bt@nabard.org
Website: www.nabard.org
Circular No. 49/DoS-36/2014-15
30 March 2015
Madam/Dear Sir
RBI circular No. RBI/2014-15/435 dated 15 January 2015 requires that the banks obtain membership of all four Credit Information Companies, viz, Credit Information Bureau (India) Limited, Equifax Credit Information Services Limited, Experian Credit Information Company of India Private Limited and CRIF High Mark Credit Services Private Limited by 15 April 2015. Unfortunately many of the Banks under co-operative structure are not complying with these three regulatory requirements, making them vulnerable in the new environment. A reference is also invited to NABARD Circular No.160/DOS-13/2011 dated 25 August 2011 (Copy enclosed).

We therefore advise you to put in place an IT and IS Policy approved by the Board, and an SMS alert facility for financial transactions, without any further delay, but not later than 30 June 2015. Regarding becoming members of CICs, RBI has already given a timeline of 15 April 2015 which should be adhered to. Banks should also get themselves registered with FIU-IND for sending necessary reports.

Compliance to these requirements would also form part of supervisory observation of the bank.
Taking Rural India >> Forward
25 August 2011
the bank.
3. In the past two years some incidents of cyber fraud have come to our notice. In one case fraud was perpetrated by an employee of the service provider in collusion with some of the account holders, by making fraudulent credit entries in the SB accounts of the depositors which were subsequently withdrawn by them. In another case the BM in collusion with the service provider had defrauded the bank. In one case a junior officer misused the password of the BM and defrauded the bank.
(iii) Hardware should be a tested and proven one with adequate warranty.
(iv) Software acquired from outside should be ensured to conform to the bank's requirements with adequate controls, and should be tested and audited before acceptance.
(vi) Systems in banks should be well documented and kept up-to-date and secure. Changes to the system need to be controlled.
(vii) Data processing procedures, backup procedures etc., should be evolved covering all computer systems of the bank and made known to all concerned.
(viii) System administration procedures and duties of personnel should be clearly spelt out for every computer installation and made known to the employees.
(x) Customer complaints relating to computer areas should be looked at from the computer systems point of view. Computer Planning and Policy Departments (CPPDs) should be associated with this exercise.
(xiii) Operational auditors should be trained for audit around the computer, as part of internal audit of branches.
(xiv) Quarterly snap inspections of the branches should be made by the branch level senior officers and/or by Zonal Office/Regional Office officers, to especially verify whether drawing power/limit, interest rates etc., are correctly entered.
B) Administrative measures
(i) Banks must add relevant paragraphs covering computerised aspects while issuing general administrative instructions. To this extent there is a need for awareness of the various systems in the bank in non-computer departments, e.g., credit, deposits, development, general operations department, systems and procedures department, etc.
c. Procedures regarding old records.
(i) In every computer installation at least two persons should be charged with the duties of a) system administration and b) database administration and processing. Their duties should be spelt out. Necessary back-up officers should be trained and kept ready.
in such a way that while the acquired skills are not wasted, access to those applications whose programmes have been developed by the concerned persons is denied to them. Also, it should be ensured that this segregation is observed in subsequent rotations/postings.
(iii) Every bank should have at their Head Office, CPPD, a library containing authenticated manuals and documentation for system software and application software programmes with their source codes, and hardware manuals.
It is prudent to obtain insurance cover in respect of particular risks within the bank, e.g., some of the risks such as the cost of replacing data, software and equipment. It may also be possible to insure the consequential losses to a bank following damage to computer resources and consequent business interruptions. However, insurance should not be regarded as a substitute for a good control mechanism. It may also be prudent to identify types of losses that are not covered by insurance and lay greater emphasis on the control mechanism in respect of such areas as a matter of policy.
5. In view of the above, you are requested to review the IT system of your bank afresh and incorporate proper control measures for uninterrupted functioning of the bank.
Yours faithfully
sd/- (G.C. Panigrahi)
Chief General Manager
Annexure
Some Problems with Passwords
mechanism.
2. An access control mechanism should not permit passwords to be chosen that are below a minimum length.
3. An access control mechanism should not permit users to choose weak passwords - for example, words that are found in a dictionary or words containing minimum variation in the letters chosen.
6. Passwords should be encrypted via a one-way function whenever they are stored or transmitted.
procedures they can use to choose secure passwords, and the procedures they should follow to keep passwords secure.
8. Passwords
9. An access control mechanism should limit the number of password entry attempts.
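Items 2, 3, 6 and 9 of the annexure expressed as one small access-control routine, as an added example that is not part of the circular or of any bank's software; the wordlist, the thresholds (8 characters, 5 attempts), and the choice of salted PBKDF2-HMAC-SHA256 as the one-way function are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for item 3's "dictionary"; a real deployment loads a full wordlist.
DICTIONARY = {"password", "welcome", "nabard", "letmein", "qwerty"}
MIN_LENGTH = 8        # item 2: minimum length (assumed value)
MAX_ATTEMPTS = 5      # item 9: cap on password entry attempts (assumed value)
PBKDF2_ROUNDS = 100_000

def check_password_policy(password):
    """Return the list of policy violations (empty if the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than minimum length")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    # Item 3's "minimum variation in the letters chosen": too few distinct
    # characters, or only one character class (all lower-case, all digits, ...).
    classes = sum(any(t(c) for c in password) for t in (str.isupper, str.islower, str.isdigit))
    if len(set(password)) < 4 or classes < 2:
        problems.append("insufficient variation")
    return problems

def hash_password(password, salt=b""):
    """Item 6: keep only a salted one-way hash (PBKDF2-HMAC-SHA256), never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest   # the salt travels with the digest so verification can repeat it

class Account:
    def __init__(self, password):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self.stored = hash_password(password)
        self.failed_attempts = 0
        self.locked = False

    def login(self, attempt):
        if self.locked:
            return False           # item 9: no further attempts once locked
        salt = self.stored[:16]
        if hmac.compare_digest(hash_password(attempt, salt), self.stored):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True     # lock out after too many failures
        return False
```

The constant-time comparison and the lockout counter together keep a wrong guess from leaking anything beyond "rejected", which is what item 9 is asking for.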