network;
f. denies or causes the denial of access to any person authorized to access
any computer, computer system or computer network by any means;
g. provides any assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the provisions of
this Act, rules or regulations made there under;
h. charges the services availed of by a person to the account of another person
by tampering with or manipulating any computer, computer system, or
computer network;
i. destroys, deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means;
j. steals, conceals, destroys or alters or causes any person to steal, conceal,
destroy or alter any computer source code used for a computer resource with
an intention to cause damage;

he can be made liable to pay damages by way of compensation not exceeding one
crore rupees to the person so affected.

Explanation.— For these purposes,—

i. "computer contaminant" means any set of computer instructions that are
designed—
    a. to modify, destroy, record, transmit data or programme residing within
    a computer, computer system or computer network; or
    b. by any means to usurp the normal operation of the computer,
    computer system, or computer network;
ii. "computer data base" means a representation of information, knowledge,
facts, concepts or instructions in text, image, audio, video that are being
prepared or have been prepared in a formalised manner or have been
produced by a computer, computer system or computer network and are
intended for use in a computer, computer system or computer network;
iii. "computer virus" means any computer instruction, information, data or
programme that destroys, damages, degrades or adversely affects the
performance of a computer resource or attaches itself to another computer
resource and operates when a programme, data or instruction is executed or
some other event takes place in that computer resource;
iv. "damage" means to destroy, alter, delete, add, modify or rearrange any
computer resource by any means;
v. "computer source code" means the listing of programmes, computer
commands, design and layout and programme analysis of computer
resource in any form.

SECTION 43A - COMPENSATION FOR FAILURE TO PROTECT DATA

Where a body corporate, possessing, dealing with or handling any sensitive personal
data or information in a computer resource which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, the
body corporate will be liable to pay damages by way of compensation, not
exceeding Rs 5 Crores, to the person so affected.

For this purpose, "body corporate" means any company and includes a firm, sole
proprietorship or other association of individuals engaged in commercial or
professional activities;

“Reasonable security practices and procedures” would include such practices and
procedures which are designed to protect information from unauthorized access,
damage, misuse, modification, disclosure etc, as may be agreed to between the
parties or as determined by law in force and in the absence of such agreement or
any law, such reasonable security practices and procedures, as may be prescribed
by the Central Government in consultation with such professional bodies or
associations as it may deem fit;

"Sensitive personal data or information" means such personal information as may
be prescribed by the Central Government in consultation with such professional
bodies or associations as it may deem fit.

Note: Refer to Notification G.S.R. 313(E) dated 11th April 2011 for the Information
Technology (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011, notified by the Central Government.

PENALTY FOR FAILURE TO FURNISH INFORMATION, RETURN, ETC

Any person who, under this Act or any rules or regulations made thereunder—

a. is required by the CCA or CA to furnish any document, return or report and
fails to do so, will be liable to a penalty not exceeding Rs 1,50,000/- for each
such failure;
b. is required to file any return or furnish any information, books or other
documents within the time specified by the regulations and fails to do so
within the time specified, will be liable to a penalty not exceeding Rs 5000/-
per day of such continuing default;
c. fails to maintain books of accounts or records as required, will be liable to a
penalty not exceeding Rs 10,000/- per day of such continuing default.

PUNISHMENT FOR DISCLOSURE OF INFORMATION IN BREACH OF LAWFUL CONTRACT

Unless otherwise provided under this act or under any other act, any person,
including an intermediary who, while providing services under the terms of lawful
contract, has secured access to any material containing personal information about
another person, with the intent to cause or knowing that he is likely to cause
wrongful loss or wrongful gain discloses, without the consent of the person
concerned, or in breach of a lawful contract, such material to any other person shall
be punished with imprisonment for a term which may extend to three years, or with
a fine which may extend to five lakh rupees, or with both.

COMPENSATION, PENALTIES OR CONFISCATION NOT TO INTERFERE WITH OTHER PUNISHMENT

A penalty imposed or compensation awarded or confiscation under the Act, will not
result in avoidance of an award of compensation or imposition of any penalty or
punishment under any other law.

RESIDUARY PENALTY

Whoever contravenes any rules or regulations made under this Act, and no penalty
has been separately provided for such contravention, will be liable to pay a
compensation not exceeding Rs 25,000/- to the person affected by such
contravention or a penalty of equal amount.

A penalty imposed under this Act, if it is not paid, can be recovered as an arrear of
land revenue and the license or the ESC, as the case may be, can be suspended till
the penalty is paid.

COMPOUNDING OF OFFENCES

Notwithstanding anything contained in the Code of Criminal Procedure, an offence
pertaining to

• Hacking with a computer system
• Transmission of obscene material / content
• Breach of confidentiality and privacy
• Misutilization of personal information

can be compounded under section 77A of the Act. However the benefit of
compounding will not be available to a person who has been previously convicted
for the same or similar offence or who is liable to enhanced punishment.

No court can take cognizance of any of the above-mentioned offences unless the
person aggrieved by the offence lodges a complaint. Only an officer of the rank of
Deputy Superintendent of Police can investigate cognizable offences under this Act.
When an officer in charge of a police station is given information pertaining to a non
cognizable offence, he is required to record such information in such records as are
prescribed by the State Government. The officer who receives such information can
exercise the same powers of investigation (except the power to arrest without
warrant) as an officer in charge of a police station would have under section 156 of
the Code of Criminal Procedure.

SECTION 46 - POWER TO ADJUDICATE

Sec 46 confers the power to adjudicate contraventions under the Act on an officer
not below the rank of Director to the Government of India or an equivalent officer of
a State Government.

Such appointment shall be made by the Central Government. The person so
appointed shall have adequate experience in the field of Information Technology and
such legal and judicial experience as may be prescribed by the Central Government.

The adjudicating officer shall exercise jurisdiction to adjudicate matters in which the
claim for injury or damage does not exceed rupees five crores. In respect of claims
for injury or damage exceeding rupees five crores, jurisdiction shall vest with the
competent court.

For the purpose of holding an inquiry and for the purposes of adjudication, the
Officer will have the powers of a civil court which are conferred on the Cyber
Appellate Tribunal under sub-section (2) of section 58. All the proceedings held
before the Adjudicating Officer will be deemed to be judicial proceedings within the
meaning of sections 193 and 228 of the Indian Penal Code, and the Adjudicating
Officer will, for the purposes of sections 345 and 346 of the Code of Criminal
Procedure, 1973, be deemed to be a civil court.

The Officer, for the purpose of holding an inquiry as prescribed by the Central
Government, is required to give the person accused of the contravention a
reasonable opportunity of making a representation in the matter. If, after giving such
an opportunity, the Officer is of the opinion that such person has, as alleged,
contravened the provisions of the Act or any rules, regulations or directions made
thereunder, he can impose such penalty or award such compensation as he thinks
fit in accordance with the provisions.

