rnfiqp,R

sflril*qfo,rsfu

E+cvcTicrddRffiqitljlffifuffi

qqnorqicrq : {i&rfi, qrq ($, gq{ - 400 0s1

tfr: +91 222653 002+ . fr-w :+91 222653 O150

t-td

: dfi

bt@nabard.org

iE-qrfe : www.nabard.org

Ref No..NB.DFlBT/ 5413- 58L4

National Bank for Agriculture and Rural Development

Dept. of Financial Inclusion & Banking Technology
Head Office : BKC, Bandra (Ef Mumbai - 400 051
Tel. : +91 2226530024. Fax: +91 22 2653 0150
E-mail : dfibt@nabard.org . Website

www.nabard.org

/ c9s-36/ zot4-ts

30 March 2015
Circular ruo.

49

/DF|BTO+/zltg

The Chairman and Managing Director/ Chief Executive officers

State Cooperative Banks

District Central Cooperative Banks

Madam/Dear Sir

Security measures in CBS environment -Credit Information Company Membership (ClC),

tnformation Technotogy Policy (lT Policy), Information Security Policy (lS policy), SMS Alerts
Facility and FIU-lND Registration

to CBS platform and there are many requirements in the changed

environment' where banks now require to adopt appropriate governance framework, technology

The co-operative sector has migrated

management methodologies and fool proof security mechanisms.

RBI has issued instructions to banks for adopting security and risk mitigation measures , taking up
membership of Credit Information Companies and introducing SMS Alerts facility to custome,rs on all financial
tra nsactions.

/435 dated 15 January 2015 requires that the banks obtain membership of all
fourCredit Information Companies , viz, Credit information Bureau(lndia) Limited, Equifax Credit Information
Services Limited, Experian Credit Information Company of lndia Private Limited and CRIF High Mark Credit
Services private Limited by t5 April 2015. Unfortunately many of the Banks under co-operative structure are
not complying with these three regulatory requirements making them vulnerable in the new environment. A
reference is also invited to NABARD CircularNo.160/ DOS-13/ 20LL dated 25 august 201L.. (Copy enclosed)
RBI circular No. RBI/ 2Ot4-L5

to put in place an lT and lS Policy approved by the Board, SMS alert facility for
financial transactions without any further delay, but not later than 30 June 2015. Regarding becoming
We therefore advise you

members of ClCs, RBt has already given a timeline of 15 April 2015 which should be adhered to. Banks should
also get themselves registered with FIU-lND for sending necessary reports.
Compliance to these requirements would also form part of supervisory observation of the bank.

(Chief General Manager)

rii{rtH}tvrqt
Taking Rural India >> Forward

NB.DoS.HO.POL.CFMC /.1884.1 P.80 / 2011-12

25 August 201

Circular No..160....../ DoS -13..... I 2011

1. The Chairman

Allthe Regional Rural Banks in the Country

2. The Managing Directors /
Chief Executive Officers
Allthe State Cooperative Banks /
Central Cooperative Banks in the Country
Dear Sir

Frauds in the computerised environment

As you are aware, application of information technology has already been recognised
as an effective tool to run the systems efficiently and securely. lt helps in creating
new opportunities for the organisation and help it in moving ahead of its competitors.
At present, when all the RRBs in our country are set to become CBS compliant as on
30 September 2011, a few Cooperative Banks had also gone ahead in this direction.
Although,mosi of the Cooperative Banks have introduced computerisation for their
front office operation, only a few have done back office computerisation.

2. As banks are investing in technologies to ensure secure and efficient banking

channels, it is necessary for them to adopt appropriate Governance framework,
technology management methodologies and foolproof security methanisms.
However, it is observed that a majority of the Cooperative Banks and RRBs have not
employed qualified computer personnel. They have not taken suitable steps for
human resource development in the area of information technology by providing
training to existing staff. There is lack of awareness among staff on security system
available with the technology especially maintaining secrecy of Passwords. There is
lack of awareness at management level for adoption of technology, governance, risks,
controls, etc. Some of the banks depend fully on service providers for managing the
system without entering into comprehensive agreement on ethical aspects of the
company and personnel employed by the company. Some of the banks even have
allowed the persons working for the computer agency to transact entire operation of

the bank.

3. In past two years some incidences of cyber fraud have come to our notice. In one
case fraud was perpetrated by the employee of the service provider in collusion with
some of the account holders by making fraudulent credit entries in the SB accounts of
the depositors which were subsequently withdrawn by them. In another case the BM
in collusion with the service provider had defrauded the bank. In one case the junior
officer misused the password of the BM and defrauded the bank.

&,

4. Vulnerability in lT arises as creation and authentication of financial transactions on

computer system is done electronically. Unless sufficient control and security features
are incorporated in computer system, fraudulent transactions can enter into the
system. Two basic principles on which such controls will be established are i) the
principle of least privilege means every individual is given access to the sensitive
information / data or programme strictly required for his job nothing more ii) the
principle of maker and checker means for each transaction, there must be at least two
individuals, one individual may create the transaction and other should confirm or
authenticate the same. Some of the suggestions for prevention of frauds in
computerised environment are given as under:
A) General measures
(i) Systems and equipment needs of the bank should be planned for at least three to
five years. lt should be subject to annual review by Top Management.
(ii) The hardware and software purchase standards need to be standardised.

