Version History

Version Date Created By Approved by Signature

Distribution List
S. No Names Designations

Change History
Date of Revision Pages Brief Description of Changes Approved
Revision Number Amended Changes by

i
Contents
Version History ...................................................................................................................... i
Distribution List ..................................................................................................................... i
Change History ...................................................................................................................... i
1 Introduction ....................................................................................................................1
1.1 Purpose .................................................................................................................................... 1
1.2 Scope ........................................................................................................................................ 1
2 Enterprise Technology Governance Stakeholders ..............................................3
3 Enterprise Technology Governance and Risk Management Framework
Model ........................................................................................................................................3
4 Enterprise Technology Governance Policy Framework.....................................4
5 IT Governance ................................................................................................................7
5.1 Introduction .............................................................................................................................. 7
Purpose............................................................................................................................ 7
Scope ............................................................................................................................... 8
5.2 IT Governance Processes ..................................................................................................... 9
5.3 IT Strategy................................................................................................................................ 9
Objectives of IT Strategy ............................................................................................. 10
Scope of IT Strategy .................................................................................................... 10
5.4 IT Strategic Management Framework ............................................................................... 11
5.5 Roles and Responsibilities .................................................................................................. 12
5.6 Organizational Structure ...................................................................................................... 12
Management Committees ........................................................................................... 12
5.7 Management Information System (MIS)............................................................................ 13
5.8 Capacity Building/Training ................................................................................................... 13
6 Information Security...................................................................................................14
6.1 Introduction ............................................................................................................................ 14
Purpose.......................................................................................................................... 14
Scope: ............................................................................................................................ 14
6.2 Information/Cyber Security Management Framework..................................................... 16
Introduction.................................................................................................................... 16
Purpose.......................................................................................................................... 16
Scope ............................................................................................................................. 16
Framework Core ........................................................................................................... 17
6.3 Identification and Prioritization of Information System Assets ....................................... 19

ii
 Introduction.................................................................................................................... 19
Purpose and Scope: .................................................................................................... 19
6.4 Information Security Risk Management ............................................................................ 20
Introduction.................................................................................................................... 20
Purpose.......................................................................................................................... 20
Scope ............................................................................................................................. 20
6.5 Security Controls Implementation ...................................................................................... 20
Introduction.................................................................................................................... 20
Purpose.......................................................................................................................... 20
Scope: ............................................................................................................................ 21
6.6 Cyber Security Action Plan .................................................................................................. 22
Introduction.................................................................................................................... 22
Purpose.......................................................................................................................... 22
Scope ............................................................................................................................. 22
6.7 Incident Reporting ................................................................................................................. 23
6.8 Security Requirements and Testing ................................................................................... 23
6.9 Risk Monitoring and Reporting............................................................................................ 23
6.10 Threat Intelligence and Industry Collaboration ................................................................. 23
7 IT Service Delivery and Operations Management ..............................................24
7.1 Introduction ............................................................................................................................ 24
Purpose.......................................................................................................................... 24
Scope ............................................................................................................................. 24
7.2 IT Service Management Framework .................................................................................. 24
Introduction.................................................................................................................... 24
Purpose.......................................................................................................................... 25
Scope ............................................................................................................................. 25
7.3 Preventive Maintenance Plan ............................................................................................. 25
7.4 Incident and Problem Management ................................................................................... 25
7.5 Patch Management............................................................................................................... 26
7.6 Capacity Planning ................................................................................................................. 26
7.7 Data Center............................................................................................................................ 26
7.8 User Support/Help desk ....................................................................................................... 26
8 Acquisition & Implementation of IT Systems ......................................................27
8.1 Introduction ............................................................................................................................ 27

iii
 Purpose.......................................................................................................................... 27
Scope ............................................................................................................................. 27
8.2 Technology Projects Management Framework................................................................ 28
8.3 System Development and Acquisition Framework .......................................................... 30
8.4 Outsourcing of IT Services .................................................................................................. 31
9 Business Continuity and Disaster Recovery .......................................................32
9.1 Introduction ............................................................................................................................ 32
Purpose.......................................................................................................................... 32
Scope ............................................................................................................................. 32
9.2 Business Continuity and Disaster Recovery Framework ................................................ 32
9.3 Business Continuity Planning Process .............................................................................. 33
9.4 Disaster Recovery................................................................................................................. 33

iv
1 Introduction
Information Technology has become pervasive in current dynamic and often turbulent business
environments. While in the past, business executives could delegate, ignore or avoid IT decisions,
this is now impossible in most in most industries especially in the Banking Sector. This major IT
dependency implies a huge vulnerability that is inherently present in IT environments. System
and Network downtime has become far too costly for the banking sector these days as doing
business globally around the clock has become the standard.

This Enterprise Technology Governance Framework is aimed to enable Bank to keep abreast with
the aggressive and widespread adoption of technology in the Financial Services industry and
consequently strengthen existing regulatory framework for technology risk supervision.

1.1 Purpose
Information Technology has the potential, not only to support existing business strategies but
also to shape new strategies. In this mindset, IT becomes not only a success factor for survival
and prosperity, but also an opportunity to differentiate and to achieve competitive advantage.
In this viewpoint, the IT department moves from a commodity service provider to a strategic
partner.

This Enterprise Technology Governance Framework aims to provide enabling regulatory

environment for managing risks associated with the acquisition, development, deployment and
use of technology and shall serve as the baseline requirement for Bank.