Sec 47 provides that for the purpose of imposing penalty or for awarding
compensation the Officer will take into consideration the following:

a. the amount of gain of unfair advantage, wherever quantifiable, made as a
result of the default;
b. the amount of loss caused to any person as a result of the default;
c. the repetitive nature of the default.

THE CYBER APPELLATE TRIBUNAL

ESTABLISHMENT & COMPOSITION OF CYBER APPELLATE TRIBUNAL

The Central Government, by notification, can establish one or more appellate
tribunals to be known as the Cyber Appellate Tribunal (“tribunal”). Such notification
will also specify the matters and places in relation to which the Cyber Appellate
Tribunal can exercise jurisdiction.

CONSTITUTION & THE JURISDICTION OF A BENCH

The Central Government, in consultation with the Chief Justice of India, selects the
Chairperson and other Members. The Cyber Appellate Tribunal is made up of a
Chairperson and such number of Members as the Central Government deems fit.
The Chairperson and one or two Members shall constitute a Bench of the Tribunal.
The Tribunal exercises its jurisdiction and all its powers and authority through such a
Bench. The Central Government has mandated that the Bench of the Tribunal will
sit in New Delhi and at such places as the Central Government, in consultation
with the Chairperson, may resolve. Having resolved where the Bench will be
situated, the Central Government demarcates the areas where the Bench will
exercise its jurisdiction and notifies such resolution in the Official Gazette. The
Chairperson of the Tribunal can transfer Member(s) from one Bench to another.

Where the circumstances so merit, at any time before or in the course of a case or
a matter, if the Chairperson or the Member of the Tribunal are of the view that the
nature of the case or matter is such that it ought to be heard by a Bench consisting
of more Members, the case can be transferred by the Chairperson to such a Bench
as the Chairperson deems fit.

QUALIFICATION OF THE CHAIRPERSON & THE MEMBERS OF THE TRIBUNAL

The Information Technology Amendment Act 2006 and the Information Technology
Amendment Act 2008 have introduced a slew of changes in the manner of
appointment of the Chairperson and the Members (Judicial as well as non Judicial)
of the Cyber Appellate Tribunal. The changes include the basic eligibility criteria, the
manner in which the salary and other emoluments will be given/ announced, the
requirement of independence and retirement from earlier service.

Only a person who is, or has been, or is qualified to be, a Judge of a High Court can
be appointed as the Chairperson. The Members of the Tribunal, barring the Judicial
Member, will be appointed by the Central Government from amongst persons who
possess special knowledge and professional experience in the field of Information
Technology, Telecommunication, Industry, Management and Consumer Affairs. The
Government can only select the Members from the cadre of Central or State
Government employees holding the position of Additional Secretary for a period of
not less than 2 years, or of Joint Secretary to the Government of India or an
equivalent position with either the Central or the State Government for a period of
not less than 7 years.

Only a person who is a member of the Indian Legal Service and has held the
position of an Additional Secretary for a period of one year, or a Grade I post of the
Legal Service for a period of not less than 5 years, is qualified to be selected as a
Judicial Member of the Tribunal.

Before the appointment of the Chairperson and the Members of the Tribunal, the
Central Government satisfies itself that the candidate is an independent person and
a person of integrity who has no financial or other interest that may prejudicially
influence his discharge of the functions of Chairperson or Member of the Cyber
Appellate Tribunal. On his selection, either as a Member or as Chairperson of the
Tribunal, the candidate (an officer of the Central / State Government) is required to
retire from his service before he is allowed to join as Member / Chairperson of the
Cyber Appellate Tribunal.

TENURE OF THE CHAIRPERSON & THE MEMBERS OF THE TRIBUNAL

The Chairperson and the Members hold office for a term of five years from the date
of entering office or until they attain the age of sixty five years, whichever occurs
earlier. During their tenure the Chairperson and the Members will be entitled to
such salary, allowances and other benefits like gratuity, pension, etc. as may be
prescribed.

FUNCTIONING OF THE BENCH

The Chairperson has the power of general supervision and administration of the
conduct of affairs of the Bench. In addition to presiding over the meetings of the
Tribunal, the Chairperson exercises and discharges such functions and powers as
are prescribed in this regard.

The Chairperson distributes the business to a Bench of the Tribunal and directs the
manner in which each matter will be dealt with. The Chairperson can also, on
receipt of an application in this regard from any of the parties and after giving
notice to such parties and hearing them as he deems proper, or suo moto without
such notice, transfer a matter from one Bench to another for its disposal.

If the Members of a Bench (consisting of 2 Members) differ in opinion on any point,
they are required to state the point(s) on which they differ and refer the matter to the
Chairperson. The Chairperson will then proceed to hear the point(s) / matter and
decide on the same on the basis of the majority view of the Members who have
heard the case, including those Members who heard the case first.

FILLING UP OF VACANCIES, RESIGNATION OR REMOVAL OF A CHAIRPERSON

Once the Chairperson has been appointed neither the salary and allowances nor
the other terms and conditions of his service can be varied to his disadvantage. If,
for reason other than temporary absence, any vacancy occurs in the office of the
Chairperson of a Cyber Appellate Tribunal, then the Central Government is to
appoint another person in accordance with the provisions of this Act to fill the said
vacancy and the proceedings can be continued before the Cyber Appellate Tribunal
from the stage at which the vacancy is filled.

The Chairperson of a Cyber Appellate Tribunal can resign his office by notice in
writing, under his hand, addressed to the Central Government. Unless a shorter
period of relinquishment is permitted by the Central Government, the Chairperson
continues to hold office until the expiry of three months from the date of receipt of
such notice, or until a person duly appointed as his successor enters upon his office,
or until the expiry of his term of office, whichever is the earliest.

The Central Government can remove the Chairperson from his office only by way of
an order in writing on the grounds of proved misbehavior or incapacity after an
inquiry. Such an inquiry can be made only by a Judge of the Supreme Court, in
which the Chairperson concerned has been informed of the charges against him. The
Chairperson has to be given a reasonable opportunity of being heard in respect of
these charges. The Central Government can, by rules, regulate the procedure for
the investigation of misbehavior or incapacity of the aforesaid Chairperson.

No order of the Central Government appointing any person as the Chairperson or
Member of a Cyber Appellate Tribunal, and no act or proceeding before a Cyber
Appellate Tribunal, shall be called in question in any manner on the ground
merely of any defect in the constitution of the Cyber Appellate Tribunal.

STAFF OF THE CYBER APPELLATE TRIBUNAL

The Central Government shall provide the Cyber Appellate Tribunal with such
officers and employees as required. The officers and employees of the Cyber
Appellate Tribunal shall discharge their functions under general superintendence of
the Presiding Officer. The salaries and allowances and other conditions of service of
the officers and employees of the Cyber Appellate Tribunal shall be such as may be
prescribed by the Central Government.

