
Cyber Security Policy


02 AUG 2018

Confidential

Cyber Security Policy & Standards


Version 1.0

Information Technology Department


Madhyanchal Gramin Bank

Head Office, Sagar


Confidential Document
Cyber Security Policy & Standards v1.0 - Glossary

Glossary
Abbreviation Full Form
ASLC Application Security Life Cycle
BCP Business Continuity Planning
CCMP Cyber Crisis Management Plan
CERT In Computer Emergency Response Team - India
CERT SBI Computer Emergency Response Team - State Bank of India
CISO Chief Information Security Officer
C-SOC Cyber - Security Operations Centre
D-Dos Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DR Disaster Recovery
HRMS Human Resource Management System
HTTPS Hyper Text Transfer Protocol Secure
IDRBT Institute for Development and Research in Banking Technology
IDS Intrusion Detection System
INR Indian Rupees
IPS Intrusion Prevention System
ISC Information Security Committee
ISD Information Security Department
LAN Local Area Network
LHO Local Head Office
MDM Mobile Device Management
NCIIPC National Critical Information Infrastructure Protection Centre
NIC Network Interface Card
OEM Original Equipment Manufacturer
RBI Reserve Bank of India
RMD Risk Management Department
SIEM Security Incident and Event Management
SMS Short Message Service
SOC Security Operations Centre
SOP Standard Operating Procedure
TCP Transmission Control Protocol
UDP User Datagram Protocol
VPN Virtual Private Network

Table of Contents

Chapter A: Introduction
1. Types of Threats and Attacks
2. Cyber Attack Lifecycle - Illustrative
Chapter B: Cyber Security Governance
1. Management Strategy
2. Cyber Security Awareness
3. Roles and Responsibilities
4. Cyber Attack Prevention Strategies & Plans
5. Risks
Chapter C: Policy Categories
1. Inventory Management of Business IT Assets
2. Preventing execution of unauthorized software
3. Environmental Controls
4. Network Management and Security
5. Secure Configuration
6. Application Security Life Cycle (ASLC)
7. Patch / Vulnerability & Change Management
8. User Access Control/Management
9. Authentication Framework for Customers
10. Secure mail and messaging systems
11. Vendor Risk Management
12. Removable Media
13. Advanced Real-time Threat Defense and Management
14. Anti-Phishing
15. Data Leak Prevention Strategy
16. Maintenance, Monitoring, and Analysis of Audit Logs
17. Audit Log Settings
18. Vulnerability assessment, Penetration Testing and Red Team Exercises
19. Incident Response & Management
20. Risk based transaction monitoring
21. Metrics
22. Forensics
23. User / Employee / Management Awareness
24. Customer Education and Awareness
Annexure
Annexure 1: Types of Threats
Annexure 2: Cyber Attack Lifecycle - Illustrative
Annexure 3: Solutions

Chapter A: Introduction
This document shall be read along with the Bank’s Information Security Policy &
Standards.

A. Document Distribution
This document is owned by the Bank’s General Manager & Group Chief
Information Security Officer (GM & Group CISO). He is responsible for
maintaining versions, ensuring dissemination and issuing certifications
whenever required.

B. Primary recipients
All employees of the Bank.

C. Document Confidentiality
This document is confidential and hence would be made available through the Bank’s
Intranet Portals or similar channels, after authentication.

D. Authority
The policy document is issued under the authority of Board of Directors.

E. Management of Cyber Security Policy & Standards

The Information Security Committee of sponsor Bank (renamed
w.e.f. 22.01.2018 as Information Security & IT Risk Committee - IS&ITRC)
shall issue, review and approve the sponsor Bank Cyber Security Policy and
Standards for final approval by Board of Directors / Central Board of Directors.
Approved Cyber Security Policy & Standards and related activities in the
sponsor Bank are applicable in MGB. The cyber security policy of sponsor Bank
shall be reviewed and approved by the Board. Changes within the Annexure of the
policy shall also be applicable in MGB.

F. Objective of Cyber Security Policy


The objective of the Cyber Security (CS) Policy is to set the guiding principles
for establishing cyber security of the implemented IT infrastructure and timely
response to potential Cyber-attacks/threats.
These policies and standards represent the minimum requirements for Cyber
Security that all Businesses within the Madhyanchal Gramin Bank (MGB) should
follow as per regulatory requirements laid down by Reserve Bank of India. The
policies define the baseline security that is appropriate for securing the IT
infrastructure, underlying applications, processes, employee and customer
data/information of Madhyanchal Gramin Bank in line with industry good
practices and adhering to guidelines laid down by Reserve Bank of India (RBI)
on Cyber security.

G. Cyber Security Policy Statement

Cyber security policy is a set of directives, procedures, guidelines designed to
maintain cyber security and manage cyber risks proactively. The cyber security
policy of MGB will enable MGB to identify, detect, respond and recover from
cyber-attacks in a timely manner such that attacks do not impact the
confidentiality, integrity and availability of data at MGB.

This cyber security policy is in line with the leading cyber security standards,
guidelines and RBI’s mandate on cyber security framework.

H. Policy Standards
Standards are detailed requirements that need to be met for complying with the
Information Security policies. Separate set of standards have been developed
for each policy statement. Standards include measures that need to be taken
for mitigating all risks associated with the respective domain covered by the
policy statements.