1.2 Scope
Information Technology and its use in business environments has experienced a fundamental
transformation in the past decades. Since the introduction of IT in banking sector, academics and
practitioners conducted research and developed theories and best practices in this emerging
knowledge domain.

This Enterprise Technology Governance Framework is focused on enhancing the proactive and
reactive environments in Bank to various facets and dimensions of technology including IT
Governance, Information Security, Technology Operations, Audit, Business Continuity,
Project/Performance management and other related domains. This Framework is based on State
Bank of Pakistan’s Enterprise Technology Governance and Risk Management Framework,
International Standards and recognized principles of international best practices.

Page 1 of 34
This Enterprise Technology Governance Frame work is categorized into six different domains as
shown below.

IT Governance

Information Security

IT Service Delivery &

Operations Management
Governance Framework
Enterprise Technology

Acquisition & Implementation

of IT Systems

Business Continuity And

Disaster Recovery

IT Audit

Page 2 of 34
2 Enterprise Technology Governance Stakeholders

Stakeholder Responsibility

Set direction for IT, monitor results and insist on corrective

Board and Executive
measures

Defines business requirements for IT and ensures that value is

Business Management
delivered, and risks are managed

IT Management Delivers and improves IT services as required by the business

Risk and IT Security Defines and manages IT risks and security

Measures compliance with policies and focuses on alerts to new

Compliance
risks

Provides independent assurance to demonstrate that IT delivers

IT Audit
what is needed

3 Enterprise Technology Governance and Risk Management Framework

Model
Enterprise Technology Governance is an integral part of Bank’s corporate governance
framework consisting of following frameworks:

Corporate Governance

IT Governance Framework Information/Cyber Security Management

Framework
IT Policy Framework

Business Continuity Planning and Disaster

IT Project Management Framework Recovery Framework

IT Service Management Framework

Software Development and Acquisition

Framework

IT Audit and Compliance

Page 3 of 34
4 Enterprise Technology Governance Policy Framework
Bank’s Enterprise Technology Governance policies will enable the management to
appropriately articulate Bank’s desired behavior, mitigate risk and contribute to achieving the
overall goals of the organization.

This Enterprise Technology Governance policy framework provides a logical structure for
organizing and defining Enterprise Technology Governance policies. It also establishes additional
documentation that supports the policies’ implementation and enforcement.

Enterprise Technology Governance Policy Life Cycle

Plan

Update /
Design
Dispose

Evaluate /
Implement
Monitor

Operate

1. Plan Phase:

This phase establishes the foundation for a policy framework by covering the stakeholders and
goals dimensions defined previously. Usually, organizations already have some policies in place;
therefore, identifying gaps between the governance principles and current, valid policies helps to
redesign and improve the policy framework in use. In this phase, a logical structure of
documentation that will support and clarify policy principles is defined. The optimal amount of
documentation depends on the organization’s culture and management’s style; the objective of
this activity is to improve clarity of policy principles and support their implementation.

2. Design Phase:

There are two activities in this phase:

Page 4 of 34
1. Priorities setup—Identification of concrete policies, using a risk-based approach that addresses
policy principles, setting deadlines and priorities for their review or creation

2. Policy structure definition—Writing a policy is not only a writing activity; it needs adequate
coordination, including:

a) Policy draft—Identify the individuals responsible for researching and writing policies. A
critical success factor is to resolve any potential issue concerning the feasibility for
implementing policy principles.

b) Policy review—Identify the individuals responsible for providing an independent review.

The objective of this activity is to increase the policy credibility and quality.

c) Approval, communication and distribution—Establish the procedure for obtaining final

policy approval from the authorized individuals defined in the stakeholders’ dimension
previously and determine the policy communication and training strategy.

d) Style—Define writing quality standards, including document format, font type, language
style, glossary of terms and document structure. The objective of this activity is to ensure
that policies are written, presented and structured in a way that is clear, concrete,
complete, consistent and easy to follow.

3. Implement Phase:

This activity corresponds to implementation and enforcement policies, defining activities that will
assist the organization in providing a transparent transition from a noncompliant to a compliant
state.

4. Operate Phase:

An effective policy should be part of the organization’s DNA. Building an accountable culture
and using policies in daily operations ensures that the organization’s goals are met. In this phase,
organizations should “walk the talk” of policy principles

5. Evaluate / Monitor Phase:

This phase has the objective to confirm that policy requirements are properly implemented, and
the organization operates effectively. The degree of success of policy principles supporting
business goals is evaluated, and the overall efficiency of the policy framework is communicated
to relevant stakeholders.

Page 5 of 34
6. Update / Dispose Phase:

To keep policies aligned with business direction, policies are reviewed for updating or removal.
This activity has two objectives: to ensure that

organizations have effective policies and to adjust the phases defined previously to maintain or
improve the maturity of the policy framework. Good practice would require policies to be
reviewed on a regular basis, typically every 12 months.

Documentation as part of Enterprise Technology Governance Policy

Enterprise Technology Governance policy and additional documentation to support policy

effectiveness and efficiency shall be documented and approved:

Enterprise Technology Governance Policy: guide, model and frequent decision-making reference
for the Bank's Information Technology Division.

Enterprise Technology Governance Procedures: A written set of steps to execute policies through
specific, prescribed actions; this is the how in relation to a policy. Procedures tend to be more
detailed than policies. They identify the method and state in a series of steps of exactly how to
accomplish an intended task, achieve a desired business or functional outcome, and execute the
policy.