The Chairperson, Members and other officers and employees of a Cyber Appellate
Tribunal, the Controller, the Deputy Controller and the Assistant Controllers shall be
deemed to be Public Servants within the meaning of section 21 of the Indian Penal
Code.

APPEAL TO CYBER APPELLATE TRIBUNAL

Any person aggrieved by an order made by the Controller or an adjudicating officer
under this Act can prefer an appeal to a Cyber Appellate Tribunal having jurisdiction
in the matter. However, no appeal shall lie to the Cyber Appellate Tribunal from an
order made by an adjudicating officer with the consent of the parties. The appeal
can be filed by the aggrieved person within a period of 45 days from the date of
receipt of the order, in the prescribed form and accompanied by the prescribed fee. The
Cyber Appellate Tribunal can entertain an appeal after the expiry of the said period
of 45 days if it is satisfied that there was sufficient cause for not filing it within the
prescribed period. The provisions of the Limitation Act, 1963, will, as far as can be,
apply to an appeal made to the Cyber Appellate Tribunal.

The appeal filed before the Cyber Appellate Tribunal is to be dealt with by it as
expeditiously as possible and an endeavor will be made by the Cyber Appellate
Tribunal to dispose of the appeal finally within six months from the date of receipt of
the appeal. The appellant can either appear in person or through an authorized
representative (one or more legal practitioners) or any of its officers, to present his
or its case before the Cyber Appellate Tribunal.

The Cyber Appellate Tribunal can, after giving the parties to the appeal an
opportunity of being heard, pass such orders thereon as it thinks fit, confirming,
modifying or setting aside the order appealed against. The Cyber Appellate Tribunal
will send a copy of every order made by it to the parties to the appeal and to the
concerned Controller or adjudicating officer.

SECTION 58 - PROCEDURE AND POWERS OF THE CYBER
APPELLATE TRIBUNAL

The Cyber Appellate Tribunal is not bound by the procedure laid down by the
Code of Civil Procedure, 1908, but is guided by the principles of natural justice
and, subject to the other provisions of this Act and of any rules, the Cyber Appellate
Tribunal has the powers to regulate its own procedure, including the place at which it
shall have its sittings. For the purposes of discharging its functions under this Act,
the Cyber Appellate Tribunal has the same powers as are vested in a civil court
under the Code of Civil Procedure, 1908, while trying a suit, in respect of the
following matters, namely:—

a. summoning and enforcing the attendance of any person and examining him
on oath;
b. requiring the discovery and production of documents or other electronic
records;
c. receiving evidence on affidavits;
d. issuing commissions for the examination of witnesses or documents;
e. reviewing its decisions;
f. dismissing an application for default or deciding it ex parte;
g. any other matter which may be prescribed.

Every proceeding before the Cyber Appellate Tribunal is deemed to be a judicial
proceeding within the meaning of sections 193 and 228, and for the purposes of
section 196 of the Indian Penal Code, and the Cyber Appellate Tribunal is deemed to
be a civil court for the purposes of section 195 and Chapter XXVI of the Code of
Criminal Procedure, 1973. No Civil Court has the jurisdiction to entertain any suit or
proceeding in respect of any matter which an adjudicating officer appointed under
this Act or the Cyber Appellate Tribunal constituted under this Act is empowered, by
or under this Act, to determine, and no injunction will be granted by any court or
other authority in respect of any action taken or to be taken in pursuance of any
power conferred by or under this Act.

SECTION 62 - APPEAL TO HIGH COURT

Any person aggrieved by any decision or order of the Cyber Appellate Tribunal can
file an appeal to the High Court within sixty days from the date of receipt of the order of
the Cyber Appellate Tribunal, on any question of fact or law arising out of such
order. The High Court can condone a delay in filing the appeal if it is satisfied that
the appellant was prevented by sufficient cause from filing the appeal within the said
period, and can allow it to be filed within a further period not exceeding sixty days.

SECTION 63 - COMPOUNDING OF CONTRAVENTIONS

At any time, before or after the institution of adjudication proceedings, the CCA or
an Officer specially authorized in this regard or the Adjudicating Officer can
compound contraventions under the Act. The compounded amount, however, cannot
in any case exceed the maximum penalty imposable for the contravention under
this Act. Where any contravention has been compounded, no proceeding or further
proceeding, as the case may be, can be taken for the compounded offence. Once a
contravention has been compounded, the same person cannot seek relief of
compounding for the same or similar contraventions committed within a period of 3
years from the date of compounding.

OFFENCES

The Act specifies that the following will be offences: tampering with computer source
documents; hacking a computer system; publishing information which is obscene in electronic
form; failure of a CA or its employees to follow the directions/orders of the CCA; failure to
comply with directions of the Controller to a subscriber to extend facilities to decrypt
information; accessing a protected system without proper authorization; material
misrepresentation; publishing an Electronic Signature Certificate false in certain
particulars; publication for fraudulent purpose; sending grossly offensive
information or false information; etc.

The various offences and corresponding punishments are summarized and
tabulated below, with detailed explanation in the following paragraphs.

| Section | Contents | Imprisonment up to | Or/And | Fine up to |
|---|---|---|---|---|
| 65 | Tampering with computer source code documents | 3 years | or/and | 200,000 |
| 66 | Hacking with computer system dishonestly or fraudulently | 3 years | or/and | 500,000 |
| 66B | Receiving stolen computer resource | 3 years | or/and | 100,000 |
| 66C | Identity theft: fraudulently or dishonestly making use of the electronic signature, password or any other unique identification feature of any other person | 3 years | and | 100,000 |
| 66D | Cheating by personation by using computer resource | 3 years | and | 100,000 |
| 66E | Violation of privacy | 3 years | or/and | 200,000 |
| 66F | Cyber terrorism. Whoever, (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people, by (1) denial of access, (2) attempting to penetrate a computer resource, or (3) a computer contaminant; or (B) knowingly or intentionally penetrates and by means of such conduct obtains access to information, data or a computer database that is restricted for reasons of the security of the State or foreign relations, or likely to cause injury to the interests of the sovereignty and integrity of India | Imprisonment for life | | |
| 67 | Publishing or transmitting obscene material in electronic form, 1st time | 3 years | and | 500,000 |
| 67 | Obscene material in electronic form, subsequent conviction | 5 years | and | 10,00,000 |
| 67A | Publishing or transmitting material containing sexually explicit act, 1st time | 5 years | and | 10,00,000 |
| 67A | Subsequent conviction | 7 years | and | 10,00,000 |
| 67B | Publishing or transmitting material containing children in sexually explicit act, 1st time | 5 years | and | 10,00,000 |
| 67B | Subsequent conviction | 7 years | and | 10,00,000 |
| 67C | Contravention of retention or preservation of information by intermediaries | 3 years | and | Not defined |
| 68 | Failure of Certifying Authorities or any of their employees to comply, knowingly or intentionally, with the Controller's directions | 2 years | or/and | 100,000 |
| 69 | Failure to comply with directions for intercepting, monitoring or decryption of any information transmitted through any computer system/network | 7 years | and | Not defined |
| 69A | Failure to comply with directions for blocking public access to any information through any computer resource | 7 years | and | Not defined |
| 69B | Failure to comply with directions to monitor and collect traffic data | 3 years | and | Not defined |
| 70 | Protected system: any unauthorised access to such system | 10 years | and | Not defined |
| 70B(7) | Failure to provide information called for by I.C.E.R.T* or to comply with its directions | 1 year | or | 1,00,000 |
| 71 | Penalty for misrepresentation or suppressing any material fact | 2 years | or/and | 100,000 |
| 72 | Penalty for breach of confidentiality and privacy of electronic records, books, information, etc. without consent of the person to whom they belong | 2 years | or/and | 100,000 |
| 72A | Punishment for disclosure of information in breach of lawful contract | 3 years | or/and | 500,000 |
| 73 | Penalty for publishing false Digital Signature Certificate | 2 years | or/and | 100,000 |
| 74 | Fraudulent publication | 2 years | or/and | 100,000 |
| 75 | Act also applies to offences or contraventions committed outside India if the act or conduct constituting the offence involves a computer, computer system or computer network located in India | | | |
| 76 | Confiscation of any computer, computer system, floppies, CDs, tape drives or other accessories related thereto used in contravention of any provisions of the Act, Rules, Regulations or Orders made thereunder | | | |
| 77 | Penalty and confiscation shall not interfere with other punishments provided under any law | | | |
| 78 | Power to investigate offences by a police officer not below the rank of Dy. Superintendent of Police | | | |