I. Procedures and Guidelines


A separate document for “Procedures and Guidelines” is created. It documents
the detailed guidelines of how to implement the policies and standards.
The key objectives of developing Procedures and Guidelines are:
1. To ensure that Cyber Security Policy and Standards are interpreted correctly
and uniformly across the Bank.
2. To provide guidelines for implementation of the policy & standards.
3. To create awareness about policy & standards and assist in their compliance.

J. Scope
These policies and standards are applicable to all locations of the Bank within
India including all assets hosted by or on behalf of the Bank, all business
processes and operations, all employees and suppliers of the Bank.
For other offices linked with Bank also this policy and standards shall be the
baseline.

K. Compliance
Bank expects all employees and authorized external personnel including
suppliers to comply with these policies and standards. Failure by any
employees of the Bank to conform to applicable policies and standards may
result in disciplinary action. Supplier users shall be dealt with according to the
contracted covenant.

L. Policy Exception


Exceptions or deviations from the policy and standards will be processed as
follows:

Approving Authority:
The approving authority for any exceptions from this policy & standards is
Chairman of the Bank.

Exception Criteria:
The following criteria will be used -
a) Existence of a genuine need for exception.
b) Adequacy of compensating controls.

Work flow:
CM (IT-Risk Management) will assess and submit all requests with his
recommendations to Chairman through GM Admin.

Registration & Tracking:


All such requests will be registered, tracked and submitted for subsequent
review to GM Admin by CM (IT-Risk Management).

Duration, Expiry & Review:


All Exceptions or Deviations, when approved, should be for a minimum period
and the period should not exceed ONE YEAR in any case in one instance. Any
extension requests should be reviewed and assessed again before expiry of
the approved period as per the same workflow & criteria mentioned above.

M. Implementation of Policy
The Board of Directors at MGB has overall responsibility for the effective
operation of this policy but has delegated day-to-day responsibility for
overseeing its implementation to Information Security Department (ISD) at
MGB. All employees have a specific responsibility to operate within the
boundaries of this policy, take effective steps so that all employees understand
the standards of behavior expected of them and to take action when behavior
falls below its requirements. Employees will be given training in order that they
may do so.

The effectiveness of the implementation shall be subjected to periodic audit by
internal and external auditors. The audit plan for the same shall be drawn
periodically in consultation with Audit department of the Bank and shall be
approved by GM Admin.

N. Definitions
1. Introduction to Cyber Security

Due to the extensive usage of internet, digitization and virtualization, there is an
increasing risk and threat encountered by the people, processes and technologies
within an organization. Cyber Security is the body of technologies, processes and
practices designed to protect networks, computers, applications and data from
compromise (i.e., loss of confidentiality, integrity or availability), typically via the
internet or other forms of connectivity. It also helps support the resiliency of the
system to recover from a cyber-attack.

2. Cyber risks

Cyber risks represent the possibility that technologies, processes and practices at
MGB can be circumvented, allowing unauthorized users to (including but not limited
to):
• Modify and/or delete key applications and information, which will affect the
accuracy or integrity of processing
• Access or extract protected or sensitive information (e.g., IP, proprietary
information, credit card information, PII)
• Disrupt computer-controlled operations or access to online systems

3. Cyber Threats (Threat Landscape)

1. Types of Threats and Attacks

Refer Annexure-1

2. Cyber Attack Lifecycle - Illustrative

Refer Annexure-2

Chapter B: Cyber Security Governance

The Bank’s cyber security governance structure is defined in this section.

1. Management Strategy

In response to the cyber-attacks, management at MGB has set up a management
strategy to protect its IT assets from cyber-attacks and respond to any cyber-attacks,
threats in a timely and appropriate manner to ensure confidentiality, integrity and
availability of data/IT Systems. The cyber security strategy that is used at MGB is to
Identify, Protect, Detect, Respond and Recover & Learn, which is as explained below.

# | Stage | Description
1 | Identify | Identification of critical assets and management of cyber security risks
2 | Protect | Safeguarding continually identified assets by deploying controls such as security architecture mechanisms, event correlation systems, intrusion prevention and detection systems, and enforcement of secure configurations.
3 | Detect | Detecting incidents related to attacks or anomalies through continuous monitoring of critical infrastructure
4 | Respond | Take steps to assess the incident impact and take appropriate response measures including escalation to relevant authorities
5 | Recover | Recover from incident in a timely manner adequately following the organization’s incident management, business continuity and disaster recovery policies and procedures and to ensure that there is no loss of confidential data and that its IT assets are protected against cyber-attacks.
6 | Learn | Post recovery, record the relevant learnings from the cyber-incidents and form a plan to prevent similar incidents.

2. Cyber Security Awareness

1. Training programs on cyber security awareness and evolving best practices shall
be conducted.
2. Top management/senior officers of the Bank will be deputed or will be exposed
to seminars/training on Information and cyber security.
3. The bank will design suitable training programs and workshops, if necessary in
collaboration with external experts to disseminate knowledge to all appropriate
levels.
4. The Bank should form and be a part of various communities and forums for
knowledge sharing and combating cyber-threats and cyber-attacks.

3. Roles and Responsibilities

This section is to be read along with IS Policy and Standards.