Enterprise Technology Governance Standards: mandatory action, explicit rules, controls or

configuration settings that are designed to support and conform to a policy. A standard should
make a policy more meaningful and effective by including accepted specifications for hardware,
software or behavior. Standards should always point to the policy to which they relate.

Baselines (Platform Specific): platform-specific rule that is accepted across the industry as
providing the most effective approach to a specific implementation.

Page 6 of 34
5 IT Governance
5.1 Introduction
IT governance provides the framework and capacity for making and implementing decisions
required to manage, control and monitor IT within the business

A framework is required that defines these decisions, the involvement by various stakeholders,
and the structures, processes, responsibilities and other mechanisms required to increase
stakeholder value in a number of ways:

alignment Aligned with Business

Business

time
Better Service Quality
Managed IT Risks

IT risks
Service
quality

Stakeholder
time
Value time
Optimized Service
Cost Faster Change
Service

change
Enable
cost

time
time

Purpose
1. IT delivers envisioned benefits against the strategy, costs are optimized, relevant best practices
incorporated and that the value created for the organization by its IT investments is
maximized;

2. The optimal investment is made in IT and critical IT resources are responsibly, effectively and
efficiently managed and used;

3. Compliance requirements are understood, there is an awareness of risk and the organization’s
appetite for it and these residual risks are managed;

4. Performance is optimally tracked and measured and envisioned benefits are realized,
including the implementation of strategic initiatives, resource utilization and the delivery of
IT services;

Page 7 of 34
5. Synergies between IT initiatives are enabled and, where applicable, IT choices are in the best
interest of the organization as a whole vs. those of individual business units;

6. The activities and functions of the IT organization(s) are aligned to, enabling and supporting
the objectives and priorities of the organization;

7. There is a shared understanding, amongst all stakeholders, of how IT can add value to the
organization.

Scope
Technology Governance is an integral part of Bank’s corporate governance framework
consisting of the leadership and organizational structures to ensure the alignment of IT strategy
with business strategy, optimization of resources, value delivery and performance measurement
to achieve business objectives and effective technology risk management.

The IT Governance aims at fully aligning technology and business strategies with each other so
that technology risks are identified and controlled as part of the enterprise risk management
process. Different areas covered by the IT Governance are described below.

IT Governance

Technology Roles and Organizational Policies,

Governance Responsibilities Structure Standards and
Framework Procedures
Board of Board IT
Directors Committee Management
IT Strategy Information
IT Steering System
Senior
Management Committee
Capacity
Digital Strategy IT Management Building and
Structure Training

Page 8 of 34
5.2 IT Governance Processes
These are processes whereby IT is managed on a daily basis. These processes should be designed
in such a way as to include IT governance activities that would assist them in operating as
designed.

S. No. Process Name Process Description

The process whereby requirements for the governance of

enterprise IT are analyzed and articulated to ensure effective
IT Governance
1. enabling structures, processes and practices, with clarity of
Management
responsibilities and authority to achieve the Bank's mission, goals
and objectives.

The process whereby the IT Strategy is developed to provide a

IT Strategy holistic view of the current business and IT environment, the future
2.
Management direction, and the initiatives required to migrate to the desired
future environment.

IT The structures whereby IT reports into / takes direction from the

3. Organization business as well as the organizational structures, roles and
Management responsibilities within IT Division

IT Policies and The development and implementation of policies and standards

4. Standards for the organization that allow for the standardization and
Management managed development of the IT function.

The various management structures responsible for deploying the

Management
5. strategy and management of IT – most of these should have
Committees
participation by representatives of the business.

5.3 IT Strategy
Developing an IT Strategy involves a fairly structured, sequential process that produces a long-
term view of the bank’s technology requirements together with a plan for meeting these needs.
The IT strategy aligns with the mission of Bank’s goals and mission but is also pliable enough to
accommodate new business priorities and technologies that the potential for driving business

Page 9 of 34
growth. It is very important for the Bank’s IT team to know its priorities and identify the
opportunities that the bank should invest in.

Objectives of IT Strategy
The objective of IT strategy is to cover the overall design and plan of the operational framework
of the Information Technology Department. The IT strategy should identify and overcome the
organizational/cultural/environmental constraints and enablers to achieve the strategic IT
objectives. For a detailed IT strategy please refer to _______

Scope of IT Strategy
The IT strategy shall include vision and mission, stakeholders, business, workflow and processes,
data processing, system access, adoption of best-in-class information security systems, practices
and the availability of IT resources. The bank should also ensure that a proper strategic review
process is in place to ensure that the IT Strategy remains relevant with the organizational strategies
and direction to achieve business objectives. A graphical representation of the scope of IT strategy
can be viewed on the next page.

Page 10 of 34
 IT Strategy

Vision and Mission Workflow and Information

processes Security Systems
Stake Holders
Data Processing Practices
Availability of IT
Resources System Access Business

Strategic Review Process

5.4 IT Strategic Management Framework

Stage 1:
Understanding
Business Direction

Stage 2: Identifying
Stage 5: Developing
Refined Business
IT Strategic Plans
Requirements

Stage 3: Identifying
Stage 4: Designing IT
and Selecting IT
Scenarios
Alternatives

Understand the Business Direction:

During this stage of the developing IT strategy plan, IT management must work to understand
Bank’s business strategy and strategic objectives. The objective of this step is to gain an
understanding of the Bank's business objectives and the respective business requirements for IT.