*I.C.E.R.T - Indian Computer Emergency Response Team, which serves as the national
agency for incident response. Its functions in the area of Cyber Security are:

a. collection, analysis and dissemination of information on cyber incidents
b. forecast and alerts of cyber security incidents
c. emergency measures for handling cyber security incidents
d. coordination of cyber incidents response activities
e. issue guidelines, advisories, vulnerability notes and white papers relating to
information security practices, procedures, prevention, response and
reporting of cyber incidents
f. such other functions relating to cyber security as may be prescribed.

TAMPERING WITH COMPUTER SOURCE DOCUMENTS

Whoever knowingly or intentionally conceals, destroys or alters, or intentionally or
knowingly causes another to conceal, destroy or alter, any computer source code
used for a computer, computer programme, computer system or computer network,
when the computer source code is required to be kept or maintained by law for the
time being in force, can be punished with imprisonment up to three years, or with
fine which can extend up to two lakh rupees, or with both. "Computer source code"
means the listing of programmes, computer commands, design and layout and
programme analysis of computer resource in any form.

UNAUTHORIZED ACCESS TO A COMPUTER SYSTEM

If any person dishonestly or fraudulently does any act which results in damage to a
computer or a computer system, or secures unauthorized access to a secure
computer system, or downloads or copies data, etc. (acts described under section 43
of the Act), then he can be punished with a prison term which can extend up to two
years or with a fine which can extend up to ₹Five Lakhs, or both. Here the Act refers
to the Indian Penal Code for interpreting the meaning of the words "dishonestly" and
"fraudulently".

PUNISHMENT FOR SENDING OFFENSIVE MESSAGES THROUGH
COMMUNICATION SERVICE

Any person who sends, by means of a computer resource or a communication
device, any information that is grossly offensive or has menacing character; or which
he knows to be false, but for the purpose of causing annoyance, inconvenience,
danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will,
persistently sends by making use of such computer resource or a communication
device; or sends any electronic mail or message so as to mislead the addressee
about the origin of such message, shall be punishable with imprisonment for a
term which may extend to three years and with fine. Explanation: For the purposes
of this section, the terms "Electronic mail" and "Electronic Mail Message" mean a
message or information created or transmitted or received on a computer, computer
system, computer resource or communication device, including attachments in text,
image, audio, video and any other electronic record which may be transmitted with
the message.

PUNISHMENT FOR DISHONESTLY RECEIVING STOLEN
COMPUTER RESOURCE OR COMMUNICATION DEVICE

Whoever dishonestly receives or retains any stolen computer resource or
communication device knowing or having reason to believe the same to be stolen
shall be punished with imprisonment for a term which may extend to three years or
with fine which may extend to rupees one lakh or with both.

PUNISHMENT FOR IDENTITY THEFT

Whoever fraudulently or dishonestly makes use of the electronic signature,
password or any other unique identification feature of any other person shall be
punished with imprisonment for a term which may extend to three years and shall
also be liable to fine which may extend to rupees one lakh.

PUNISHMENT FOR CHEATING BY PERSONATION BY USING
COMPUTER RESOURCE

Whoever, by means of any communication device or computer resource, cheats by
personation shall be punished with imprisonment for a term which may extend to
three years and shall also be liable to fine which may extend to one lakh rupees.

PUNISHMENT FOR VIOLATION OF PRIVACY

Whoever intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances violating
the privacy of that person, shall be punished with imprisonment which may extend
to three years or with fine not exceeding two lakh rupees, or with both.

"Transmit" means to electronically send a visual image with the intent that it be
viewed by a person or persons;

"Capture", with respect to an image, means to videotape, photograph, film or record
by any means;

"Private area" means the naked or undergarment clad genitals, pubic area, buttocks
or female breast;

"Publishes" means reproduction in the printed or electronic form and making it
available for public;

"Under circumstances violating privacy" means circumstances in which a person
can have a reasonable expectation that he or she could disrobe in privacy, without
being concerned that an image of his private area was being captured, or that any part of
his or her private area would not be visible to the public, regardless of whether that
person is in a public or private place.

PUNISHMENT FOR CYBER TERRORISM

Any person who, with intent to threaten the unity, integrity, security or sovereignty of
India or to strike terror in the people or any section of the people,

• denies or causes the denial of access to any person authorised to access a
computer resource, or
• attempts to penetrate or access a computer resource without authorisation or
exceeding authorised access, or
• introduces or causes to be introduced any Computer Contaminant,

and by means of such conduct causes or is likely to cause death or injuries to
persons or damage to or destruction of property, or disrupts, or knowing that it is
likely to cause damage or disruption of, supplies or services essential to the life of
the community, or adversely affects the critical information infrastructure specified
under section 70;

or who knowingly or intentionally penetrates or accesses a computer resource
without authorisation or exceeding authorised access, and by means of such conduct
obtains access to information, data or a computer database that is restricted for
reasons of the security of the State or foreign relations, or any restricted information,
data or computer database, with reason to believe that such information, data or
computer database so obtained may be used to cause or is likely to cause injury to
the interests of the sovereignty and integrity of India, the security of the State,
friendly relations with foreign States, public order, decency or morality, or in relation
to contempt of court, defamation or incitement to an offence, or to the advantage of
any foreign nation, group of individuals or otherwise,

commits the offence of cyber terrorism. A person who commits or conspires to commit
cyber terrorism shall be punishable with imprisonment which may extend to
imprisonment for life.