(iii) Hardware should be tested and proven one with adequate warranty.

(iv) The software acquired from outside should be ensured to conform to bank's
requirements with adequate controls and should be tested and audited before
acceptanOe.

(v) ln-house software development should be standardised and periodical systems

audit/review should be conducted.

(vi) Systems in banks should be well documented and kept upto-date and secure.
Changes to the system need to be controlled.
(vii) Data processing procedures, backup procedures etc., should be evolved covering
all computer systems of the bank and made known to all concerned.
(viii) System administration procedures and duties of personnel should be clearly spelt
out for every computer installation and made known to the employees.

(ix) Confidentiality of information should be categorised and access rights must be

specified.

(x) Customer complaints relating to computer areas should be looked at from the
computer systems point of view. Computer Planning and Policy Departments
(CPPDs) should be associated with this exercise.

(xi) Security procedures covering hardware, software backup, storage of

both

computer records and reports, stationery etc., should be standardised.

(xii) Computer audit should be made a meaningful exercise by involving the auditors
at the system development stage itself. The officers trained in systems audit by Indian
banks' Association (lBA) in their long term training programmes can be utilised for this
purp9se.

7)

(xiii) Operational auditors should be trained for audit around the computer, as part of
internal audit of branches.
(xiv) Quarterly snap inspections of the branches should be made by the branch level
senior officers and/or by Zonal Office/Regional Office officers, to especially verify
whether drawing power/limit, interest rates etc., are correctly entered.
B) Administrative measures

(i) Banks must add relevant paragraphs covering computerised aspects, while issuing
general Administrative instructions. To this extent there is need for awareness of
various systems in the banks in non-computer departments, e.9., credit, deposits,
development, general operations department, systems and procedures department,
etc.

(ii) Training of operational level officers needs to be streamlined to include the

computer aspects of each topic in each session.
(iii) Standards should be evolved as regards

a. On line storage periodicity.

b. Storage of historical data.

c. Procedures regarding

old records.

d.

Appiication-wise back up procedures and off-site storage of backups, etc.

e.

Uninterrupted power supply should be ensured.

f"

Back up of files should be taken up at periodical intervals and kept at a nearby

office.

g.

Employees in EDP Cells, computer areas should be screened and should be

carefully selected. At their unwillingness to work, they should be replaced.

C) Preventive Vigilance measures

(i) In every computer installation at least two persons should be charged with the
duties of a) System administration b) Data based administration and processing. Their
duties should be spelt out. Necessary back up officers should be trained and kept
ready.

(ii) Rotation of duties across computerised offices/branches should be ensured

in

such a way that while the acquired skills are not wasted, access to those applications
whose programmes have been developed by concerned persons, is denied to them.
Also, it should be ensured that this segregation is observed in subsequent
rotations/postings.

(iii) Every bank should have at their Head Office, CPPD, a library containing
authenticated manuals and documentation for system software and application
software programmes with their source codes and hardware manuals

(iv) Procedures should be established for conveying sensitive control information,

such as, limits, drawing power, interest rates, charges, forex rates etc., by the
concerned divisions to computer section.
D) Insurance

It id prudent to obtain insurance cover in respect of particular risks within the bank,
e.9., some of the risks such as cost of replacing data, software and equipment. lt may
also be possible to insure the consequential losses to a bank following damage to
computer resources and consequent business interruptions. However, insurance
should not be regarded as substitute for a good control mechanism. lt may also be
prudent to identify types of losses that are not covered by insurance and lay greater
emphasis on control mechanism in respect of such areas as a matter of policy.

5. In view of above, you are requested to review the lT system of your bank afresh
and incorporate proper control measure for uninterrupted functioning of the bank.

6. A note containing problems with passwords and password management principles

is enclosed in the Annexure for your reference.
7, Please acknowledge receipt of this circular to our concerned Regional Office.

Yours faithfully

sd/(G.C.Panigrahi)
Chief General Manager

Y.

Annexure
Some Problems with Passwords

1. To remember passwords, user write them down.

2. Users choose easy-to-guess passwords, such as the name of a family member or

the month in which their birthday occurs.

3. Users do not change passwords for prolonged periods.

4. Users failto appreciate the importance of passwords.
5. Users disclose their passwords to friends or work colleagues.
6. Some access control mechanisms require users to remember multiple passwords.
7. Some access control mechanisms do not store passwords in encrypted form.
8. Passwords are not changed when a person leaves an organisation.
9. Passwords are transmitted over communications lines in clear text form.
Some Password Management Principles

1. A large set of passwords should be acceptable to an access control

mechanism.

2.

An access control mechanism should not permit passwords to be chosen that are
below a minimum length.

3.

An access control mechanism should not permit users to choose weak passwords
- for example, words that are found in a dictionary or words containing minimum
variation in the letters chosen.

4. Users should be forced to change their passwords periodically.

5. Users should not be permitted to reuse passwords that they have used during,
say, the past 12 months.

6.

Passwords should be encrypted via a one-way function whenever they are stored
or transmitted.

7. Users should be educated about the importance of password security, the

procedures they can use to choose secure passwords, and the procedures they
should follow to keep passwords secure.

8. Passwords

should be changed immediately if there is a possibility they have been

compromised.

9.

An access control mechanism should limit the number of password entry attempts.

Source : Information Systems Control and Audit - Ron Weber