Identify Refined Business Requirements:

The objective of this stage is to agree on those business requirements for IT that are strategic to
successfully meet the Bank’s business objectives. This can be the pre-requisite for the development
of IT alternatives that would help enable the IT to successfully meet these business requirements.

Page 11 of 34
Identify and Select IT Alternatives:

This stage represents the first systematic approach to both aligning the IT strategy with the
business strategy and to begin the selection and design of the IT strategy.

Design IT Strategic Scenario:

The objective of this stage is to perform a consolidation of the IT alternatives selected in the
previous stage into an IT strategic scenario.

Develop IT Strategic Plan:

Based on the IT strategic scenario and its models for the future conceptual IT architecture, delivery
and governance components of the IT, a high level strategic plan is developed.

5.5 Roles and Responsibilities

The Board of directors sets the tone and direction for Bank’s use of technology. They review
and improve an IT governance framework to ensure that bank’s IT supports and enables the
achievement of corporate strategies and objectives. The Board of Directors review and approve
the IT and Digital Strategy in line with the business strategy of the bank and monitor & update
the same on regular basis keeping in view the potential opportunities and threats. The senior
management helps the Board of Directors in reviewing the IT and Digital strategy and implements
the strategies that are approved by the board. They also monitor the implementation of the
technology governance program and assess its effectiveness on business line and processes. Please
refer to ____________ for detailed roles and responsibilities of Board of Directors and Senior
Management.

5.6 Organizational Structure

Management Committees
A board IT committee has a minimum of three (03) directors as its members, one of whom is an
independent director also having IT expertise and certification. This Board IT committee is
responsible for advising and reporting to the board on the status of technology activities in Bank.

The IT Steering Committee assists the senior management in the implementation of approved IT
and Digital Strategies.

The enterprise-wide IT organizational structure commensurate with the size, scale, business
objectives and nature of business activities carried out by Bank. The CISO is responsible for

Page 12 of 34
management and mitigation of Information/Cyber security risks across the enterprise and devising
strategies to monitor and address current and emerging risks. The CISO is independent of
Technology function to avoid any conflict of interest. Please refer to ______ for detailed roles
and responsibilities of Board IT Committee, IT Steering Committee and CISO.

5.7 Management Information System (MIS)

An MIS is implemented to oversee the implementation of IT strategy and business Plan, exception
from board-approved IT policies and progress on major IT projects. This MIS also monitors the
implementation of IT Governance and Risk management framework. Banks retains appropriate
documented information as evidence of the monitoring and measurement results. Please refer to
______ for detailed format and content of the Management Information System.

5.8 Capacity Building/Training

Capacity Building is fundamentally about improving effectiveness at the Bank. Our training programs
focuses on furthering the IT’s ability to do new things and improve what they currently do. Our capacity
building involves training, mentoring and financial and/or other resource support to individuals and
organizations from external/internal sources. Bank encourages and where appropriate, facilitates its
staff to acquire relevant professional qualifications. Please refer to _____ for detailed policies and
procedures for Capacity Building/Training.

Page 13 of 34
6 Information Security
6.1 Introduction
Information Security has become a critical business function and an essential component of
governance and management affecting all aspects of the Business environment. Date held on IT
systems is valuable and critical to the business of the Bank. The Bank relies on IT to store and
process information, so it is essential to maintain Information security.

Purpose
Effective information security controls are necessary to ensure the confidentiality, integrity,
availability, durability and quality of technology resources and associated information/date.
These assets must be adequately protected from unauthorized access, deliberate misuse or
fraudulent modification, insertion, deletion, substitution, suppression or disclosure.

Confidentiality: Data is only accessed by those with the right to view data.

Integrity: Data can be relied upon to be accurate and processed correctly.

Availability: Data can be accessed when needed.

Quality: Data is fit enough to serve its purpose in a given context.

Durability: Data does not suffer degradation, bit rot or any other form of corruption.

Scope:
bank has established an Information Security Program to manage the risks identified through its
assessment, commensurate with the sensitivity of the information and the complexity of its
information security risk profile. The Scope of Information Security within Bank is shown below.

Page 14 of 34
 Information Security
Information/Cyber Information Security
Security Controls
Security Security Risk Requirements and
Implementations
Management Management Testing
Framework

Identification and Risk Identification Asset Classification

Risk Monitoring and
Prioritization of Control
Reporting
Information System
Assets Risk Assessment Physical and
Environmental
Protection Threat Intelligence
Cyber Security
Risk Treatment Security and Industry
Action Plan
Administration and Collaboration
Monitoring
Authentication and
Access Control
Incident Reporting
Network Security

Encryption

IS Strategy
System Security

Remote Access

Page 15 of 34
6.2 Information/Cyber Security Management Framework
Introduction
In an environment of global connection and cyber terrorism, the protection of information assets
is vital for Bank. The Information/Cyber Security Management Framework is a system of
interrelated elements that act in collaboration with one another to protect the confidentiality,
integrity, availability, durability and quality of the technology resources and all the associated
data.

Purpose
The purpose of information Security Management Frame work is to:

1. Provide an assurance that its direction and intent are reflected in the security posture of Bank
by a structured approach to implementing Information Security Program.

2. Demonstrate management’s commitment to Information/Cyber Security.

3. Enable bank to meet its business objectives by implementing business systems with due
consideration of Information/Cyber Security related risks to Bank, its business and trading
partners, service providers, customers and all other stake holders.