PUNISHMENT FOR PUBLISHING OR TRANSMITTING OBSCENE
MATERIAL IN ELECTRONIC FORM

Any person who publishes or transmits or causes to be published in the electronic
form any material which is lascivious or appeals to the prurient interest, or if its
effect is such as to tend to deprave and corrupt persons who are likely, having
regard to all relevant circumstances, to read, see or hear the matter contained or
embodied in it, shall be punished on first conviction with imprisonment of either
description for a term which may extend to three years and with fine which may
extend to five lakh rupees, and in the event of a second or subsequent conviction
with imprisonment of either description for a term which may extend to five years
and also with fine which may extend to ten lakh rupees.

PUNISHMENT FOR PUBLISHING OR TRANSMITTING OF
MATERIAL CONTAINING SEXUALLY EXPLICIT ACT, ETC. IN
ELECTRONIC FORM

Whoever publishes or transmits or causes to be published or transmitted in the
electronic form any material which contains sexually explicit act or conduct shall be
punished on first conviction with imprisonment of either description for a term which
may extend to five years and with fine which may extend to ten lakh rupees and in
the event of second or subsequent conviction with imprisonment of either
description for a term which may extend to seven years and also with fine which
may extend to ten lakh rupees.

PUNISHMENT FOR PUBLISHING OR TRANSMITTING OF
MATERIAL DEPICTING CHILDREN IN SEXUALLY EXPLICIT ACT,
ETC. IN ELECTRONIC FORM

Whoever publishes or transmits or causes to be published or transmitted material
in any electronic form which depicts children engaged in sexually explicit act or
conduct, or creates text or digital images, collects, seeks, browses, downloads,
advertises, promotes, exchanges or distributes material in any electronic form
depicting children in obscene or indecent or sexually explicit manner, or cultivates,
entices or induces children to online relationship with one or more children for and
on sexually explicit act or in a manner that may offend a reasonable adult on the
computer resource, or facilitates abusing children online, or records in any electronic
form own abuse or that of others pertaining to sexually explicit act with children,
shall be punished on first conviction with imprisonment of either description for a
term which may extend to five years and with a fine which may extend to ten lakh
rupees, and in the event of second or subsequent conviction with imprisonment of
either description for a term which may extend to seven years and also with fine
which may extend to ten lakh rupees.

The above three provisions shall not be applicable to any book, pamphlet, paper,
writing, drawing, painting, representation or figure in electronic form if the
publication of which is proved to be justified as being for the public good on the
ground that such book, pamphlet, paper, writing, drawing, painting, representation or
figure is in the interest of science, literature, art or learning or other objects of
general concern, or which is kept or used for bona fide heritage or religious purposes.
"Children" means a person who has not completed the age of 18 years.

PRESERVATION AND RETENTION OF INFORMATION BY
INTERMEDIARIES

An intermediary shall preserve and retain such information as may be specified, for
such duration and in such manner and format as the Central Government may
prescribe, and any intermediary who intentionally or knowingly abstains from doing
the same shall be punished with imprisonment for a term which may extend to
three years and shall also be liable to fine.

POWER OF CONTROLLER TO GIVE DIRECTIONS

The CCA can direct a CA or the employees of such a CA to take such measures or
cease carrying on such activities as specified in the order if those are necessary to
ensure compliance with the provisions of this Act, rules or any regulations made
there under. Any person intentionally or knowingly failing to comply with such an
order will have committed an offence and will be liable on conviction to
imprisonment for a term not exceeding two years or to a fine not exceeding one lakh
rupees or to both.

POWERS TO ISSUE DIRECTIONS FOR INTERCEPTION OR
MONITORING OR DECRYPTION OF OR BLOCKING OF ANY
INFORMATION THROUGH ANY COMPUTER RESOURCE

The Central Government or a State Government, or any of its officers specially
authorized by the Central Government or the State Government, as the case may
be, in this behalf, may, if satisfied that it is necessary or expedient to do so

• in the interest of the sovereignty or integrity of India,
• defense of India,
• security of the State,
• friendly relations with foreign States,
• public order,
• for preventing incitement to the commission of any cognizable offence
relating to the above, or
• for investigation of any offence,

after recording the reasons therefor in writing, direct or order any
agency of the Government to intercept or monitor or decrypt or block any
information transmitted through a computer resource. The Government is required
to specify safeguards, subject to which the interception or monitoring or decryption
is to be done. Any person, be it a subscriber or an intermediary or any other person
who is in charge of the computer resource, is bound to extend all possible
cooperation, technical assistance and facility as may be required by the authorities
to access or to secure access to the computer resource containing such
information, or generating, transmitting, receiving or storing such information; to
intercept or monitor or decrypt or block the information, as the case may be; or to
provide information stored in the computer resource. Failure to do so is punishable with
imprisonment for a term which can extend to seven years and also liability to fine.

POWER TO AUTHORIZE TO MONITOR AND COLLECT TRAFFIC
DATA OR INFORMATION THROUGH ANY COMPUTER RESOURCE
FOR CYBER SECURITY

The Central Government may, to enhance Cyber Security and for identification,
analysis and prevention of any intrusion or spread of computer contaminant in the
country, by notification in the Official Gazette, authorize any agency of the
Government to monitor and collect traffic data or information generated, transmitted,
received or stored in any computer resource. The intermediary or any person in
charge of the computer resource shall, when called upon by such agency, provide
technical assistance and extend all facilities to such agency to enable online access,
or to secure and provide online access, to the computer resource generating,
transmitting, receiving or storing such traffic data or information. The Government
shall prescribe the procedure and safeguards for monitoring and collecting traffic data or
information.

Any intermediary who intentionally or knowingly contravenes the provisions shall be
punished with imprisonment for a term which may extend to three years and
shall also be liable to fine.

"Computer Contaminant" shall have the meaning assigned to it in section 43.

"Traffic data" means any data identifying or purporting to identify any person,
computer system or computer network or location to or from which the
communication is or may be transmitted, and includes communications origin,
destination, route, time, date, size, duration or type of underlying service or any
other information.

PROTECTED SYSTEM

The Government has notified certain computer resources as Critical Information
Infrastructure to be a protected system. Critical Information Infrastructure refers to
computer systems or resources the destruction or incapacitation of which would
result in a debilitating impact on national security, economy, public health or
safety. The appropriate Government can, by notification in the Official Gazette,
declare any computer, computer system or computer network which directly or
indirectly affects the facility of a Critical Information Infrastructure to be a protected
system, and authorize the persons who are permitted to access protected systems.
In this regard the Government can prescribe specific information security practices
and procedures. Any person who secures unauthorized access or attempts to
secure unauthorized access to a protected system can be punished with
imprisonment of either description for a term which can extend to ten years and can
also be liable to fine.