3.1. Organizational Framework

Well-defined roles and responsibilities of Board and Senior Management are
imperative while implementing Cyber Security Governance. Stakeholders
include:
- Board of Directors
- Information Security Committee
- CM of respective departments
- Business Teams
- IT Steering Committees (operating at an executive level and focusing on
priority setting, resource allocation and project tracking)
- Risk Committees

3.2. Organization Structure

The Board of Directors is ultimately responsible for cyber security. Senior
Management is responsible for advising and making the Bank employees
understand and train them about the cyber security risks to the Bank to ensure that
they are adequately addressed from a governance perspective. The major role of top
management involves implementing the Board approved cyber security policy,
establishing necessary organizational processes for cyber security and providing
necessary resources for successful cyber security.

3.3. Information Security Committee (ISC)

The Information Security Committee serves as an effective communication channel
for management’s aims and directions and provides an ongoing basis for ensuring
alignment of the security programme with organizational objectives. Major
responsibilities of the Information Security & IT Risk Committee, inter-alia, include:

1. Develop and facilitate the implementation of information security policies,
standards and procedures to ensure that all identified risks are managed within
the Bank’s risk appetite.
2. Approve and monitor major information security projects and the status of
information security plans and budgets, establishing priorities, approving standards
and procedures.
3. Support the development and implementation of a bank-wide information security
management programme.
4. Review the position of security incidents and various information security
assessments and monitoring activities across the bank.
5. Review the status of security awareness programs.
6. Assess new developments or issues relating to information security.
7. Report to the Board of Directors on information security activities.

3.4. Computer Emergency Response Team-

It will consist of the following officials:

3.5. Chief Information Security Officer (CISO)

1. A sufficiently senior level official, of the rank of GM, is designated as Chief
Information Security Officer, responsible for articulating and enforcing the policies
that bank uses to protect the information assets apart from coordinating the
security related issues/implementation within the organization as well as relevant
external agencies.
2. The CISO has a working relationship with the CIO to develop the required rapport
to understand the IT infrastructure and operations, to build effective security in IT
across the bank, in tune with business requirements and objectives.
1. In event of a cyber security incident, CISO shall coordinate the response
activities across the Bank as well as coordination and interface with sponsor
Bank.
2. Crisis identification
3. Oversight of incident response activities
4. Oversight of the cyber resilience measures

3.6. Security Operations Centre (SOC)

The responsibilities of the SOC shall include-


1. Detecting security incidents related to attacks or anomalies through
continuous monitoring of IT infrastructure.
2. Analyze the logs in the event of crisis.
3. The SOC shall be responsible for reporting, tracking, monitoring and closure
of incidents.
4. Determine the scope of an internal investigation once an attack has occurred
5. Identify and classify incidents.
6. Assess threat intelligence and proactively identify/visualize the impact of
threats on the Bank.
7. Identify threat vectors and develop use cases for security monitoring.
8. Develop and maintain the technical architecture of the Security Incident and
Event Management (SIEM) tool enabling all the components to perform as
expected.
9. Inform incidents to the GM and take appropriate action for the cyber-attacks.
10. Conduct follow up reviews on the effectiveness of the Bank’s response to an
actual attack.
11. Conduct any investigations within the determined scope.
12. Promote cyber security awareness within departments.

The responsibilities of the Cyber-SOC shall be


1. Providing threat intelligence
2. Cyber threat analysis across security domains
3. Cyber security incident management
4. Cyber security training

3.7. Cyber War Room

A war room needs to be established to carry out responsive activities to a
cyber-attack. All powers of the Board shall be exercised by Chairman on advice of the
GM Admin to deal with the crisis, including creation, governance and
continuation of operation of the war room. The war room should consist of the
following key personnel:

1. The application developers/vendors
2. Database Administrators
3. Concerned Department Heads
4. External experts
5. Forensic team/experts

4. Cyber Attack Prevention Strategies & Plans

Cyber resilience
Cyber resilience is defined as the ability of the Bank to anticipate and withstand
cyber-attacks and the capability to contain, recover rapidly and evolve to
improved capabilities from any disruptive impact caused due to cyber-attacks.
Below are the practices to be followed to withstand cyber-attacks:

Test preparedness to withstand cyber attacks

Exercising and Testing

As per guidance & support line of sponsor Bank, CM-IT Risk in co-ordination
with GM Admin shall develop various exercises such as crisis simulation
exercises, mock drills etc. which assess the adequacy and consistency of the
Cyber crisis management plan. Red team testing exercise shall also be performed
to measure the Bank’s defensive and responsive capabilities. These exercises &
tests shall be conducted at planned intervals or whenever significant changes
occur in sponsor Bank.

5. Risks

Failure to adhere to this policy and the procedures may put the Bank at cyber risk from
cyber security incidents.
Cyber security incidents can result in a broad range of negative consequences,
including reputational loss, financial loss, non-compliance with standards and
legislation and liability to third parties. A cyber security Incident could occur at any
point of the life cycle of the affected information (i.e., at its creation, collection, use,
processing, storage, disclosure, deletion or destruction).
The Bank will therefore regularly undertake risk assessments to identify, quantify
and prioritize risks associated with its cyber security and subsequently develop
controls to mitigate such risks. The Bank will undertake risk assessments using a
consistent and systematic approach.