Scope
The Scope of Information/Cyber security Framework extends to all information assets under
control of Bank with key focus information in electronic form, supporting systems, network and
other communication mechanisms. The scope extends to Risk Management, Implementation of
Security Controls, Penetration Testing and Inventorying of Information Assets.

Asset
Inventorying
Risk
Risk Monitoring
Management
and Reporting
Process

Threat Information/ Security

intelligence and Cyber
Controls
Industry Security
Implementation
Collaboration Framework

Security
Cyber Security
requirement
Action Plan
and testing
Incident
Reporting

Page 16 of 34
 Framework Core
Information/Cyber Security Framework provides a set of activities to achieve specific information
and cyber security outcomes, and references examples of guidance to achieve those outcomes. It
presents key Information/Cyber security outcomes identified by the industry as helpful in
managing the information/Cyber Security risk.

Sub-
Categories Sub-
categories
Informative categories
References

Categories
Informative
References

Protect Detect

Categories
Categories

Functions
Respond
Sub-
Recover
categories Sub-
categories

Identify
Informative
References Informative
References

Categories Sub- Informative

categories References

Page 17 of 34
Functions: organize basic Information/Cyber security activities at their highest level. These
Functions are Identify, Protect, Detect, Respond, and Recover. They aid Bank in expressing its
management of Information/Cyber Security Risk by organizing information, enabling risk
management decisions, addressing threats and improving by learning from previous activities.
The Functions also align with existing methodologies for Incident Management and help show
the impact of investments in Information/Cyber Security.

Categories: are the subdivisions of a Function into groups of information/cyber security outcomes
closely tied to programmatic needs and particular activities. Its examples include Asset
Management, Access Control etc.

Subcategories: further divide a category into specific outcomes of technical and/or management
activities. They provide a set of results that, while not exhaustive, help support achievement of
the outcomes in each category. Its examples include External Information Systems are catalogued,
Data-at-rest is protected, etc.

Informative References: are specific sections of Enterprise Technology Governance guidelines and
best practices as mentioned in the Enterprise Technology Governance Framework. The
Informative Reference is illustrative and not exhaustive.

The five Framework Core Functions are defined below.

Identify: Develop the organizational understanding to manage Information/Cyber Security risk
to systems, assets, data, and capabilities.

The activities in the Identify Function are foundational for effective use of the Framework.
Understanding the business context, the resources that support critical functions, and the related
Information/Cyber security risks enables Bank to focus and prioritize its efforts, consistent with
its risk management strategy and business needs. Examples of outcome Categories within this
Function include: Asset Management; Business Environment; Governance; Risk Assessment; and
Risk Management Strategy.
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical
infrastructure services.
The Protect Function supports the ability to limit or contain the impact of a potential
Information/Cyber security event. Examples of outcome Categories within this Function include:
Access Control; Awareness and Training; Data Security; Information Protection Processes and
Procedures; Maintenance; and Protective Technology.

Page 18 of 34
Detect: Develop and implement the appropriate activities to identify the occurrence of an
Information/Cyber security event.

The Detect Function enables timely discovery of Information/Cyber security events. Examples of
outcome Categories within this Function include: Anomalies and Events; Security Continuous
Monitoring; and Detection Processes.

Respond: Develop and implement the appropriate activities to take action regarding a detected
cybersecurity event.

The Respond Function supports the ability to contain the impact of a potential cybersecurity
event. Examples of outcome Categories within this Function include: Response Planning;
Communications; Analysis; Mitigation; and Improvements.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and
to restore any capabilities or services that were impaired due to a cybersecurity event.

The Recover Function supports timely recovery to normal operations to reduce the impact from
a cybersecurity event. Examples of outcome Categories within this Function include: Recovery
Planning; Improvements; and Communications.
Please Refer to ________ for a detailed Information/Cyber Security Framework

6.3 Identification and Prioritization of Information System Assets

Introduction
Classifying the information assets is an important element of Information Security. Like any other
corporate asset, Bank’s Information assets have financial value. That value of the asset increases
in direct relationship to the number of people who are able to make use of the information.

Purpose and Scope:

Bank has an Information System Asset protection policy to protect critical information system
assets from unauthorized access, misuse or fraudulent modification, insertion, deletion,
substitution, suppression or disclosure.

The scope of this policy includes identification of criticality of Information System Assets so that
appropriate plans can be developed to protect them. An Asset disposal procedure has also been
established so that the information Assets are not misused after being disposed of.

Please refer to ______ for further details.

Page 19 of 34
6.4 Information Security Risk Management
Introduction
Information Security Risk Management is the process of managing risks associated with the use
of Information Technology. It involves identifying, assessing and treating risks to the
confidentiality, integrity, availability, durability and quality of bank’s assets.

Purpose
The objective of the Information Security Risk Management is to treat risks in accordance with
Bank’s overall risk tolerance. Bank doesn’t expect to eliminate all risks, as it would be next to
impossible. On the contrary, Bank seek to identify and achieve an acceptable level for itself.

Scope
The Scope of Information Security Risk Management process includes Risk Identification, Risk
Assessment and Risk Treatment. For further details please refer to ______

Information Security Risk Management

Risk Risk Risk

Identification Assessment Treatment

6.5 Security Controls Implementation

Introduction
Security Controls are selected and applied based on the Risk Assessment of the Information
System. This Risk Assessment process identifies system threats and vulnerabilities.

Purpose
Security Controls are technical or administrative safeguards or counter measures to avoid
counteract or minimize loss or unavailability due to threats acting on their matching vulnerability,
i.e. Security Risk. These controls are put in place for mitigating risk and to reduce probability of
loss.