CREATION OF NATIONAL NODAL AGENCY

The Central Government has the powers, through notification, to designate any
organization of the Government as the national nodal agency for Critical
Information Infrastructure Protection. Such agency shall be responsible for
all measures, including Research and Development, relating to protection of Critical
Information Infrastructure.

INDIAN COMPUTER EMERGENCY RESPONSE TEAM TO SERVE
AS NATIONAL AGENCY FOR INCIDENT RESPONSE

The Central Government has the powers, through notification, to appoint an agency
of the Government to be called the Indian Computer Emergency Response Team.
The Central Government shall provide such agency with a Director General and
such other officers and employees as may be prescribed. The Indian Computer
Emergency Response Team shall serve as the national agency for performing the
following functions in the area of Cyber Security:

a. collection, analysis and dissemination of information on cyber incidents
b. forecast and alerts of cyber security incidents
c. emergency measures for handling cyber security incidents
d. co-ordination of cyber incidents response activities
e. issue guidelines, advisories, vulnerability notes and white papers relating to
information security practices, procedures, prevention, response and
reporting of cyber incidents
f. such other functions relating to cyber security as may be prescribed

For carrying out the above functions, the agency may call for information and give
directions to service providers, intermediaries, data centers, body corporates and
any other person. Any service provider, intermediary, data center, body corporate
or person who fails to provide the information called for or to comply with such
direction shall be punishable with imprisonment for a term which may extend to one
year or with fine which may extend to one lakh rupees or with both.

PENALTY FOR MISREPRESENTATION

Whoever makes any misrepresentation to, or suppresses any material fact from, the
Controller or the Certifying Authority for obtaining any licence or ESC, as the case
may be, can be punished with imprisonment for a term which can extend to two
years, or with fine which can extend to one lakh rupees, or with both.

PENALTY FOR BREACH OF CONFIDENTIALITY AND PRIVACY

No person can publish an Electronic Signature Certificate or otherwise make it
available to any other person with the knowledge that the CA listed in the certificate
has not issued it, or the subscriber listed in the certificate has not accepted it, or the
certificate has been revoked or suspended, unless such publication is in the course
of verifying an electronic signature created prior to such suspension or revocation.
Such a contravention can be punished with imprisonment for a term which can
extend to two years, or with fine which can extend to one lakh rupees, or with both.

PENALTY FOR PUBLISHING ELECTRONIC SIGNATURE
CERTIFICATE FALSE IN CERTAIN PARTICULARS

Whoever knowingly creates, publishes or otherwise makes available an ESC for any
fraudulent or unlawful purpose can be punished with imprisonment for a term which
can extend to two years, or with fine which can extend to one lakh rupees, or with
both.

ACT TO APPLY FOR OFFENCE OR CONTRAVENTION COMMITTED
OUTSIDE INDIA

The Act gives extra-territorial jurisdiction in cases where the offence or
contravention is committed from outside India, by any person irrespective of his
nationality. The provisions of this Act will apply also to any offence or contravention
committed outside India by any person irrespective of his nationality if the act or
conduct constituting the offence or contravention involves a computer, computer
system or computer network located in India. No penalty imposed or confiscation
made under this Act can prevent the imposition of any other punishment to which
the person affected thereby is liable under any other law for the time being in force.

CONFISCATION

Any computer, computer system, floppies, compact disks, tape drives or any other
accessories related thereto, in respect of which any provision of this Act, rules,
orders or regulations made thereunder has been or is being contravened, will be
liable to confiscation. Provided that where it is established to the satisfaction of the
court adjudicating the confiscation that the person in whose possession, power or
control any such computer, computer system, floppies, compact disks, tape
drives or any other accessories relating thereto is found is not responsible for the
contravention of the provisions of this Act, rules, orders or regulations made
thereunder, the court can, instead of making an order for confiscation of such computer,
computer system, floppies, compact disks, tape drives or any other accessories
related thereto, make such other order authorized by this Act against the person
contravening the provisions of this Act, rules, orders or regulations made
thereunder as it may think fit.

INTERMEDIARIES NOT LIABLE IN CERTAIN CASES

Unless otherwise specifically provided to the contrary, an intermediary will not be
liable for any third party information, data or communication link made available by him. This
exemption is available only if:

• The intermediary's role is limited to providing access to a communication
system over which third parties transmit information or temporarily store the
same.
• The intermediary does not

1. Initiate the transmission,
2. Select the receiver of the transmission, or
3. Modify the information contained in the transmission.

The exemption would however stand withdrawn if the intermediary conspires or abets
the commission of an unlawful act, or if, after having received information from the
government that any information, data or communication link residing in or
connected with computer resources controlled by the intermediary is being used
to commit unlawful acts, such intermediary fails to act expeditiously in removing
or disabling access to such link or resource.

EXAMINER OF ELECTRONIC EVIDENCE

For the purpose of providing an expert opinion on electronic form evidence before
any Court or other statutory body, the Central Government can specify, by
notification in the Official Gazette, any department, body or agency of the Central
Government as an examiner of electronic evidence. Here, electronic form evidence
means any information of probative value which is stored or transmitted in electronic
form. It includes computer evidence, digital audio and digital video, cell phones,
fax machines etc.

PROTECTION OF ACTION TAKEN IN GOOD FAITH

No suit, prosecution or other legal proceeding will lie against the Central
Government, the State Government, the Controller or any person acting on behalf
of him, or the Chairperson, Members, officers and staff of the Cyber Appellate
Tribunal, for anything which is done or intended to be done in good faith in
pursuance of this Act or any rule, regulation or order made thereunder.

ENCRYPTION METHODS

The Central Government can prescribe the modes and methods for encryption for
the purposes of secure use of electronic medium and for promotion of e-governance
and e-commerce.

PUNISHMENT FOR ABETMENT OF OFFENCES

When a person abets any offence and the act being abetted is committed in
consequence of the abetment, such a person can be made liable for the same
offence and the penal consequences awarded for it, even though abetment, by
itself, may not be an offence. An act or offence is said to be committed in
consequence of abetment when it is committed as a consequence of instigation
or a conspiracy. Where a person attempts to commit an offence punishable by this
Act, or causes such an offence to be committed, any act done in the course of such
an attempt is itself punishable: imprisonment may extend to one-half of the longest
term of imprisonment provided for the offence, or a fine, or both.

PUNISHMENT FOR ATTEMPT TO COMMIT OFFENCES

Any person who attempts to commit an offence punishable by this Act will be
punished with imprisonment for a term which may extend to one-half of the longest
term of imprisonment provided for that offence, or with such fine as is provided for
the offence, or with both.

OFFENCES BY COMPANIES

Where a contravention of any of the provisions of this Act or of any rule, direction or
order made under this Act is committed by a company, every person who, at the
time the contravention was committed, was in charge of, and was responsible to,
the company for the conduct of the business of the company, as well as the
company itself, will be guilty of the contravention and will be liable to be proceeded
against and punished accordingly. Any such person will, however, be absolved of
the contravention if he proves that it took place without his knowledge or that he
exercised all due diligence to prevent it.