Chapter C: Policy Categories

1. Inventory Management of Business IT Assets

Policy Statement

To maintain appropriate protection of Bank's Information Assets. All information
assets shall be classified and protected in accordance with criticality and
sensitivity.
Please refer to IS Policy & Standard v1.0

To ensure installation and usage of only approved software in the Bank.
Please refer to IS Policy & Standards v1.0

Physical access to Bank's premises and supporting infrastructure shall be
controlled to prevent, detect and minimize the risk of unauthorized physical
access and damage to Bank's information assets. Appropriate prevention and
detection controls against environmental hazards shall be implemented.
Please refer to IS Policy & Standards v1.0

4. Network Management and Security

Policy Statement

To ensure the protection of information through network security controls in Bank's
network across India and international locations.
Please refer to IS Policy & Standards v1.0
Standards
# | Standard Operating Procedures | Owner/Responsibility
A | Establish Standard Operating Procedures (SOP) for connecting devices to the network including all major IT activities such as deployment, maintenance and decommissioning | Network Team

6. Application Security Life Cycle (ASLC)

Policy Statement

Bank's systems shall be configured for security, reliability and stability and all such
configurations should be documented. Systems should follow standard naming
conventions for efficient identification in configuring and in problem solution.
Please refer to IS Policy & Standards v1.0-
Applications should have controls to secure input, output and securing of storage.
Please refer to IS Policy & Standards v1.0-
Standards
No. | Baseline Controls | Owner/Responsibility
6.1 | Specify security requirements relating to system access control, authentication, transaction authorization, data integrity, system activity logging, audit trail, session management, security event tracking and exception handling at the initial and ongoing stages of system development/acquisition/implementation. | ISD

7. Patch / Vulnerability & Change Management

Policy Statement

All changes to Information assets must be recorded, classified, assessed for risk,
impact and business benefit, approved and implemented in a controlled manner.
Information assets and systems of the bank shall be updated in a timely manner
with security patches for known vulnerabilities.
Standards
No. | Baseline Controls | Owner/Responsibility
7.1 | Changes to business applications, supporting technology service components and facilities will be managed using robust configuration management processes, configuration baseline that ensure integrity of any changes. | Application Owner
7.2 | Conduct application security testing of web/mobile applications throughout their lifecycle in an environment which is closely resembling or replica of production web/mobile application environment. | ISD
7.3 | Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure. | Application Owner

8. User Access Control/Management

Policy Statement

Access to information and information systems shall be according to the principles
of least privilege and need to know basis to authorized users.
Please refer to IS Policy & Standards v1.0 -

Standards
No. | Baseline Controls | Owner/Responsibility
8.1 | Use of VBA/macros in office documents shall be monitored using appropriate tools (Refer Annexure - 3). Files received/sent via email attachments will be scanned to detect malware, VBA/macro, executable, etc. before use. | Application Owner

9. Authentication Framework for Customers

Policy Statement
The access to customer information and critical customer data will be controlled
and managed to prevent against leakage/ attacks.
Standards

9.1 | Authentication framework / mechanism to provide identity verification of Bank to customers needs to be implemented. | Application Owner
9.2 | Ensure that all the credentials of the customer are encrypted and stored/transmitted through secure channels. | Application Owner
9.3 | The Bank will act as the identity provider for identification and authentication of customers for access to partner systems using secure authentication technologies. | Application Owner

10. Secure mail and messaging systems

Policy Statement
Email service should be configured to control data leakage and prevent any
malicious code entering Bank's infrastructure.
Please refer to IS Policy & Standards v1.0-

11. Vendor Risk Management

Policy Statement

Supplier contracts shall include information security requirements, specific
responsibilities and consequences for unauthorized access to information systems
of the Bank. Access by suppliers to any information asset shall be strictly limited
and controlled on a need to know and need to have basis. An assessment of
supplier access risks should be made and appropriate controls should be applied
to reduce the residual risk to an acceptable level.
Please refer to IS Policy & Standards v1.0-
Standards
No. | Baseline Controls | Owner/Responsibility
11.1 | Evaluate, assess, approve, review, control and monitor the risks and materiality of all vendor/outsourcing activities and develop appropriate policies to support baseline System security configuration standards. Standard Operating Procedures and IS Checklist will be followed for third parties | Application Owner
11.2 | All information resources (online/in-person) that are consumed by the Bank will be made accessible to Reserve Bank of India when sought | Information owner
 | The Bank will adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders | Information owner

12. Removable Media

Policy Statement

Usage of removable media shall include security of removable media and
information in it, defining specific access controls for secure usage and storage of
information contained in removable media with Bank's information systems.
Please refer to IS Policy & Standards v1.0 -
Standards
No. | Baseline Controls | Owner/Responsibility
12.1 | Types of media which can be sent/received/copied/transferred from devices should be defined and limited to particular file formats | Information Custodian
 | Centralized policies through Active directory/Endpoint Management system to white list/blacklist/restrict the use of removable media will be implemented | Information Custodian

13. Advanced Real-time Threat Defense and Management
Policy Statement
To ensure the protection of information through real time monitoring of threat
landscape for Bank's network across India.
Standards
| No. | Baseline Controls | Owner/Responsibility |
|---|---|---|
| 13.1 | The Bank will build a robust defense against the installation, spread and execution of malicious code at multiple points in the enterprise. | Network team/Anti-Virus team/Application Owner |
| 13.2 | The Bank will implement Anti-malware, Antivirus protection including behavioral detection systems for all categories of devices - (Endpoints such as PCs/laptops/mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralized management and monitoring. | Network team/Anti-Virus team/Application Owner |
| 13.3 | A white list of authorized websites required for business operations shall be defined and maintained. | Network Team |
| 13.4 | Implement secure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway | Network Team |

14. Anti-Phishing
Policy Statement

To ensure the protection of Bank’s information assets and end users from phishing
attacks.
Standards

| No. | Baseline Controls | Owner/Responsibility |
|---|---|---|
| 14.1 | The Bank shall subscribe to Anti-phishing/anti-rogue application services from external service providers for identifying, protecting and responding to phishing websites/rogue applications. | Application Owner/ISD |

15. Data Leak Prevention Strategy

Policy Statement

To ensure the protection of Bank’s data against leakage.