Page 20 of 34
 Scope:

Asset
Classification
and Control
Physical and
Encryption Environmental
Protection

Security Security
Administration
Remote Access Controls and
Implementation Monitoring

Authentication
Network
and Access
Security
Control

System Security

Asset Control and Classification: Bank has inventoried all of the information assets along with
the asset owners. This help to ensure confidentiality, integrity and protection of these assets.
Please refer to _______ for Information Classification, Information Protection and Information
Disposal Procedures.

Physical and Environmental Protection: Bank has developed Physical and Environmental
Security Procedure to protect IT facilities and equipment from damage or unauthorized access.
The data center and network equipment room is housed in a secure area. For further details of
the procedure, please refer to ______

Security Administration and Monitoring: Bank has put in place a security administration function
and set formal procedures for administering the allocation of access rights to system resources
and application systems monitoring the use of system resources to detect any unusual or
unauthorized activities. For further details, please refer to _____

Authentication and Access Control: bank has an effective process to manage user authentication
and access control. For this purpose, appropriate user authentication mechanism commensurate
with the classification of information to be accessed has neem selected. For further details, please
refer to ______

Page 21 of 34
System Security: Technical controls have been put in place at bank to have different sets of
access privileges for different groups of users. It also includes approved software list, Secure
Configuration of Hardware, Software and Firmware, Configuration Management and reporting
and monitoring of System Logs. For further details please refer to _____

Network Security: Bank has implemented appropriate controls in accordance with the
complexity of its network. The security policy violations and atypical activities on the network
are also monitored. For further details, please refer to ____

Remote Access: Bank has established control procedures covering approval process on user
requests, authentication controls for remote access to networks, host data and/or systems and
protection of equipment and devices. The logs for all remote communications are maintained,
monitored and reviewed. For further information, please refer to ____

Encryption: bank has a well-defined encryption policy and procedure for database level, storage
level and network level encryptions. For further details, please refer to ____

6.6 Cyber Security Action Plan

Introduction
Cyber Security comprises technologies, processes and controls that are designed to protect
systems, networks and data from cyber-attacks. Effective cyber security action plan reduces the
risk of cyber-attacks and protects Bank from the unauthorized exploitation of systems, networks
and technologies.

Purpose
Cyber-attacks can disrupt and cause considerable financial and reputational damage to Bank.
The Cyber Security Action Plan will anticipate, withstand, detect and respond to cyber-attacks.
Appropriate controls have been implemented to prevent the occurrence of any cyber security
related incident.

Scope
The Board and Senior Management set the security agenda and drive the cyber security action
plan implementation from top-down. Cyber Security awareness programs are conducted for user
awareness. Written procedures are developed to for vendor access to sensitive data and
information. Multi-Layer security models have been put in place for firewalls and User
Authentications where the security events are logged and monitored. For further details, please
refer to _________

Page 22 of 34
6.7 Incident Reporting
Bank has established Incident management and reporting procedure where MIS on incidents,
logs breaches etc. are regularly reviewed by the Senior Management and Significant incidents are
submitted to the IT Steering Committee for review. For further details, please refer to _____

6.8 Security Requirements and Testing

Bank has developed a comprehensive testing program to validate the effectiveness of its
information security environment on regular basis. The results of these testing are used by Bank
to support the improvement in its information/cyber security. These testing policies include
Vulnerability Assessment, Scenario-Based Testing, Penetrations Tests and Quality Assurance. For
further details, please refer to ____

6.9 Risk Monitoring and Reporting

Bank conducts the monitoring and reporting of risks by prioritizing and closely monitoring high
risk activities with regular reporting on the actions that have been taken to mitigate them. Security
Information and Event Management System (SIEM) collects and aggregates log data generated
throughout the organization’s technology infrastructure, from host systems and applications to
network and security devices. For further details, please refer to ____

6.10 Threat Intelligence and Industry Collaboration

Bank has established a Threat Intelligence and Industry Collaboration procedure where it
gathers and interprets information about relevant cyber threats arising out from the participants,
services and utility providers and other Banks. This cyber threat intelligence is shared with
relevant staff with responsibility for mitigation of cyber risks at the strategic, tactical and
operational level. For further details, please refer to _______

Page 23 of 34
7 IT Service Delivery and Operations Management
7.1 Introduction
Service delivery and operations management encompasses a set of capabilities for ensuring that
Bank’s infrastructure and applications are optimized and always available for the business. It
enables the infrastructure, application and processes to be managed in a highly automated and
service centric manner.

Purpose
Service Delivery and Operations management at Bank connects IT Activities to the business needs,
rather than just focusing on internal IT processes. It manages business services, rather then just
underlying applications and infrastructure components. Many operations have significant risk factors
that are addressed through this management system.

Scope

IT Services Delivery and Operations Management

IT Service Management Framework User Support/Help Desk

Preventive Maintenance Plan

Incident and Problem Management

Patch Management

Capacity Planning

Data Center

7.2 IT Service Management Framework

Introduction
IT Service management describes a strategic approach for designing, delivering, managing and
improving the way Information Technology is used within Bank. It refers to all these activities,
policies and processes that the bank use for deploying, managing and improving IT Delivery.
Bank has used Enterprise Technology Governance and Risk Management frame work along with

Page 24 of 34
the international best practices to provide a disciplined approach to IT Service Management
Framework.