Where it is proved that the contravention of any of the provisions of this Act or of
any rule, direction or order has been committed by a company with the consent or
connivance of, or is attributable to any neglect on the part of, any director,
manager, secretary or other officer of the company, such director, manager,
secretary or other officer will also be deemed to be guilty of the contravention and
will be liable to be proceeded against and punished accordingly. Here "company"
means any body corporate and includes a firm or other association of individuals;
and "director", in relation to a firm, means a partner in the firm.

REMOVAL OF DIFFICULTIES

If any difficulty arises in giving effect to the provisions of this Act, the Central
Government can, by order published in the Official Gazette, make such provision or
give such direction as it deems necessary or expedient to remove the difficulty.
However, no order for removal of difficulties can be made after the expiry of a
period of two years from the commencement of this Act. Every order made for the
removal of difficulties will be laid, as soon as may be after it is made, before each
House of Parliament.

POWER OF CENTRAL GOVERNMENT TO MAKE RULES

The Central Government can, by notification in the Official Gazette and in the
Electronic Gazette make rules to carry out the provisions of this Act. In particular,
and without prejudice to the generality of the foregoing power, the rules can provide
for all or any of the following matters, namely:—

a. the conditions for considering the reliability of an electronic signature or
authentication technique;
b. the procedure for ascertaining an electronic signature or authentication;
c. the manner in which any information or matter can be authenticated by means
of an electronic signature;
d. the electronic form in which filing, issue, grant or payment will be effected;
e. the manner and format in which electronic records will be filed or issued, and
the method of payment;
f. the manner in which the appropriate service provider can collect, retain and
appropriate service charges;
g. the matters relating to the type of electronic signature, and the manner and
format in which it can be affixed;
h. the manner of storing and affixing an electronic signature;
i. the qualifications, experience and terms and conditions of service of the
Controller, Deputy Controllers and Assistant Controllers;
j. the security procedures and practices to be followed;
k. the form of an application for a licence to issue ESCs, the eligibility criteria of
the applicant, the period of validity of such a licence, the amount of fees
payable, the other documents which will accompany an application for a
licence, and the form and fee for renewal of a licence;
l. the form in which an application for issue of an ESC can be made and the fee
to be paid for the purpose;
m. the manner in which the adjudicating officer will hold an inquiry;
n. the qualification and experience which the adjudicating officer will possess;
o. the salary, allowances and other terms and conditions of service of the
Chairperson and Members;
p. the procedure for investigation of misbehaviour or incapacity of the
Chairperson and Members;
q. the salary and allowances and other conditions of service of other officers
and employees;
r. the form in which an appeal to the Cyber Appellate Tribunal can be filed and
the fee thereof;
s. any other power of a civil court required to be prescribed for the purposes of
the Cyber Appellate Tribunal;
t. the duties of any subscriber and the reasonable security practices and
procedures to be adopted while dealing with sensitive personal information;
u. the powers and functions of the Chairperson and the Members of the Cyber
Appellate Tribunal;
v. safeguards for the interception, monitoring or decryption of information;
w. the information security procedures and practices to be followed in respect of
protected systems;
x. guidelines to be observed by intermediaries;
y. modes and methods of encryption for promoting e-governance and e-commerce.

Every rule made by the Central Government notifying such class of documents or
transactions as can be notified by the Central Government in the Official Gazette
which are outside the purview of this Act and every rule made by it shall be laid, as
soon as can be after it is made, before each House of Parliament, while it is in
session, for a total period of thirty days which can be comprised in one session or in
two or more successive sessions, and if, before the expiry of the session
immediately following the session or the successive sessions aforesaid, both
Houses agree in making any modification in the notification or the rule or both
Houses agree that the notification or the rule should not be made, the notification or
the rule shall thereafter have effect only in such modified form or be of no effect, as
the case may be; so, however, that any such modification or annulment shall be
without prejudice to the validity of anything previously done under that notification or
rule.

POWER OF CONTROLLER TO MAKE REGULATIONS

The Controller may, after consultation with the Cyber Regulations Advisory
Committee and with the previous approval of the Central Government, by
notification in the Official Gazette, make regulations consistent with this Act and the
rules in relation to the following matters:

• maintenance of a database containing the disclosure record of every
Certifying Authority;
• the conditions and restrictions subject to which the Controller may recognize
any foreign Certifying Authority;
• the terms and conditions subject to which a licence may be granted to a CA;
• other standards to be observed by a Certifying Authority;
• the manner in which the Certifying Authority shall disclose the matters
specified in relation to a DSC;
• the particulars of the certification practice statement which shall accompany
an application;
• the manner by which a subscriber communicates the compromise of a private
key to the Certifying Authority.

Every regulation made under this Act shall be laid, as soon as may be after it is
made, before each House of Parliament, while it is in session, for a total period of
thirty days which may be comprised in one session or in two or more successive
sessions, and if, before the expiry of the session immediately following the session
or the successive sessions aforesaid, both Houses agree in making any
modification in the regulation or both Houses agree that the regulation should not be
made, the regulation shall thereafter have effect only in such modified form or be of
no effect, as the case may be; so, however, that any such modification or
annulment shall be without prejudice to the validity of anything previously done
under that regulation.

POWER OF STATE GOVERNMENT TO MAKE RULES

The State Government can, by notification in the Official Gazette, make rules to
carry out the provisions of this Act. In particular, and without prejudice to the
generality of the foregoing power, such rules can provide for all or any of the
following matters, namely:—

a. the electronic form in which filing, issue, grant, receipt or payment of
e-licences will be effected;
b. the electronic form for e-returns and e-payments;
c. any other matter which is required to be provided by rules by the State
Government.

Every rule made by the State Government under this section shall be laid, as soon
as may be after it is made, before each House of the State Legislature where it
consists of two Houses, or where such Legislature consists of one House, before
that House.

AMENDMENT TO OTHER ACTS

The Indian Penal Code, The Indian Evidence Act, 1872, The Bankers' Books
Evidence Act, 1891, and The Reserve Bank of India Act, 1934, shall be amended in
the manner specified in the Schedules to this Act.
say at least once in two years. The same needs to be incorporated in the IS Audit
policy/charter. Further, in order to avoid conflict of interest, an audit firm/consultant who
has provided consulting services on a specific area should not audit that area as part of
a pre- or post-implementation audit.