Standards
| No. | Baseline Controls | Owner/Responsibility |
|---|---|---|
| 15.1 | Develop data loss/leakage prevention strategy to safeguard sensitive (including confidential) business and customer data/information. | Information owner |
| 15.2 | The Data loss/leakage program shall include protecting data processed in end point devices, data in transmission, as well as data stored in servers and other digital stores, whether online or offline. | Information owner |
| 15.3 | Data security and protection should be ensured at the vendor managed facilities as well. | Information owner |


16. Maintenance, Monitoring, and Analysis of Audit Logs

Policy Statement

Logging, monitoring and reporting capabilities shall be implemented to detect
security events.
Please refer to IS Policy & Standards v1.0

18. Vulnerability Assessment, Penetration Testing and Red Team Exercises

Policy Statement

To ensure consistency in audit logs of Bank’s systems.

Please refer to IS Policy & Standards v1.0-


To ensure the protection of applications and systems by performing periodic
vulnerability assessments and penetration testing for Bank's application
landscape and infrastructure components across India and foreign offices. Red
Team assessment reviews must be conducted to identify response and
remediation capabilities of the Bank.
Please refer to IS Policy & Standards v1.0-
Standards

| No. | Baseline Controls | Owner/Responsibility |
|---|---|---|
| 18.1 | The Bank will perform attack and penetration assessments on any new or emerging technologies before they are adopted, mainly public facing systems, as well as a risk-based to test existing applications and infrastructure. Such assessments will only be carried out by professionally qualified teams. | ISD |
| 18.2 | The Bank should conduct and participate in cyber-drills conducted under CERT-In, IDRBT and other relevant organizations | ISD |

19. Incident Response & Management

Policy Statement

A formal information security incident management process shall be established
to discover, report, respond and prevent information security events and
weaknesses effectively.
Please refer to IS Policy & Standards v1.0 -
Standards

| No. | Baseline Controls | Owner/Responsibility |
|---|---|---|
| 19.1 | The BCP/DR capabilities will ensure data integrity and security and will be able to recover rapidly from an attack and resume critical services in accordance with recovery time objectives and should support the Bank's cyber resilience objectives. | Application Owner |
| 19.2 | Ensure that all interconnected systems and networks including those of vendors and partners and readiness demonstrated through collaborative & co-ordinated resilience testing that meet the Bank's recovery time objectives. | Application Owner |
| 19.3 | For Incident and Cyber Crisis; a comprehensive management plan shall be referred. Please refer Cyber crisis management plan (CCMP) developed in line with RBI's cyber security framework mandate. | ISD |


20. Risk based transaction monitoring

Policy Statement

To ensure continuous monitoring of Bank's transactions based on their criticality
so that customers are notified within no time regarding any suspicious or
fraudulent transactions.
Standards

| No. | Baseline Controls | Owner/Responsibility |
|---|---|---|
| 20.1 | Monitoring/surveillance processes will be implemented for combating cyber fraud. | Information Owner |
| 20.2 | The Bank shall notify the customers about the transactions, payments, funds transfer initiated on the account through multiple communication channels as preferred by the customer. | Information Owner |

21. Metrics
Policy Statement

To develop a set of metrics that provides prospective and retrospective measure
like Key Performance Indicators.
Standards

| No. | Prospective Measures | Owner/Responsibility |
|---|---|---|
| 21.1 | Identify and maintain a count of the third party applications being used and their respective access levels granted | Application Owner |
| 21.2 | Maintain a count of the physical security incidents on critical areas | End User (report to IT-RMD) |
| 21.3 | Aggregate and measure the environmental incidents such as (fire, water, temperature and humidity, power failure, earthquake) and document the incident and its effect on the Bank. | End User (report to IT-RMD) |
| 21.4 | Regular maintenance record of services such as water supply, sewage, heating, ventilation and air conditioning in critical areas should be maintained and uptime of the services will be documented. | Information Custodian |
| 21.5 | Maintain a count of physical simulation exercises and cyber drills conducted by the Bank | ISD |
| 21.6 | The number of attempts made by unauthorized devices to the Bank's network | Network Team |
| 21.7 | Maintain a performance and downtime measure of network products such as firewall, IDS, IPS, routers, modem, NIC, DHCP server, VPN, switches, cables etc. | Network Team |
| 21.8 | Maintain a count of network security incidents | Network Team |
| 21.9 | Maintain a count of the successful and unsuccessful remote access attempts by the end-user. | Application Owner/ISD |
| 21.10 | A quantifiable record of unauthorized attempts to access the Bank's system, network, infrastructure and services will be maintained | ISD |
| 21.11 | Maintain a performance record of the Operating Systems used by the Bank on all its systems, network infrastructure in critical areas | Deputy CTO - Infra |
| 21.12 | Measure and track all activities of the users on Bank's corporate website and the website analytics should be documented (count the number of tabs open in browser) | Application Owner/Analytics Department |
| 21.13 | Maintain the successful and unsuccessful attempts of the anti-virus to combat infections on the Bank's network | PE I |
| 21.14 | Maintain a count of the mobile devices registered for MDM. | PE I |
| 21.15 | Maintain a count of the vulnerabilities encountered, identified and remediated. | ISD |
| 21.16 | Evaluate and keep a count of the VA/PT/Application Security results | ISD |
| 21.17 | Maintain records of successful attacks on the network and combat mechanisms implemented. | IT Networking Department |
| 21.18 | Maintain record and count of the successful and unsuccessful red team exercises performed on the Bank's system, network, infrastructure and services | ISD |
| 21.19 | Maintain a record and measure of the fraud occurrences in the Bank's transactional services | Fraud Monitoring Cell (FMC) |
| 21.20 | Maintain a count of vendor engagements and interactions | Partner relationship Department |
| 21.21 | Measure the success rate, utility and performance, SLA violations of the vendors. | Partner relationship Department |
| 21.22 | Maintain a count and violations occurrences while conducting vendor risk assessment | Partner relationship Department |
| 21.23 | Maintain a count of IS training conducted and number of attendees of the sessions | ISD |
| 21.24 | Maintain a count of the customers educated and reached with the help of customer awareness initiatives | ISD |
| 21.25 | Maintain a report indicating latency of patches being deployed in the Bank post OEM releases | Application Owner |