Purpose
The purpose of implementing a robust IT Service Management Framework at Bank is for
managing and supporting IT Systems. It ensures that right processes, people and technology are
in place so that Bank can meet its business goals.

Scope

Preventive
Maintanance
Plan

Incident and
Data Centers Problem
Management
IT Service
Management
Framework

Capacity Patch
Management Management

For further details, please refer to _____

7.3 Preventive Maintenance Plan

A preventive maintenance plan helps in smooth and efficient functioning of IT operations,
prolong the life of equipment and reduce the overall maintenance cost. The preventive
maintenance plan at bank includes the goals set to achieve by using this system. The IT assets
are inventoried with full details along with their classifications and priority. The plan also focuses
on training of the personnel involved in the process of Preventive Maintenance Planning. For
further details, please refer to ____

7.4 Incident and Problem Management

At Bank, the purpose of Incident management is to restore the service as quickly as possible to
meet the Service Level Agreements. The process is primarily aimed at the user level. On the other

Page 25 of 34
hand, problem management deals with solving the underlying cause of one or more incidents in
order to have effective incident management. For detailed process and Service Level Agreement,
please refer to _______

7.5 Patch Management

At Bank, patch management is a practice designed to proactively prevent the exploitation of
vulnerabilities on IT devices. Bank has established a procedure to test patches in a segregated
environment and install them when appropriate. This process includes identification,
categorization, prioritization of security patches and the testing processes. For further details,
please refer to ______

7.6 Capacity Planning

bank has established capacity planning and capacity planning process to address the internal
factors (growth, mergers, acquisitions, new product lines and the implementation of new
technologies) and external factors (shift in customer preferences, competitor capability and
regulatory and market requirements). This capacity planning includes monitoring of technology
as well as human resources and it is closely integrated with the budgeting and strategic planning
processes. For detailed information, please refer to ___

7.7 Data Center

bank has established procedures for building and maintaining data center structures and
operations with reference to international standards and industry best practices. For detailed
information, please refer to ____

7.8 User Support/Help desk

bank has created a users’ help desk to ensure that they perform their job functions in an efficient
and effective manner. For further details please refer to ____

Page 26 of 34
8 Acquisition & Implementation of IT Systems
8.1 Introduction
The acquisition, development, implementation and maintenance of new or revised application
systems makes significant demands upon the financial, human and IT resources of Bank. It is
essential for efficiency reasons and to ensure the quality of the system implementation that system
development process are managed in accordance with Enterprise Technology Governance and
Risk Management Framework and best practices.

Purpose
The critical role of technology in Bank requires the use of appropriate development, acquisition
and maintenance standards. Development and acquisition refers to Bank’s ability to identify,
acquire, install and maintain appropriate Information Technology Systems and the purchase and
the purchase or acquisition of hardware, software or any services from third parties.

Scope

Acquisition and Implementation of IT Systems

System Development and Cloud

Acquisition Framework Computing

System System Due

Development Migration Diligence of
Technology the Cloud Outsourcing
Projects Service
System System of IT
Management Provider
Documentation Acquisition Services
Framework (CSP)

Change System
Permissible
Management Testing
Cloud
Computing
Post-Implementation Review Arrangements

Page 27 of 34
8.2 Technology Projects Management Framework
IT Project Management is the management of people, processes and technology to meet project
requirements. Project Management entails the management of all activities within the project
lifecycle. IT Project Management can be split into distinct phases as illustrated below:

Phase 1: Initiation

The objective of the Initiation Phase is to ensure users’, various internal and external stakeholders
and the project team has the same understanding of and expectations for the project. In this
phase of the project, stakeholder(s) develop a business case and defines high level scope which is
approved by the approving authority. If project is approved, project charter document is
prepared.

Page 28 of 34
Phase 2: Planning

The objective of the Planning Phase is to determine in detail how the project will be executed;
what needs to be done, when and by whom. These formally documented plans become the
basis for understanding the project work steps and for monitoring and communicating the status
of the project. The Planning Phase concludes with stakeholders formally accepting the project
plan.

Phase 3: Execute and Control

The objective of the Execute and Control phase is to manage the daily activities of the project.
Executing and Controlling consists of both iterative processes that occur periodically (e.g.
monthly status reporting) and continuous processes that require continuous management. The
phase begins with a Project Kick-off Meeting and concludes when the completion criteria are
met.

During this phase, plans developed in phases 1 and 2 are implemented and used to effectively
manage the day-to-day activities of the project.

Phase 4: Execute and Control

The objective of the Closing phase is to finalize the project deliverables and to disband, the
project organization and environment in an organized manner after the project’s objectives have
been achieved and all detailed work plan tasks are completed.

For Further details, please refer to _____

Page 29 of 34
8.3 System Development and Acquisition Framework
System Development and Acquisition Framework deals with design, development, acquisition
and integration of business solutions including applications, databases, networks, hardware and
other components in order to meet business requirements.