GLOSSARY
COMPUTER TERMINOLOGY

ATM: Automated Teller Machine

SWIFT: Society for Worldwide Interbank Financial Telecommunication

SFMS: Structured Financial Messaging System

OLTAS: Online Tax Accounting System

CBS: Centralized/Core Banking Solution

PIN: Personal Identification Number

LAN: Local Area Network (used in the same building)

MAN: Metropolitan Area Network (used in the same city)

WAN: Wide Area Network (used in different locations)

IDRBT: Institute for Development & Research in Banking Technology

Banknet: Payment System Network established by RBI

NICNET: National Informatics Centre Network (currency chest operation)

WWW: World Wide Web

HTTP: Hyper Text Transfer Protocol

URL: Uniform Resource Locator

VSAT: Very Small Aperture Terminal


Firewall: Software programme that restricts unauthorized access to data and acts as a
security barrier for a private network

Booting: Starting of a computer

Hard Disk: A device for storage of data fitted in the processor itself

Modem: Modulator & Demodulator: A device used for converting digital signals to
analog signals & vice versa

Encryption: Changing the data into coded form

Decryption: Process of decoding the data

Virus: Vital Information Resources Under Siege: Software programme that slows down
the working of a computer or damages the data. The main source of viruses is the
internet (other sources are floppy or CD)

Vaccine: Anti-virus software programme used for preventing entry of a virus or repairing
the damage

Digital Sign: Authentication of electronic records by a subscriber by means of an
electronic method or procedure

Keys used: For digital signatures, there is a pair of keys, a private key & a public key

RTGS: Real Time Gross Settlement

ECS Credit: One account debited, a number of accounts credited

ECS Debit: One account credited, a number of accounts debited

Hacking: Knowingly concealing, destroying, altering any computer code used for a
computer network

Address: The location of a file. You can use addresses to find files on the Internet and
on your computer. Internet addresses are also known as URLs.

IMPORTANT ABBREVIATIONS

AI – Artificial Intelligence
ALGOL – Algorithmic Language
ARP – Address Resolution Protocol
ASCII – American Standard Code for Information Interchange
BINAC – Binary Automatic Computer
BCC – Blind Carbon Copy
Bin – Binary
BASIC – Beginner's All-purpose Symbolic Instruction Code
BIOS – Basic Input Output System
Bit – Binary Digit
BSNL – Bharat Sanchar Nigam Limited
CC – Carbon Copy
CAD – Computer Aided Design
COBOL – Common Business Oriented Language
CD – Compact Disc
CRT – Cathode Ray Tube
CDR – Compact Disc Recordable
CDROM – Compact Disc Read Only Memory
CDRW – Compact Disc Rewritable
CDR/W – Compact Disc Read/Write
DBA – Data Base Administrator
DBMS – Data Base Management System
DNS – Domain Name System
DPI – Dots Per Inch
DRAM – Dynamic Random Access Memory
DVD – Digital Video Disc/Digital Versatile Disc
DVDR – DVD Recordable
DVDROM – DVD Read Only Memory
DVDRW – DVD Rewritable
DVR – Digital Video Recorder
DOS – Disk Operating System
EBCDIC – Extended Binary Coded Decimal Interchange Code
e-Commerce – Electronic Commerce
EDP – Electronic Data Processing
EEPROM – Electrically Erasable Programmable Read Only Memory
ELM/e-Mail – Electronic Mail
ENIAC – Electronic Numerical Integrator and Computer
EOF – End Of File
EPROM – Erasable Programmable Read Only Memory
EXE – Executable
FAX – Facsimile (Far Away Xerox)
FDC – Floppy Disk Controller
FDD – Floppy Disk Drive
FORTRAN – Formula Translation
FS – File System
FTP – File Transfer Protocol
Gb – Gigabit
GB – Gigabyte
GIF – Graphics Interchange Format
GSM – Global System for Mobile Communication

ISB Recollected Questions and Exam Tips:

Function of modem, which is not an OOP language (C, C++, Java, C#), questions about DRP,
Trojan horse, sniffing, spoofing, availability, integrity, DBMS, preventive, corrective,
detective controls, BCP

Information system banker exam.

Some questions shared by members, MAY 2019

CyAT
CAA
Digital Signature
BCP
Digital forensics
Normalisation
Internal audit
DBA responsibility
Telecommunications system audit
Power off switches
Cyber tribunal judge or magistrate
DS reissuance
Central depository of DS
Audit trail significance
Bottom up methodology
Audit plan
BCP
IDS
Virtual keyboard
IFMS full form
EFT
RBIA
Inherent risk
Insider threat
IS Audit policy
Information security officer role
DBA responsibility
Stress testing
BCNF
Critical applications
Poor architecture system
SDLC
Prototyping model
RTO application
IT Act 2000
Punishment for copyright as per IT Act
Controller of Certifying Authorities operates the National Repository of Digital
Signatures (NRDC)
DDL DML DCL TCL commands, CA CCA-Digital certificates
Digital signature complete
Cyber appellate tribunal presiding officer
System testing
Compliance testing
Substantive testing
Telecom control
Db forms
Db commands
Risk based audit
It audit
Dba roles n resp
Prototyping model
Sdlc full
Interface testing
ReBIT Ltd regarding IT subsidiary of RBI
Non repudiation
Bot stroke worms
Certified information System Banker

13.01.2019 3 PM Batch
Moderate Difficulty
Passing Mark 60
Each question carries 1 mark ( 100 questions )

Scored 55 marks

Recollected questions
DR centre location
Data warehouse
Audit charter/policy
IS audit, 5-10 questions
RAM and cache memory
Static RAM
Metadata
Which DB model used in CBS
Characteristics of a table
Many to Many relationship in DB
Simple ,self,outer join
Adaptive maintenance
Multiplexing
Packet switching
Full Duplex method
Bridge,router,switch,gateway
Diff between router and switch
Function of osi model layers 5 questions
Which protocol used in banking http,smtp,tcp/ip
Real time processing
Emergency response
Mirror site and reciprocal agreement
Trojan horse
E money
INFINET
CFMS
SFMS
Spoofing, piggybacking
Pervasive principle in GASSP
Classification of control
Boundary sub system
Audit trail
Attenuation
Types of noise (cross talk)
False positive and negative
Firewall
Intrusion detection systems and tuning
In what circumstances user ID and password will be given to user(emergency access)
Remote Access
OS tasks
Travelling virus procedure
Public and private key encryption
Information system for bankers recollected questions on 18 Oct 2020

IDS, operators in SQL, steps involved in data warehouse, BCP, smart cards

Defence in depth

Chapter 6 of IT Act

CAAT

Data about data

Section 46 of IT Act
Responsibility of database administrator

What is intellectual property

IPsec

Certifying authority related questions

Digital signature related questions


Electronic form

These are some of the recalled questions from Information System Banker.

Disclaimer
While every effort has been made by me to avoid errors or omissions in this
publication, any error or discrepancy noted may be brought to my notice through e-mail
to [email protected] and shall be taken care of in the subsequent editions.
It is also suggested that, to clarify any doubt, colleagues
should cross-check the facts, laws and contents of this publication with original Govt. /
RBI / Manuals / Circulars / Notifications / Memo / Spl Comm. of our bank.