22. Forensics

Policy Statement

To ensure that all systems of the Bank have forensic capabilities. Electronic data
shall be gathered and preserved in a systematic, standardized and legal manner
to ensure the admissibility of the evidence for the purpose of any legal
proceedings or investigations.
Standards

| No. | Baseline Controls | Owner/Responsibility |
|---|---|---|
| 22.1 | The Bank shall empanel appropriate and qualified team of forensics investigators and carry out investigations of cyber-attacks. | ISD |

To ensure protection of Bank's information assets against misuse and / or
compromise, define and communicate to users / employees, vendors & partners
the Bank's security policies, educating them about cyber security risks and
protection measures at their level
v1.0

24. Customer Education and Awareness

Policy Statement

Create a safe and secure environment for customer records within and outside the
Bank and make the customers aware about prevention of fraudulent activities.
Please refer to IS Policy & Standards v1.0

Annexures
Annexure 1: Types of Threats

| Threat | Possible reason for attack |
|---|---|
| Unsophisticated attackers | The possible reason for such a threat is due to existence of the Bank over the internet and having vulnerability. |
| Sophisticated attackers | The possible reason for such a threat is due to existence of the Bank over the internet and having information of value. |
| Corporate espionage | The possible reason for such a threat is an attempt to gain access to trade secrets through dishonest means. |
| Organized crime | The possible reason for such a threat is to achieve financial gain. |
| State-sponsored attacks and advanced persistent threat | The possible reason for such a threat is due to the type of work the Bank does and the value of its Intellectual Property. |



| Type of Hackers | Description | Motivation Includes: |
|---|---|---|
| Script Kiddies | A hacker that does not possess technical expertise and relies on pre-developed scripts and programs to perform attacks | Thrill of the Challenge; Malicious Intent; Financial Gain |
| Thrill-Seeker | A hacker that breaks into systems/network for entertainment value (non-malicious intent) | Thrill of the Challenge; Admiration of fellow hackers |
| Insider Hacker | An employee/consultant that performs security exploits within their firm's system/network utilizing organizational knowledge. Typically this type of hacker is a disgruntled/departing employee, contractor or whistle blower | Revenge; Exposing firm weaknesses; Deception/fraud |
| Activist | A socially or politically motivated hacker with the intention of fulfilling a social or political agenda. | Promotion of political or social beliefs; Website and Social Media Defacement |
| Cyber terrorist | A hacker with threatening objectives such as harming people or destroying critical systems and/or information. | Invoke Terror/Fear/Panic; Disruption; Cause chaos |
| Cyber Warriors/State Sponsored | A hacker that works for a specific government to serve their military/economic objectives via cyberspace. These hackers have limitless time and funding to target civilians, corporations, and enemies of the state. | Promote governmental beliefs; Damage economies; Invoke Terror/Fear/Panic; Exert Dominance; Cause chaos |
| White-Hat/Ethical | Individuals that are hired by a company to break into their system/network to discover potential security lapses/weaknesses/vulnerabilities | Identify weaknesses/vulnerabilities; Assist a company with hardening their security |
| Black-Hat/Criminal/Dark Side | Malicious hackers that exploit security vulnerabilities for personal gain. They may also destroy information they find, steal passwords, and steal sensitive data, negatively impact technology operations | Thrill of the Challenge; Malicious Intent; Financial Gain |
| Grey-Hat | A hacker that is a cross between a white hat and black hat hacker. This type of hacker will break into a system/network without the owner's consent/knowledge and will publicly disclose any security vulnerabilities/flaws. However, they do not take advantage of the flaw for their own personal gain. Their goal is to help a company improve. | Identify and disclose security vulnerabilities publicly; Recognition from peers |
| Crackers | Hackers that are for profit and hired to engage in electronic corporate espionage. They will commonly use dumpster diving and social engineering to accomplish their objectives. | Malicious Intent; Financial Gain |
| Spy Hackers | Hackers that are hired by corporations to infiltrate their competitors and obtain/steal competitive information such as intellectual property and/or trade secrets. | Malicious Intent; Financial Gain |
| Spammers/adware spreaders | Individuals that are paid by a company/organization to push spam/adware as forms of illegal advertising to promote products or promotions. | Financial Gain |