This framework ensures that information technology, business goals and strategy are aligned with
each other. A Software Development and Acquisition project shall typically include the
acquisition or development of new software / hardware or support and maintenance of
software/hardware. The scope of System Development and Acquisition Framework of the Bank
is illustrated below:

System
Development

Post
System
Implementation
Acquisition
Review

System
Development
and
Acquisition
Change Framework System Testing
Management

System Sysem
Documentation Migration

System Development: The software development for Bank is done in house as well as through
outsourcing. For this purpose, project management standards are in place to address issues such
as need assessment, risk management, project approvals etc. Moreover, system control standards
including application’s functional, security and automated control features are also in place.
Quality assurance and Security and Vulnerability assessment of software module is also
conducted. For further details, please refer to ____

System Acquisition: For major IT Acquisitions, Bank has developed a technology procurement
policy that encompasses formulation of RFP, Roles and Responsibilities of Stake Holders and the

Page 30 of 34
approval matrix of the RFP. This policy includes types of technology assets for both hardware
and software. For further details, please refer to ____

System Testing: System Testing Policy at Bank ensures that only properly tested and approved
systems are promoted to the production environment. User Acceptance Testing (UAT) is carried
out in a segregated environment to ensure that neither the production data is used nor the
production environment is affected. For further details, please refer to ____

System Migration: Bank has established a secured library for the programs that are pending
migration. These are only accessible to the personnel who have performed the migration process.
Version controls have been implemented to make sure that only authorized programs are
migrated on the production environment. For further details, please refer to ____

System Documentation: Bank has formulated procedures on system developments and all
related documentation including development, testing, trainings, production, operational
administration and user manuals. The other types of documents related to project phase like
project requests, feasibility studies, project plans and testing plans are also maintained. For further
details, please refer to ____

Change Management: Bank has established a change management process to ensure that
changes to production systems are approved, implemented and reviewed in a controlled manner.
This change management process applies to the changes pertaining to system and security
configurations, patches for hardware devices and software updates. For further details, please
refer to ____

Post-Implementation Review: Bank conducts a post implementation review at the end of a

project to validate the applications’ operational performance. The relative success of the project
is based on this review. For further details, please refer to ____

8.4 Outsourcing of IT Services

Bank (shall outsource according to their own policy) has devised a policy for the outsourcing
of IT services which includes the Cloud Computing Policy. It involves policy for the due diligence
of the cloud service provider as well as the Permissible cloud computing arrangements. For further
details, please refer to ____

Page 31 of 34
9 Business Continuity and Disaster Recovery
9.1 Introduction
Business continuity and disaster recovery are closely related practices that describes Bank’s
preparation for unforeseen risks to continued operations. The bank could face the suspension of
critical operations due to natural disasters, terrorist attacks, environmental incidents, computer
problems, and other causes. Business Continuity is more proactive whereas Disaster recovery is
reactive.

Purpose
Business Continuity and Disaster recovery plans are needed to secure business continuity by
formulating action plans in advance to ensure quick recovery.

Scope

Business Continuity and Disaster Recovery

Business Continuity and Business Continuity Disaster Recovery

Disaster Recovery Planning Process
Framework.
Business Impact Analysis Disaster Recovery Plan

Risk Assessment Disaster Recovery Testing

Risk Management

Risk Monitoring and Testing

9.2 Business Continuity and Disaster Recovery Framework

Bank has developed a comprehensive Business Continuity Plan to achieve minimal financial
losses, serve customers with minimal disruptions in services and mitigate the negative effect of
disruptions on business operations. According to the Business Continuity Plan, Bank has
developed redundancies to reduce single point of failures that can bring down the whole
network. Moreover, Bank Maintains standby hardware, software and network components
that are necessary for a swift recovery. For further details, please refer to ______

Page 32 of 34
9.3 Business Continuity Planning Process
Critical services or products are those that must be delivered to ensure survival, avoid causing
injury, and meet legal or other obligations of bank. Business Continuity planning process is a
proactive planning process that ensures that critical services and/or products re delivered during
a disruption. This planning process includes Business Impact Analysis, Risk Assessment, Risk
Management and Risk Monitoring & Testing.

Business Impact Analysis: Bank has assessed and prioritized all business functions and processes
including their interdependencies, as part of work flow analysis. The Bank has identified potential
impact of business interruptions resulting from uncontrolled, non -specific events on the banks
business functions and processes. For further details, please refer to ______

Risk Assessment: Bank has evaluated the BIA assumptions using various threat scenarios. These
threats are analyzed based upon the impact to the bank, its customers and stake holders. For
further details, please refer to ______

Risk Management: The Business Continuity plan of Bank is based in a comprehensive BIA and
risk assessment exercise, that is reviewed and approved by the board annually. It is documented
in a written program and disseminated across the bank. For further details, please refer to ______

Risk Monitoring and Testing: Risk monitoring and testing is incorporated in the Business
Continuity Plan of Bank. This ensures that the bank’s Business Continuity Plan remains viable
through the incorporation of the Business Impact Analysis and Risk Assessment into the Testing
program. For further details, please refer to ______

9.4 Disaster Recovery

Disaster recovery is the are of security planning that aims to protect Bank from the effects of
significant negative events. It allows the bank to quickly resume business-critical functions
following a disaster. Bank has achieved high system availability for critical systems which is
associated with maintaining adequate capacity, reliable performance, fast response time,
scalability and swift recovery capability.

Disaster Recovery Plan: The Disaster Recovery Plan of Bank addresses various types of
contingency scenarios which may be caused by system faults, hardware malfunction, operating
errors or security incidents and total incapacitation of the primary data center. For further details,
please refer to ______

Page 33 of 34
Disaster Recovery testing: Regular DR drills are conducted at Bank, the results of which are
shared with the senior management. The DRP is tested and validated annually which covers
various scenarios in disaster recovery including complete shutdown/complete switchover of
primary site as well as component level failure of individual systems or a cluster. For further
details, please refer to ______

Page 34 of 34