Types of Attacks

Malicious users or Hackers can carry out cyber-attacks using a variety of methods.
The following are the common types of attacks:
• Malware - Software or code snippet designed to cause harm to your computer
and/or network security.
• Social Engineering - Utilizing manipulative methods to obtain (confidential)
information through unauthorized methods.
• Vulnerability/Exploit Attacks - Attacks executed by sophisticated hackers that
utilize a combination of knowledge, tools and exploitation of technology
weaknesses.
• Other Attacks

Malware
Malware based attacks include the following:

• Virus - Software with malicious intent to cause disturbance or damage. When
the software is executed, the virus attaches itself to a program/file to replicate
and spread throughout your system files (infecting) with the objective of
damaging computer/network operations.
• Worm - Similar to a virus, worms are software that replicates and spreads itself,
not only from file to file, but from computer to computer via email and other
internet traffic.
• Trojan Horse - Software that can either hide inside other software or appear to
be legitimate software. Unlike a virus or worm, a Trojan horse does not
reproduce or self-replicate, but is spread by opening/launching infected email
attachments or internet files.
• RAT (Remote Access Trojan) - A malware program that includes a backdoor
for administrative control over the target computer. RATs are usually
downloaded invisibly with a user-requested program - such as a game - or
sent as an email attachment.
• Spyware - Malicious software that collects and monitors user information and
activities on the computer/network without their knowledge that is sent to
another entity/individual for purposes such as advertising or other malicious

• Ransomware - Software that limits or restricts users from accessing their
system or certain files until a ransom is paid. Often hackers will employ
encryption methods to prevent access to the files until the ransom is paid.

Social Engineering
Social Engineering Attacks include the following:
• Spoofing - Altering the return address on an email to deceive the receiver of
that email message that the email came from someone other than the actual
sender.
• Identity Spoofing (IP Address Spoofing) - A method of deception by using
another IP address (that is not your own) to access the network that is usually
used as on-line camouflage to mask their activities and/or gain unauthorized
entry.
• Phishing (emails) - Deception that often uses legitimate-style emails with the
objective to fraudulently obtain sensitive/confidential information (i.e. asking
you to enter your username, password, debit card number, ATM Pin etc.)
• Spear Phishing - Similar to Phishing, but is targeted to a specific organization
or group. It is a realistic email with a link to a malicious website used to
download malware or gather private information.
• Vishing - Like Phishing, except that this method uses telecommunication
(phone calls) to solicit personal information.
• Smishing - Like Phishing, except that this method utilizes cell phone text
messages to solicit your personal information.
• Pharming - Redirection to a fraudulent website without your consent or
knowledge.
• Baiting - Baiting is in many ways similar to phishing attacks. However, what
distinguishes them from other types of social engineering is the promise of an
item or good that hackers use to entice victims. Baiters may offer users free
music or movie downloads, if they surrender their login credentials to a certain
site.
• Pretexting - Pretexting is another form of social engineering where attackers
focus on creating a good pretext, or a fabricated scenario, that they can use to
try and steal their victims' personal information. These types of attacks
commonly take the form of a scammer who pretends that they need certain
bits of information from their target in order to confirm their identity.


Vulnerability/Exploit Attacks


Capacity based attacks take advantage of vulnerabilities that exist in the space or
capacity of technology. Examples include:

• Denial of Service (DOS) Attacks - Flooding a server or network with so many
requests for service that it slows down and/or crashes resulting in the
prevention of legitimate customers/users from obtaining access.
• Distributed Denial of Service attacks (DDOS) - A DDOS attack whereby the
attacks come from multiple computers at the same time causing the
website/network to become disabled.

(Botnet/Zombie - Commonly used for DDOS and DOS attacks.)


Exploit based attacks take advantage of vulnerabilities identified in software.
Examples include:

• Man in the Middle (MITM) - An attack used to monitor and potentially modify
communications between two users. For example, the attacker could intercept
the public key message exchange with a private key and continue to retransmit
the message while actively eavesdropping without the users' knowledge.
• Man in the Browser - Similar to a MITM attack, however a Trojan horse is used
to intercept and manipulate the communications.
• Injection Attacks - A type of attack whereby malicious commands are sent to a
system/application through unauthorized channels. The commands can allow
attackers to create, read, update, or delete data that is available on the
system.
• Cache Poisoning - This type of attack introduces false or malicious data into
cache memory and then enables the attacker to use exploit tactics.
• Logic Bomb - The attacker exploits a logical error in the code of the application
to perform malicious activities

Other Attacks

Other types of cyber-attacks include:


• Advanced Persistent Threat (APT) - A long term hack with the intent of
infiltrating a network/computer to gain unauthorized access for an extended
period of time without being detected (stealthy). The objective is generally to
obtain valuable information and data for business and/or political motives.
• Web defacing (Defacement) - Replacing the content of a website typically with
negative/anti-company information.
• Brute-Force Attack - The use of a password cracker to obtain a user's password and
then access their account/system without their knowledge. (Not used in
modern times, as most companies have password configurations set up, as
required by standard audit procedures)
• Internal Threats based attack - The threat exposure created by an internal
employee in order to make his/her task easier is used by an attacker for
malicious intent
Annexure 2: Cyber Attack Lifecycle - Illustrative

[Figure: Cyber attack lifecycle. Stages: intelligence gathering, initial exploitation, command and control, privilege escalation, data exfiltration. Annotations: potential detection point with robust threat intelligence/detection; point where most targets are notified of the attack (generally by third parties).]

The cyber-attack lifecycle is as illustrated above for better understanding of how a
cyber-attack is executed and what are the steps followed in general by an attacker.
The steps in a cyber-attack lifecycle are explained below:

► Step-1: Intelligence gathering or reconnaissance: During this phase of
cyber-attack, criminals, cybercriminals or hackers carefully study their victims and
plan their attacks, often using social engineering, phishing, email address
harvesting, and other tactics to research, identify, and select targets. They also
use various tools to scan networks for vulnerabilities, services, and applications that
can be exploited.
► Step-2: Initial Exploitation: The attacker determines the malware payload and
the method that will be used to deliver it. For example, data files or web pages
can be weaponized with exploits that are used to target the victim's vulnerable
software and delivered via an email attachment or drive-by download. A
drive-by download delivers advanced malware or an exploit in the background,
without the user's knowledge, usually by taking advantage of a vulnerability in
an operating system, web browser, or other third-party application.
The attacker generally has two options for exploitation:
■ Social engineering is a relatively simple technique used to lure someone
into clicking a malicious link or opening a malicious executable file, for
example.
■ Software exploits are a sophisticated technique since they essentially trick the
operating system, web browser, or other third-party software into running
an attacker's code. This means the attacker has to craft an exploit to target
specific vulnerable software on the endpoint. Once exploitation has
succeeded, an advanced malware payload can be installed.
► Step-3: Command and Control (CnC):
Communication is the lifeblood of a successful attack. Attackers must be able
to communicate with infected systems to enable command and control, and to
extract stolen data from a target system or network. This communication can
also be used by the attacker to move laterally, targeting other systems on the
victim's network. Thus, the initially infected target may only be the first entry
point that enables lateral movement toward the attacker's ultimate objective.

CnC communications are generally stealthy and can't raise any suspicion on
the network. Such traffic is usually obfuscated or hidden through techniques
that include the following:

o Encryption with SSL, SSH, or some other custom application,
o Circumvention via proxies, remote desktop access tools, or by tunneling
applications within other (allowed) applications or protocols,
o Port evasion using port hopping to tunnel over open or nonstandard ports,
o Fast Flux (or Dynamic DNS) to proxy through multiple infected hosts,
reroute traffic, and make it extremely difficult for forensic teams to figure
out where traffic is really going.

► Step-4: Privilege escalation:

Once a target endpoint has been infiltrated, the attacker needs to ensure
persistence (resilience or survivability). Various types of advanced malware
are used for this purpose, including the following:
o Rootkits are malware that provides privileged (root-level) access to a
computer.
o Bootkits are kernel-mode variants of rootkits, commonly used to attack
computers that are protected by full-disk encryption.
o Backdoors enable an attacker to bypass normal authentication procedures
in order to gain access to a compromised system and are often installed
as a failover, in case the malware is detected and removed from the
system.
o Anti-AV software may also be installed to disable any legitimately installed
antivirus software on the compromised endpoint, thereby preventing
automatic detection and removal of malware that is subsequently installed
by the attacker. Many anti-AV programs work by infecting the master boot
record (MBR) of a target endpoint.

► Step-5: Data Exfiltration:

Attackers have many different motives for an attack and data exfiltration
including data theft, destruction of critical infrastructure, hacktivism, or cyber
terrorism. This final phase of the attack often lasts months or even years,
particularly when the objective is data theft, as the attacker uses a low-and-
slow attack strategy to avoid detection.


Annexure 3: Solutions

The following list of tools is illustrative and not exhaustive.

List of Security solutions to be implemented in SOC:
The following solutions will be integrated for monitoring by third party SOC
1. Firewalls & UTMs
2. Anti-Virus/Total Protection
3. Network IPS/IDS
4. DLP - End points & Gateway
5. Threat & Vulnerability management
6. NAC
7. Web Application firewall
8. Privileged Identity Management
9. Database Activity Monitoring
10. Governance Risk & Compliance (GRC) solution
11. PKI, SSL & SSO Infrastructure
12. MDM Platform/solution
13. Cloud Security & Virtualization environment
14. Any other security solution as deemed required by the Bank to
ensure confidentiality, integrity and availability of data

Identity & Access Management:
- Identity & access management solution
- Privilege identity/access management (PIM/PAM)

Data Leakage Prevention:
- Network DLP
- Email DLP
- End point DLP

End Point Security:
- End-user disk encryption
- Desktop Firewall
- Anti-virus/Anti-Malware

Host Security:
- Host Intrusion Prevention System
- File Integrity monitoring solution

Web Security:
- Web Access Security / Web Application Firewall
- 2-factor authentication for Internet and mobile banking (can be
OTP, PW, Grid combo)

Perimeter Security:
- DDoS Protection
- Network Intrusion Prevention System
- Perimeter Firewall
- Remote Access/VPNs

Handheld / Mobile Device Security:
- Mobile Device Management solution

Patch management:
- Automated patch management solution
