IT Manual Intermediate

The document is an intermediate level IT manual for NCC Bank Limited, detailing the impact of information technology on banking in Bangladesh. It discusses the benefits of IT, current investment trends, and the status of various banking technologies such as mobile banking, apps banking, and internet banking. The manual emphasizes the importance of efficient IT resource utilization to enhance customer service and reduce operational costs in a competitive banking environment.

Uploaded by

Yeasir Arafath

STUDY MATERIAL ON

IT FOR NCC BANK LIMITED


(INTERMEDIATE LEVEL)

February 28, 2022

Bangladesh Institute of Bank Management [BIBM]


Dhaka, Bangladesh

Intermediate Level IT Manual for NCC Bank Limited Page | 1


Module: IT (Intermediate Level)

Advisor : Dr. Md. Akhtaruzzaman


Director General, BIBM

Module Preparation Team : Md. Nehal Ahmed


Professor and Director (DSBM), BIBM

: Md. Mahbubur Rahman Alam


Associate Professor, BIBM

: Md. Foysal Hasan


Lecturer, BIBM

Bangladesh Institute of Bank Management (BIBM)


Plot No. 4, Main Road No. 1 (South), Section No. 2
Mirpur, Dhaka-1216, Bangladesh
PABX: 48032091-4, 48032097-8
FAX: 48033495
E-mail : [email protected]
Web: www.bibm.org.bd

Chapter-1
Banking Technology and Its Impact on Banking Business

1.1 Information Technology and Banking


The rise of Information Technology (IT) has ushered in a global surge in financial activity
that has never been seen before. The cost of global funds transfer has been significantly reduced
due to technological advancements and the development of global networks. Information
technology enables banks to meet the high expectations of customers who are more demanding
and technologically savvy than the previous generation. They expect to be able to bank at any
time and from any location. ICT has been providing banking solutions to handle banks'
accounting and back-office needs.

ICT has become the heart of the banking sector in Bangladesh nowadays. The banking
industry is the soul of every robust economy. ICT is helping the banking sector to improve the
efficiency and effectiveness of the services offered to customers, and to boost business processes,
managerial decision making, and workgroup collaboration, which strengthen banks' competitive
positions in rapidly changing and emerging economies.

Technology is and will remain fundamental to the future of banking. It provides banks with
multiple and constantly emerging channels to communicate with customers and analyze their
behaviors, allowing smoother, more convenient and accessible channels for customers to use
whilst capturing more data to continually improve on this offering. This technology also means
an improvement in banks' internal systems and processes, resulting in a more efficient and
ultimately more profitable bank.

All banks in Bangladesh have made substantial investments in ICT platforms and Information
systems, and built multiple distribution channels to provide online financial services to their
customers. By and large, the banks have been successful in developing state-of-the-art product
features, reducing operating costs, enhancing customer service delivery and lessening inherent
risks.

In Bangladesh, banks have established large ATM and POST networks to provide 24/7
customer service. They offer their customers services such as electronic payment
through virtual cash and e-cards, ATM/POS, Mobile Banking, Internet and Apps Banking etc.

Many banks have installed POS terminals in major shops, hotels, sales centers etc. all over the
country. Some of the technology-driven banks provide an internet banking channel with
a number of customer-friendly features. Customers are now able to bank
from any place in Bangladesh at any time.

Bank management is now seriously considering how to reduce administrative/operating costs for
profit maximization through initiatives/measures such as optimum utilization of IT/IS
resources, reducing cash/paper-based transactions, enhancing virtual cash and digital payment,
and online internal communication among the employees and other stakeholders of banks
through Intranet and Extranet platforms. With a view to increasing cashless transactions, banks
are now introducing innovative digital services like Mobile Apps, QR-code payment, Digital
Wallet etc.

As many financial products and services directly or indirectly depend on ICT, banks have to
think about how to utilize IT resources efficiently and introduce innovative digital financial
technology to lessen costs; improve the efficiency and productivity of employees;
ensure secure, reliable and speedy internal IT operations; and provide better services
to modern tech-savvy customers. Otherwise, banks may face serious IT risks as well as
business risks in the present competitive and digital age.

1.2 Benefits of IT in Banks


Information Technology (IT) helps a bank in many ways. Now, many banks use information
technology as a competitive weapon. IT plays a key role in achieving competitive advantage.
IT reduces the cost of operation and enables banks to provide quality services to customers.
Today’s e-bank is different from traditional banks. Some of the benefits of e-banking are listed
below:
• The operating cost per unit services is lower for the banks.
• It offers convenience to customers as they are not required to go to the bank's premises.
• There is very low incidence of errors.
• The customer can get 24×7 banking facilities.
• The credit cards and debit cards enable the customers to obtain discounts from retail
outlets.
• The customer can easily transfer the funds from one place to another place
electronically.

From the discussion above, it is clear that the importance and impact of Information
Technology is immense. So, it is time to embrace the benefits of IT and move forward for
achieving competitive advantages.

1.3 Current status of Information technology in Banks of Bangladesh


1.3.1 IT Investment and Sector-wise IT Budget
In 2016, about Tk. 1793 crore was invested in IT operations in the banking sector. Total
investment up to 2019 was estimated at Tk. 42,609 crore since 1968 (counting from the
installation of a computer at Agrani Bank in 1968, the first computer installation in the
banking sector of Bangladesh). In 2020, around Tk. 1,666 crore was invested in IT systems
in the banking sector (Figure-1). IT investment in 2020 was 39.37 percent less
than in 2019. One of the reasons for the lower investment in this year might be the adverse
impact of the COVID-19 pandemic on local and global business, especially the banking
business.
Figure-1: IT Investment in Banks from 2016-2020 (In Crore BDT)

Year  IT Investment
2020  1666
2019  2478
2018  2021
2017  2035
2016  1793

Source: BIBM Survey


In 2020, the highest portion of the IT budget was used to procure Hardware (35.6%), slightly
more than in the previous year (29.8%). Investment in Network decreased a bit, to 14% in 2020
compared to 15.6% in 2019. The budget for IT Security, Training and Audit was
very low in the last five years, though in 2020 it increased slightly for IT Security and
decreased for Training and Audit compared to the previous year. If these three sectors are
ignored, it is not possible to ensure better IT security for banks. In this year about 26% of
IT expenditure was related to Software procurement and update. The rest of the budget went to
power management, vehicle purchase, stationery procurement and maintenance of IT equipment
(Figure-2).

Figure-2: Distribution of IT Budget from 2016 to 2020 (% of Total Budget)
[Bar chart: share of the IT budget (0 to 50%) for Hardware, Software, Network, Security,
Training, Audit and Others, with one bar per year from 2016 to 2020.]
Source: BIBM Survey


1.3.2 Alternative Delivery Channels (ADCs) in Banks
Bangladeshi banks have already established several ADCs to serve their customers 24 hours a
day and 365 days a year. ATM service is very popular among customers, as 95% of banks offer
this service. Internet banking, call centers and agent banking are other popular ADCs.
Banking Apps also have a promising future, as 62% of banks have promoted this service for their
customers (Figure-3); however, we are not yet accustomed to some channels, such as chat bots and
multi-functional kiosks, that are already popular in developed countries. Chat bots are being used
by major banks worldwide, allowing banks to handle many customers simultaneously, and
social media is a valuable tool for banks to generate brand awareness, leads, sales, and revenue.
But very few banks in our country have actually used these two channels.
Figure-3: ADCs Used by Banks to Provide Online Services to Customers (% of Banks)
[Bar chart of the share of banks offering each ADC; the channel labels did not survive
extraction.]

Source: BIBM Survey

1.3.3 Mobile Banking
In Bangladesh, two types of mobile banking service are available. Unstructured Supplementary
Service Data (USSD) is a menu-based service, which runs as a real-time open session between
the application and the end user. A USSD code can be accessed on any phone, whereas the app can
only be accessed on a smartphone with an active data bundle. Since the inception of MFS
(Mobile Financial Services), the flow of money into the rural parts of Bangladesh has been
increasing significantly. High yearly growth has been observed in terms of number of customers,
volume of transactions and number of transactions since 2015 (Table-1).
Table-1: Growth of Mobile Banking from 2015 to 2020
2015 2016 2017 2018 2019 2020
No. of Approved Banks 28 19 19 19 19 19
No. of Banks Offering MFS 18 17 18 18 16 15
No. of Agents 561,189 710,026 786,459 886,473 971,620 1,058,897
No. of Customers 31,845,658 41,078,524 58,825,414 67,519,645 79,555,079 99,336,198
No. of Active Customers 13,218,356 15,874,325 21,065,321 37,323,000 34,646,000 32,327,000
No. of Total Transaction (Millions) 1,166.05 1,473.24 1,875.64 2,272.75 2,589.8 3,172.0
Total Transaction Amount (Billions BDT) 1,772.76 2,346.92 3,146.62 3,788.85 4,343.18 5,616.0
Source: Bangladesh Bank

In our country, 74% of banks (providing MFS) have introduced a mobile banking App. Among
them, 23% of banks have developed it in collaboration with a local vendor, 44% have
developed the app in-house, whereas local vendors have developed the app for the remaining 33%
of banks. Major challenges regarding mobile banking faced by banks are summarized in Box-1.

Box-1: Mobile Banking Related Problems and Challenges


• Customer awareness has become a very challenging task. Despite repeated alerts by banks, a
large number of customers (particularly female garment workers) still share their PIN, resulting
in fraudulent transactions afterwards.
• Liquidity crisis in agent points. Risk associated with carrying cash in order to ensure sufficient
liquidity at different agent points (especially in rural areas).
• Insufficient number of mobile banking offices nationwide to provide quick customer services such
as KYC processing, dispute resolution etc.
• Proper agent selection and monitoring mechanism.
• Commission of distributor and agent is very high.
• Limitation of Mobile Network Operators (MNOs) to provide USSD connection. Telco's charges are
high. Heterogeneous fee structure for availing USSD gateway among MNO is another problem. To
solve this problem App based MFS can be developed.
• Over the Counter (OTC) transaction is a common practice in mobile banking platform.
• Level playing field is not ensured for MFS providers.
• Establishing distribution channel is costly.
• There is no arrangement to verify two major photo IDs i.e. Passport and Driving license.
• Marketing and promotional cost is high.
• Prevention of money laundering and terrorist financing is a great challenge.
• Service charge for cash out is very high.
• Transaction limit is low.
Source: BIBM Survey

1.3.4 Apps Banking


The term “Apps Banking” refers to the provision of banking and financial services by means
of software applications, known as apps. Apps banking services are availed through instructions
that are handled by a server. The customer sends a customized request to the bank with predefined
commands for each offered service. The bank's server receives the request, decodes the
commands and executes the instructions if the request is found to be authorized. Apps banking
services include: balance inquiry, cheque book request, cheque leaf status, foreign currency
rate, cheque stop payment instruction, statement request by courier/post, statement request by
e-mail, last few transaction statement, available limit of credit card, fund transfer request, PIN
(Personal Identification Number) change, utility bill payment, cash deposit alert, help inquiry
etc. Table 4 below shows the status of apps-based banking in Bangladesh. It is seen
that Private Commercial Banks (PCBs) are taking the lead in providing apps-based banking
services.

Table 4: Percentage of Having Apps Banking Platform According to Bank Type


Bank Type Percentage
State Owned Commercial Banks (SOCBs) 50%
Specialized Banks (SBs) 0%
Private Commercial Banks (PCBs) 95%
Foreign Commercial Banks (FCBs) 55%
Source: Website of Banks
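
The request handling described in Section 1.3.4 (predefined commands, decoded by the server and executed only if authorized) can be sketched as follows. This is an added example, not code from the manual or from any bank's system: the "seq|COMMAND|args" message layout, the HMAC-SHA256 tag, the sequence counter, the command codes and the 13-digit account format are all assumptions made for illustration.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation


def _digits(value):
    return value.isascii() and value.isdigit()


def _is_account(value):
    # Assumed account format for this sketch: exactly 13 digits.
    return _digits(value) and len(value) == 13


def _is_amount(value):
    # Positive, finite amount with at most two decimal places.
    try:
        amount = Decimal(value)
    except InvalidOperation:
        return False
    return amount.is_finite() and amount > 0 and amount.as_tuple().exponent >= -2


# Hypothetical predefined commands: code -> (service named in the text, validators)
COMMANDS = {
    "BAL": ("balance inquiry", []),
    "STOPCHQ": ("cheque stop payment instruction", [_digits]),
    "FT": ("fund transfer request", [_is_account, _is_amount]),
}


class Session:
    """Per-login state: a shared secret key and the last sequence number seen."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0


def sign(key, message):
    """Tag the app attaches to a request (assumed scheme: HMAC-SHA256, hex)."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def handle_request(session, message, tag):
    """Authorize first, then decode, then validate; return (status, detail)."""
    # 1. Authorization: reject anything not signed with the session key.
    expected = sign(session.key, message)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return ("DENIED", "request not authorized")

    # 2. Decode the envelope and refuse replayed sequence numbers.
    parts = message.split("|")
    if len(parts) < 2 or not _digits(parts[0]):
        return ("REJECTED", "malformed request")
    seq = int(parts[0])
    if seq <= session.last_seq:
        return ("DENIED", "replayed or out-of-order request")
    session.last_seq = seq

    # 3. Only predefined commands with well-formed parameters are executed.
    spec = COMMANDS.get(parts[1])
    if spec is None:
        return ("REJECTED", "unknown command")
    service, validators = spec
    args = parts[2:]
    if len(args) != len(validators) or not all(
        check(arg) for check, arg in zip(validators, args)
    ):
        return ("REJECTED", "malformed parameters")
    return ("ACCEPTED", service)


if __name__ == "__main__":
    session = Session(b"constructed-demo-key-0123456789ab")  # constructed sample key
    for msg in ("1|BAL", "1|BAL", "2|FT|1234567890123|500.00", "3|WIPE"):
        print(msg, "->", handle_request(session, msg, sign(session.key, msg)))
```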

1.3.5 Internet Banking


At the end of 2020, 90% banks provided some sort of informational and transactional Internet
Banking services, which was only 52% at the end of 2015. There has been a satisfactory
enhancement in terms of providing Internet Banking services in our banking sector. In 2020, the
number of customers and transactions were 32,45,333 and 2,44,30,983, respectively, which were
27,42,241 and 1,98,97,516, correspondingly, in the previous year. Major challenges faced by
banks regarding Internet Banking are summarized in Box-2.

Box-2: Internet Banking related Problems and Challenges
• Customers share their credentials with their relatives or friends.
• Customization of software to introduce new features.
• Combating different types of cyber-attacks like Phishing, SQL injection, DoS and DDoS
etc.
• Dependency on the CBS vendor and limited budget for purchasing security tools and
applications.
• The present fund transfer ceiling is a barrier for corporate customers.
• After the introduction of hardware and software-based tokens for 2FA, customers became
dissatisfied. Where mobile SMS is used for 2FA, customers receive the SMS with a slight delay,
which also makes them dissatisfied.
• Cyber-attacks and customer awareness are the major challenges for Internet Banking
transactional services. Customers lack awareness of phishing and IP tracing to
combat online fraud.
• Disruption in link connectivity of the Web server.
• Customers get locked out of their User ID as they often forget their security credentials. It is
sometimes very hard to reset their password due to their lack of technical knowledge.
Source: BIBM Survey

1.3.6 Point of Sales Terminal (POST)


POST allows making transactions, using all types of debit and credit cards. The growth of
POST in Bangladesh is shown in Table-3.
Table-3: Number of POST
2015 2016 2017 2018 2019 2020
POS 30336 32953 37379 45896 58527 73229

Source: Economic Trend, (Feb 2021), BB

Most POSTs (91.6%) are operated in urban areas. In Dhaka city, 86% POSTs are in
operation. In Bangladesh, only PCBs provide this service. In 2020, the total number of POS
transactions was recorded at 2.8 crore, which was 3.1 crore in the previous year (2019).

1.3.7 ATM
An automated teller machine (ATM) enables banks’ customers to perform transactions, like
cash withdrawal, deposit, funds transfer, or inquiries about account information, at any time
and without the need for direct communication with a bank employee. The growth of ATMs in
Bangladesh is shown in Table-4.
Table-4: Number of ATM
2015 2016 2017 2018 2019 2020
ATM 7839 9019 9522 10355 10924 11923
Source: e-Banking and e-Commerce Statistics Unit, (July 2021), BB

According to BB, in December 2020 SOCBs had only 288 ATMs, whereas PCBs had 11,635
ATMs. In fact, PCBs own more than 96% of total ATMs in Bangladesh. It is worth mentioning that
46.9% of ATMs were set up by DBBL alone. Card skimming and ATM fraud have been
occurring increasingly in our country. To prevent card fraud, BB advised banks to convert all
magnetic cards into EMV-compliant chip cards and to set up anti-skimming devices in all ATMs.
94.5% of ATMs were EMV compliant at the end of 2020. At the same time, about 96.5% of
ATMs were equipped with an Anti-Skimming device, which is a positive sign. Major challenges
faced by banks regarding ATM banking are summarized in Box-3.
Box-3: ATM Banking Related Problems and Challenges
• Plastic cards of all banks are not EMV (Europay, MasterCard and Visa) protected. So, when a
card holder of a protected bank uses the card in an unprotected bank’s ATM, there is a scope of
fraud.
• Inter-bank transaction fee for ATMs is a barrier. This charge should be minimized.
• Need to create more awareness among customers to combat ATM and card frauds.
• Ensuring 24/7 power supply with the proper backup of UPS especially in rural and semi urban
areas.
• Unavailability of suitable ATM sites and exorbitant rent for existing and prospective sites.
• Some banks take more time to resolve disputes. After the introduction of NPSB, this has slightly reduced.
• All POSTs are not EMV compliant. If Chip/EMV technology is introduced both in ATM and
POST, fraud/forgery might be prevented to a great extent.
• Frequent Link down and Link up time.
• Unlike VISA/Master Card, proprietary debit card doesn't have NPSB logo on card and POS,
which creates confusion for the customer and merchant. As a result, merchants are not accepting
proprietary debit card at their POS.
• Banks should install anti-skimming devices and PIN shields in ATMs. The challenge banks face is to
cope with the rapidly changing technology which skimmers use to attack ATMs.
• Proper monitoring of off-site ATM, especially those located at remote location.
• Poor service quality of existing security companies and guards. They do not perform their duties
properly.
Source: BIBM Survey

1.3.8 Cash Recycler Machines (CRM) and Cash Deposit Machine (CDM)
New types of ATMs are now revolutionizing the banking industry. These machines, called
CRMs, are designed to recycle deposited cash for use in subsequent withdrawal transactions.
The benefit of deploying a CRM is enhanced efficiency, both in terms of operations and
costs, along with consistent and reliable counting of cash. Currency-recycling technology allows
cash to be accepted, validated, sorted, stored and dispensed at a later time, cutting down the need
for daily monitoring and replenishment, while offering greater quality control and the ability
to make automatic, real-time deposits. Only 28% of banks in Bangladesh had installed CRMs, and
780 CRMs had been installed by these banks in 2020, increasing from 254 in 2019, which shows a
huge growth. In 2020, Tk. 6231.7 crore was transacted through CRMs and the number of
transactions was 9649175.

Using a CDM (Cash Deposit Machine), customers can deposit money in real time and see the
transaction reflected instantly, with an instant notification message. In 2020, only 47% of banks in
Bangladesh had installed CDMs and there were 1648 CDMs in the market, up from 1407 in 2019.
It is worth mentioning that only 30% of CDMs are installed in rural areas.

1.3.9 Status of Plastic card


Currently 53 banks are offering various types of cards including debit, credit and prepaid cards.
The following table shows the current status of card business in Bangladesh. It is clearly seen
that among all categories of cards Private Commercial Banks (PCBs) have the highest number of
cards. However, foreign banks dominate the credit card market of Bangladesh.
Table-5: Status of Plastic Card
Bank Type Credit Cards Debit Cards Prepaid Cards Total
SCBs 8752 509466 24068 542286
SBs 0 7362 0 7362
PCBs 1454952 18535950 386491 20377393
FCBs 136119 325013 121437 582569
Total 1599823 19377791 531996 21509610
Source: Economic Trend, (July, 2020), BB

1.3.10 Core Banking Software (CBS)


Core Banking Software plays a key role in running online banking business. Bank Ultimus
(16%), Temenos T24 (14%), Flexcube and Flora Bank (13% each) are widely used by the
banks in Bangladesh. iStellar, Misys and Ababil are some other popular software used by our
banks (Table-6).
Table-6: List of Banking Software in the Market in 2020
S. No. CBS Types of CBS % of Banks
1 Ababil Local 5.4
2 Bank Ultimus Local 16.1
3 Electronic and Integrated banking System (eIBS) In-House 1.8
4 Electronic Basic Banking System (eBBS) In-House 1.8
5 Finacle Foreign 5.4
6 Flexcube/UBS Foreign 12.5
7 Flora Bank Local 12.5
8 HSBC Universal Banking In-House 1.8
9 Infinity Banking System (Not CBS) Local 1.8
10 Intellect Core Banking System Joint Venture 3.6
11 International Comprehensive Banking System Foreign 1.8
12 iSmart Foreign 1.8
13 iStellar Joint Venture 7.1
14 Kastle Core Banking Solution Foreign 1.8
15 Misys Equation Foreign 5.4
16 Pubali Integrated Banking System (PIBS) In-House 1.8
17 Silverlake Foreign 1.8
18 Temenos T24 Foreign 14.3
19 Winfos Foreign 1.8
20 TCS Banking Solution Foreign 1.61
Source: BIBM Survey

1.4 Current Status of IT Based products and Services of NCC Bank Limited
National Credit and Commerce Bank Limited (NCCBL) bears a unique history of its own. The
organization started its journey in the financial sector of the country as an investment company
back in 1985. The aim of the company was to mobilize resources from within and invest them
in such a way as to develop the country's Industrial and Trade Sector, and to play a catalyst role
in the formation of the capital market as well. Its membership with the bourse helped the company
to a great extent in these regards. The company operated up to 1992 with 16 branches and
thereafter, with the permission of the Central Bank, converted into a full-fledged private
commercial Bank in 1993 with paid-up capital of Tk. 39.00 crore to serve the nation from a
broader platform. Since its inception NCC Bank Ltd. has acquired a commendable reputation by
providing sincere personalized service to its customers in a technology-based environment.
The Bank has set a new standard in financing in the Industrial, Trade and Foreign exchange
business. Its various deposit & credit products have also attracted clients, both corporate
and individual, who feel comfortable doing business with the Bank.

Information technology is one of the highest-priority areas for NCCBL. It has invested more than Tk
100 crore in the development of its ICT infrastructure since its inception. Last year (2021)
the bank invested approximately Tk 13 crore in the development of its ICT. This
consistent investment in IT has taken the bank to a different level. The IT investment report of the
bank shows that it basically invests in the areas of hardware, software, network, information
security and so on.

The bank has a competent and strong IT team headed by a Head of IT (HoIT). Currently, 58
employees are working tirelessly to ensure an uninterrupted ICT infrastructure for the bank.
Most of the IT employees work in branch and zonal IT support. A good number of employees
continuously monitor and update the security system of the bank. IT employees also work
in the head office development team, IT audit, DC/DRS management, ADC system
development and ADC operation, promotion and marketing. As of December 2021, the bank had
1950 CBS terminals, 2022 PCs and 223 servers.

The bank uses a number of Alternative Delivery Channels (ADCs) to serve customers.
Among the various services, Internet Banking, Cards, ATMs, POS, and CRM are notable. The
bank has more than eight thousand internet banking (IB) users. Last year (2021),
approximately Tk 52 crore was transacted by customers using IB facilities. The bank had
57936 debit cards and 21987 credit cards as of December 2021. Altogether, card
users made a transaction volume of approximately Tk 60 crore. It is to be noted that all cards
are chip based. To provide 24/7 banking facilities the bank has 136 ATMs, 74 POS
terminals and 8 Cash Recycler Machines. All the ADCs are doing well in terms of number and
volume of transactions.

NCC Bank uses Flora Bank, which is fully Web based, as its core banking software. The CBS has
been provided by Flora Systems Limited. Other than the CBS, the bank uses more than 40 application
software packages for smooth operation. Among them, Structural Liquidity, Remittance API, Corporate
Payment Portal, LC Transmission SMS to customer, Credit Card Bill Payment Solution,
Document Archiving, Transaction Monitoring, SWIFT Message Processing System, Sanction
Screening etc. are notable.

The bank has a strong database management system for managing data. It is also seen that the
bank has a separate MIS division which helps with report preparation and decision making.
However, the bank did not introduce data mining and data analytics tools for analyzing large
data sets. Data mining and data analytics may help the bank analyze large volumes of data and find
various patterns for decision making.

The Data Centre of NCC Bank is located in the NCCBL Head Office, Motijheel, whereas the
Disaster Recovery Site (DRS) is located in Gulshan-2, Dhaka. The bank has a high-speed
Multiprotocol Label Switching (MPLS) network, clustered servers, virtualized server environments,
precision cooling systems, and central UPS backed by standby generators.

Note: The above information is based on the data up to December 2021

Chapter-2
Fundamentals of Computer System

2.1 Data
Data can be defined as a representation of facts, concepts, or instructions in a formalized
manner, which should be suitable for communication, interpretation, or processing by humans
or electronic machines. Data is represented with the help of characters such as alphabets (A-Z,
a-z), digits (0-9) or special characters (+,-,/,*,<,>,= etc.). When we look at a computer, we see
text and images and shapes. To a computer, all of that is just binary data, 1s and 0s. For
example, the following 1s and 0s represent a tiny GIF.
000101010101101010101010010100001110000111010010101101010
101001001010110101010101010101001010000101010010100001110
000101010101101010010101101010101010101010010100001110000
101101010101010101010010100000001010101011010100101011010
011010101010101001010000111000011101010110101001010110101
000101010101101010010101101010101010101010010100001110000
000101010101101010010101101010101010101010010100001110000
000101010101101010010101101010101010101010010100001110000

2.1.1 Data Representation in Binary Code


Binary code is the code used in digital computers, based on a binary number system in which
there are only two possible states, off and on, usually symbolized by 0 and 1 and called binary
digits (bits). A binary code signal is a series of electrical pulses that represent numbers,
characters, and operations to be performed. The byte is the basic unit of information in computer
storage and processing. A byte consists of 8 adjacent binary digits (bits), each of which is a 0 or
1. The string of bits making up a byte is processed as a unit by a computer; bytes are the smallest
operable units of storage in computer technology. A byte can represent the equivalent of a
single character, such as the letter B (when you press ‘B’ on the keyboard, the computer produces
01000010), a comma, or a percentage sign, or it can represent a number from 0 to 255 (say 5
is equivalent to 0011 0101).

The ASCII (American Standard Code for Information Interchange) character set is an 8-bit
structure that allows 128 different characters. That is enough for every upper-case letter, lower-case
letter, digit and punctuation mark on most keyboards. ASCII is only used for the English
language. Unicode is the new standard for representing the characters of all the languages of the
world. It was introduced to address the shortcomings of ASCII. The latest version of
Unicode contains a repertoire of more than 120,000 characters covering 129 modern and
historic scripts, as well as multiple symbol sets. UTF-16 (Unicode Transformation Format)
uses 16 bits to represent each character. This means that it is capable of representing 65,536
different characters. UTF-32 uses 32 bits to represent each character, meaning it can represent
a character set of 4,294,967,296 possible characters, enough for all known languages.
Unicode uses between 8 and 32 bits per character, so it can represent characters from languages
from all around the world. It is commonly used across the internet. As it is larger than ASCII,
it might take up more storage space when saving documents. Global companies, like Facebook
and Google, would not use the ASCII character set because their users communicate in many
different languages.
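
The bit patterns quoted in Section 2.1.1 and the storage cost of each encoding can be reproduced with the short program below. This is an added example, not part of the original manual; the function names and the Bengali sample word are constructed for illustration. It shows that 01000010 and 0011 0101 are the stored codes of the characters 'B' and '5', and how many bytes the same text occupies in ASCII, UTF-8, UTF-16 and UTF-32.

```python
# The "-be" codec variants are used so that no byte-order mark is added
# and the byte counts reflect the characters alone.
ENCODINGS = ("ascii", "utf-8", "utf-16-be", "utf-32-be")

# Constructed sample: the Bengali word for "bank", written as code points.
BANK_BN = "\u09ac\u09cd\u09af\u09be\u0982\u0995"


def char_bits(ch, encoding="ascii"):
    """Bit pattern of one character: one 8-bit group per stored byte."""
    return " ".join(f"{byte:08b}" for byte in ch.encode(encoding))


def decode_bits(bits, encoding="ascii"):
    """Inverse of char_bits: turn space-separated 8-bit groups back into text."""
    return bytes(int(group, 2) for group in bits.split()).decode(encoding)


def storage_cost(text):
    """Bytes needed to store text in each encoding (None if it cannot be stored)."""
    costs = {}
    for encoding in ENCODINGS:
        try:
            costs[encoding] = len(text.encode(encoding))
        except UnicodeEncodeError:
            # ASCII has no code for characters outside its 128-entry table.
            costs[encoding] = None
    return costs


if __name__ == "__main__":
    for ch in "B5,%":
        print(repr(ch), char_bits(ch))
    print("U+0995 in UTF-8:", char_bits("\u0995", "utf-8"))
    print("'Bank' :", storage_cost("Bank"))
    print("Bengali:", storage_cost(BANK_BN))
```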

2.2 Information
Information is organized or classified data, which has some meaningful values for the receiver.
Information is the processed data on which decisions and actions are based.
For the decision to be meaningful, the processed data must qualify for the following
characteristics −
• Timely − Information should be available when required.
• Accuracy − Information should be accurate.
• Completeness − Information should be complete.

2.3 Data Processing Cycle


Data processing is the re-structuring or re-ordering of data by people or machines to increase
its usefulness and add value for a particular purpose. Data processing consists of the
following basic steps - input, processing, and output. These three steps constitute the data
processing cycle.
Figure: Data Processing Cycle

Input → Processing → Output

• Input − In this step, the input data is prepared in some convenient form for processing.
The form will depend on the processing machine. For example, when you create an account
and do transactions, you give input to the computer.
• Processing − In this step, the input data is processed to produce data in a more useful form.
For example, a balance sheet can be made (calculated) from the transaction data.
• Output − At this stage, the result of the preceding processing step is collected. The
particular form of the output data depends on the use of the data. For example, output data
may be the printed balance sheet for the current year.

2.4 Data Processing Device: Computer


Today’s world is an information-rich world and it has become a necessity for everyone to know
about computers. A computer is an advanced electronic device that takes raw data as input
from the user, processes it under the control of a set of instructions (called a program),
produces a result (output), and saves it for future use. All types of computers follow the same
basic logical structure and perform the following five basic operations for converting raw input
data into information.

| Sl. No. | Operation | Description |
|---|---|---|
| 1 | Take Input | The process of entering data and instructions into the computer system. |
| 2 | Store Data | Saving data and instructions so that they are available for processing as and when required. |
| 3 | Processing Data | Performing arithmetic, and logical operations on data in order to convert them into useful information. |
| 4 | Output Information | The process of producing useful information or results for the user, such as a printed report or visual display. |
| 5 | Control the workflow | Directs the manner and sequence in which all of the above operations are performed. |

2.5 Computer System
2.5.1 Input Unit
This unit contains devices with the help of which we enter data into the computer. This unit
creates a link between the user and the computer. The input devices translate the information
into a form understandable by the computer. Mouse, keyboard, microphone, scanner, etc. are
the most commonly used input devices.
Figure: Computer System

2.5.2 Central Processing Unit (CPU)


The CPU is considered the brain of the computer. The CPU performs all types of data processing
operations. It stores data, intermediate results, and instructions (program). It controls the
operation of all parts of the computer. The CPU itself has the following three components −
• Control Unit
• Arithmetic Logic Unit (ALU)
• Memory Unit

Control Unit: This unit controls the operations of all parts of the computer but does not carry
out any actual data processing operations. Functions of this unit are −
• It is responsible for controlling the transfer of data and instructions among other units
of a computer.
• It manages and coordinates all the units of the computer.
• It obtains the instructions from the memory, interprets them, and directs the operation
of the computer.
• It communicates with Input/ Output devices for transfer of data or results from storage.
• It does not process or store data.

Arithmetic Logic Unit (ALU): This unit consists of two subsections namely,
• Arithmetic Section: Function of arithmetic section is to perform arithmetic operations
like addition, subtraction, multiplication, and division. All complex operations are done
by making repetitive use of the above operations.
• Logic Section: Function of logic section is to perform logic operations such as
comparing, selecting, matching, and merging of data.

Memory or Storage Unit: This unit can store instructions, data, and intermediate results. This
unit supplies information to other units of the computer when needed. It is also known as
internal storage unit or the main memory or the primary storage or Random Access Memory
(RAM). Its size affects speed, power, and capability. Primary memory and secondary memory
are two types of memories in the computer. Functions of the memory unit are −
• It stores all the data and the instructions required for processing.
• It stores intermediate results of processing.
• It stores the final results of processing before these results are released to an output device.
• All inputs and outputs are transmitted through the main memory.

A memory is just like a human brain. It is used to store data and instructions. Computer memory
is the storage space in the computer, where data is to be processed and instructions required for
processing are stored. The memory is divided into a large number of small parts called cells.
Each location or cell has a unique address. Memory is primarily of three types −
• Cache Memory: Cache memory is a very high-speed memory which can speed up the
CPU. It acts as a buffer between the CPU and the main memory. It is used to hold those
parts of data and program which are most frequently used by the CPU. The parts of data
and programs are transferred from the disk to cache memory by the operating system,
from where the CPU can access them.
[Figure: CPU ↔ Cache Memory ↔ Primary Memory (RAM) ↔ Secondary Memory (Hard Disk)]

• Primary Memory (Main Memory): Primary memory holds only those data and
instructions on which the computer is currently working. It has a limited capacity and
data is lost when power is switched off. These memories are not as fast as cache. The
data and instructions required to be processed reside in the main memory. It is divided
into two subcategories, RAM and ROM.

RAM (Random Access Memory) is the internal memory of the CPU for storing data,
programs, and program results. It is a read/write memory which stores data as long as the
machine is working. Access time in RAM is independent of the address, that is, each storage
location inside the memory is as easy to reach as other locations and takes the same amount
of time. Data in the RAM can be accessed randomly.

RAM is volatile, i.e. data stored in it is lost when we switch off the computer or if there is
a power failure. Hence, a backup Uninterruptible Power System (UPS) is often used with
computers. RAM is small, both in terms of its physical size and in the amount of data it
can hold. RAM is of two types − Static RAM (SRAM) and Dynamic RAM (DRAM)

ROM (Read Only Memory) is memory from which we can only read but to which we cannot
write (nowadays, in special cases, some ROMs are writable). This type of memory is
non-volatile. The information is stored permanently in such memories during manufacture.
A ROM stores the instructions that are required to start a computer. This operation is
referred to as bootstrap. ROM chips are used not only in computers but also in other
electronic items like washing machines and microwave ovens.

• Secondary Memory: This type of memory is also known as external memory or non-
volatile memory. It is slower than the main memory. It is used for storing data/information
permanently. The CPU does not access these memories directly. The contents of secondary
memories are first transferred to the main memory (RAM), and then the CPU can access
them. Examples are hard disk, CD-ROM, DVD, etc.

When talking about data storage, we often measure whole system storage capacity in
terabytes, but most individual files take up megabytes or gigabytes for large files. Because
a byte contains so little information, the processing and storage capacities of computer
hardware are usually given in gigabytes (GB; one billion bytes) and terabytes (TB; one
trillion bytes). Because the byte has its roots in binary digits, originally one kilobyte is not
1,000 bytes but 1,024 bytes (as 1,024 = 2^10).
1 Terabyte = 2^10 Gigabytes = 1024 Gigabytes
1 Gigabyte = 2^10 Megabytes = 1024 Megabytes
1 Megabyte = 2^10 Kilobytes = 1024 Kilobytes
1 Kilobyte = 2^10 Bytes = 1024 Bytes
So how many bytes can be stored in a 6 terabyte Hard Disk?
6 Terabyte = 6 × 1024 Gigabytes
= 6 × 1024 × 1024 Megabytes
= 6 × 1024 × 1024 × 1024 Kilobytes
= 6 × 1024 × 1024 × 1024 × 1024 Bytes
= 6597069766656 Bytes

In terms of ASCII characters (8-bit structure), 6597069766656 letters or symbols such as ‘A’
or ‘$’ can be stored (!)
Again, 6 Terabyte = 6 × 1024 × 1024 × 1024 × 1024 × 8 Bits
= 52776558133248 Bits
We can store 52776558133248 binary signals (‘0’s or ‘1’s).

2.5.3 Output Unit


The output unit consists of devices with the help of which we get the information from the
computer. This unit is a link between the computer and the users. Output devices translate the
computer's output into a form understandable by the users. Monitor, Printer, Speaker, etc. are
common output devices.

2.6 Computer Speed


In general, speed is the overall time something takes to complete. For example, if a computer
is fast, it opens a program in less than a few seconds, depending on the size of the program.
Many fast computers can open smaller programs in less than a second. However, if a computer
is slow, it can take several seconds or maybe even a minute or more to open a big program.
There are several factors that contribute to the overall speed of a computer. These factors
include the processor, cache, memory, bus, hard drive, video card, operating system,
and software.

The performance of your CPU - the “brain” of your PC - has a major impact on the speed at
which programs load and how smoothly they run. However, there are a few different ways to
measure processor performance. Clock speed (also “clock rate” or “frequency”) is one of the
most significant.

In general, a higher clock speed means a faster CPU. Your CPU processes many instructions
(low-level calculations like arithmetic) from different programs every second. The clock speed
measures the number of cycles your CPU executes per second, measured in GHz (gigahertz).
A “cycle” is technically a pulse synchronized by an internal oscillator, but for our purposes,
cycles are a basic unit that helps understand a CPU’s speed. During each cycle, billions of
transistors within the processor open and close. A CPU with a clock speed of 3.2 GHz executes
3.2 billion cycles per second. (Older CPUs had speeds measured in megahertz, or millions of
cycles per second.)

Processor cores are individual processing units within the computer’s central processing unit
(CPU). The processor core receives instructions from a single computing task, working with
the clock speed to quickly process this information and temporarily store it in the Random
Access Memory (RAM). Permanent information is saved to your hard drive when you request
it.

Most computers now have multiple processor cores that enable your computer to complete
multiple tasks at once. Having the ability to run numerous programs and request multiple tasks
like making edits to a document, while watching a video, while opening a new program, is
made possible with multiple processor core units.

For complex video games or programs, it is essential to have a CPU that can keep up with
information like the audio and video feed being distributed rapidly. In a digital age where we’re
all expert multi-taskers, processor cores have become increasingly important to computer users.
Having multiple processor cores gives you the freedom to increase productivity at work, play
complex video games, or explore a new world with virtual reality.

Nowadays, processors such as the Intel® Core™ i9-12900 are available in the market, with 16
cores, 30M cache and up to 5.10 GHz clock speed (5.1 billion cycles per second).

2.7 Computer Programs
The 21st-century world runs on computers. And computers run on programs. Computer
programs communicate information to computing devices. Computers then carry out tasks
based on the program instructions. Simple programs tell computers to run calculations, while
complex programs can run a bank, analyze big data, or drive a car.
Figure: A High-Level Computer Program

Programming, also known as coding, refers to the process of writing instructions for computing
devices and systems. A computer program translates those instructions into a language that
computers can understand. Computer programmers use many different languages to command
computers. Popular programming languages include R, Python, JavaScript, Java, and the C-
languages (C, C++, C#).

Computer programmers created every application that computers run - from photo editing
software to word processors and web browsers. Programming languages unlock the power of
computing systems. And without computer programming, our computing devices would not
function. Programming languages also manage the hidden side of computing. Programs pull
information from databases, implement security procedures to protect private data, and operate
memory backup systems. Computer programmers write code in languages like Java, Python,
and C++. Depending on their focus area - web development, mobile application development,
software engineering, and so on - they use different languages.

A computer program is a list of instructions that enable a computer to perform a specific task.
Computer programs can be written in high- and low-level languages, depending on the task
and the hardware being used.

2.7.1 High Level Languages
When we think about computer programmers, we are probably thinking about people who write
in high-level programming languages. High level languages are written in a form that is close
to our human language, enabling the programmer to just focus on the problem being solved. No
particular knowledge of the hardware is needed, as high level languages create programs that
are portable and not tied to a particular computer or microchip. These programmer-friendly
languages are called ‘high level’ as they are far removed from the machine code instructions
understood by the computer. Examples include: C++, Java, Pascal, Python, Visual Basic, etc.

2.7.2 Low Level Languages


Low level languages are used to write programs that relate to the specific architecture and
hardware of a particular type of computer. They are closer to the native language of a computer
(binary 0 and 1), making them harder for programmers to understand. Examples of low-level
languages are Assembly Language and Machine Code.

Assembly Language: Few programmers write programs in low level assembly language, but
it is still used for developing code for specialist hardware, such as device drivers. It is easily
distinguishable from a high-level language as it contains few recognizable human words but
plenty of mnemonic code. Assembly language is one level above machine language. It uses
short mnemonic codes for instructions and allows the programmer to introduce names for
blocks of memory that hold data. One might thus write “add 5, 2” instead of
“0110101100101000” for an instruction that adds two numbers. Assembly language is
designed to be easily translated into machine language. Like machine language, assembly
language requires detailed knowledge of a particular internal computer architecture. It is useful
when such details are important, as in programming a computer to interact with input/output
devices (printers, scanners, storage devices, and so forth).

Machine Code: Programmers rarely write in machine code (binary) as it is difficult to
understand. Machine language consists of the numeric codes for the operations that a
particular computer can execute directly. The codes are strings of 0s and 1s, or binary
digits (bits). Machine language instructions typically use some bits to represent operations,
such as addition, and some to represent operands, or perhaps the location of the next instruction.
Machine language is difficult to read and write, since it does not resemble conventional
mathematical notation or human language.

Figure: Communication Hierarchy between User and Hardware

2.7.3 Compilers and Interpreters


Compilers and interpreters are programs that help convert high-level language (source
code) into machine code that computers can understand. Computer programs are usually
written in high-level languages. A high-level language is one that can be understood by
humans: it contains words and phrases from languages in common use, such as English.
However, computers cannot understand high-level languages as we humans do. They can
only understand programs in binary form, known as machine code. A computer program is
therefore usually written in a high-level language, and this text is called the source code.
The source code must be converted into machine language, and this is the role of
compilers and interpreters.
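
The split between operation bits and operand bits described under Machine Code, and the translation from readable mnemonics to binary that assemblers and compilers perform, shown as an added example that is not part of the manual. The 16-bit instruction layout, the opcode values and the function names are assumptions made for illustration and do not correspond to any real processor.

```python
# Added example: a toy 16-bit instruction format (hypothetical, not a real CPU).
# Layout of one machine word:  [4 opcode bits][6 bits operand A][6 bits operand B]
OPCODES = {"set": 0b0001, "add": 0b0010, "sub": 0b0011, "halt": 0b1111}
MNEMONICS = {code: name for name, code in OPCODES.items()}
FIELD_MAX = 0b111111  # largest value a 6-bit operand field can hold (63)


def assemble_line(line):
    """Translate one line of assembly, e.g. 'add 5, 2', into a 16-bit integer."""
    code = line.split(";", 1)[0].strip()          # drop ';' comments
    mnemonic, _, rest = code.partition(" ")
    if mnemonic not in OPCODES:
        raise ValueError(f"unknown mnemonic in line: {line!r}")
    operands = [int(tok) for tok in rest.replace(",", " ").split()]
    if len(operands) > 2 or any(not 0 <= v <= FIELD_MAX for v in operands):
        raise ValueError(f"need at most two operands in 0..{FIELD_MAX}: {line!r}")
    a, b = (operands + [0, 0])[:2]                # unused fields are encoded as 0
    return (OPCODES[mnemonic] << 12) | (a << 6) | b


def assemble(source):
    """Assemble a multi-line program, skipping blank and comment-only lines."""
    words = []
    for line in source.splitlines():
        if line.split(";", 1)[0].strip():
            words.append(assemble_line(line))
    return words


def to_bits(word):
    """Show a machine word the way the hardware sees it: sixteen 0s and 1s."""
    return format(word, "016b")


def decode(word):
    """Split a machine word back into (mnemonic, operand A, operand B)."""
    opcode = word >> 12
    if opcode not in MNEMONICS:
        raise ValueError(f"illegal opcode {opcode:04b} in word {to_bits(word)}")
    return MNEMONICS[opcode], (word >> 6) & FIELD_MAX, word & FIELD_MAX


def run(words, cells=64):
    """Execute machine words on a toy machine with `cells` numbered memory cells."""
    memory = [0] * cells
    for word in words:
        op, a, b = decode(word)
        if op == "halt":
            break
        if op == "set":        # set a, b : store the constant b in cell a
            memory[a] = b
        elif op == "add":      # add a, b : cell a = cell a + cell b
            memory[a] += memory[b]
        elif op == "sub":      # sub a, b : cell a = cell a - cell b
            memory[a] -= memory[b]
    return memory


# Constructed sample program: closing balance = opening + deposit - withdrawal.
PROGRAM = """
set 0, 50    ; cell 0 = opening balance
set 1, 20    ; cell 1 = deposit
set 2, 7     ; cell 2 = withdrawal
add 0, 1     ; cell 0 = cell 0 + cell 1
sub 0, 2     ; cell 0 = cell 0 - cell 2
halt
"""

if __name__ == "__main__":
    machine_code = assemble(PROGRAM)
    for word in machine_code:
        print(to_bits(word), decode(word))
    print("closing balance in cell 0:", run(machine_code)[0])
```

In this toy format, `add 5, 2` means "add the contents of cell 2 to cell 5"; the same mnemonic would encode to different bits on every real processor family, which is why low-level programs are not portable.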

2.8 Computer Hardware


Hardware represents the physical and tangible components of a computer, i.e. the components
that can be seen and touched. Examples of Hardware are the following −
• Input devices − Keyboard, Mouse, Joy Stick, Light pen, Track Ball, Scanner, Graphic
Touch Screen Tablet, Microphone, Magnetic Ink Card Reader (MICR), Optical Character
Reader (OCR), Bar Code Reader, Optical Mark Reader (OMR), etc.
• Output devices − Monitors, Graphic Plotter, Printer, Projector, Speaker, etc.
• Input-Output devices − Pen Drive, DVD, Hard Disk, Touch Screen, Router, Modem, etc.
• Secondary Storage Devices − Hard Disk, CD, DVD, Pen Drive, Magnetic Tape, etc.
• Internal Components − CPU, Motherboard, RAM, Graphics Card, Network Card, WiFi
Connector, etc.

Figure: Computer Devices

Motherboard: The motherboard serves as a single platform to connect all of the parts of a
computer together. It connects the CPU, memory, hard drives, optical drives, video card, sound
card, and other ports and expansion cards directly or via cables. It can be considered as the
backbone of a computer.
Port: A port is a physical docking point through which an external device can be connected to
the computer. It can also be a programmatic docking point through which information flows
from a program to the computer or over the Internet. USB, PS/2 and LPT are common examples.

A Standard Specification of a PC

| Component | Specification |
|---|---|
| Processor (CPU) | 10th or 11th Gen Intel Core i5, i7 or i9 Processor, or Apple M1 Processor |
| Operating System | Microsoft Windows Pro or Enterprise version |
| Office Suite | Microsoft Office 365 for Windows |
| Memory (RAM) | 8-16 GB of RAM |
| Storage | 240 GB solid state drive, or larger. |
| Video/Graphics | Integrated or Discrete graphics processor capable of 1440 X 900 resolution, or better (1920 X 1080 or 1200 ideal). |
| Monitor | 19″ – 27″ widescreen flat-panel display |
| Mouse | Built-in or external trackpad, wireless and/or USB, 2-button, optical mouse |
| Sound | Sound card or built-in audio, and speakers |
| Headphones | Headphones or Earbuds, with Built-in Microphone |
| Webcam | Either external USB device or built-in |
| Network | 802.11ac Wi-Fi capability. |
| Warranty | 3 years warranty. |

2.9 Software
Software is a set of programs, which is designed to perform a well-defined function. A program
is a sequence of instructions written to solve a particular problem. There are three types of
software −
• System Software
• Application Software
• Utility Software
2.9.1 System Software
The system software is a collection of programs designed to operate, control, and extend the
processing capabilities of the computer itself. System software is generally prepared by the
computer manufacturers. These software products comprise programs written in low-level
languages, which interact with the hardware at a very basic level. System software serves as
the interface between the hardware and the end users. Some examples of system software are
Operating System (Windows, Linux, Unix, etc.), Compilers, Interpreter, Assemblers, etc. The
Operating System is a program with the following features −
• An operating system is a program that acts as an interface between the software and
the computer hardware.
• It is an integrated set of specialized programs used to manage overall resources and
operations of the computer.
• It is a specialized software that controls and monitors the execution of all other
programs that reside in the computer, including application programs and other system
software.

2.9.2 Application Software


Application software products are designed to satisfy a particular need of a particular
environment. Application software may consist of a single program, such as Microsoft's
notepad for writing and editing a simple text. It may also consist of a collection of programs,
often called a software package, which work together to accomplish a task, such as a
spreadsheet package. Examples of Application software are Banking Software, Payroll
Software, Inventory Management Software, Microsoft Office Suite Software (Word, Excel,
PowerPoint, etc.), Adobe Photoshop, Internet Explorer, etc.

2.9.3 Utility Software
Utility software is software that helps to maintain the proper and smooth functioning of
a computer system. It assists the Operating System to manage, organize, maintain, and
optimize the functioning of the computer system. Utility software performs certain tasks like
virus detection, installation and uninstallation, data backup, deletion of unwanted files,
etc. Some examples are antivirus software, file management tools, compression tools, disk
management tools, etc.
Antivirus: A virus is malicious software that enters the system along with a host program.
It multiplies with time and makes several copies of itself, which in turn slows down and
corrupts the system. An antivirus is utility software that helps to keep the computer virus-
free. It notifies the user when any malicious file is detected and removes such files. In
addition, it scans any new device attached to the computer and removes any virus it
finds. It also scans the system from time to time for any threats and disposes of
them. Examples of antivirus are McAfee Antivirus, Quickheal Antivirus, Windows Defender,
etc.
File Management System: This utility software is used to manage the files of the computer
system. Files are an important part of the system, as all the data is stored in them.
Therefore, this utility software helps to browse, search, arrange, find information, and quickly
preview the files of the system. Windows Explorer is a default file management tool present in
the system. Some other examples of file management tools are Google Desktop, Double
Commander, Directory Opus, etc.
Compression Tools: Storage space is an important part of a computer, and it is very important
to maintain it. Therefore, we use certain utility software, called compression tools, to
compress big files and decrease their size. The format of the files changes while
compressing and we cannot access or edit them directly. However, we can easily decompress
the file and get the original file back. Examples of compression tools are WinZip, WinRAR,
WinAce, PeaZip, 7-Zip, etc.
Disk Management Tools: This utility software is used to manage data on disks. It
performs functions like partitioning devices, managing drives, etc. Examples of disk
management tools are MiniTool Partition Wizard, Paragon Partition Manager, etc.
Disk Cleanup Tool: This utility software helps to free up the disk space. In addition, the files
which are no longer in use are removed from the disk. Examples are Razer Cortex, Piriform
CCleaner, etc.

Disk Defragmenter: This utility software helps to reduce fragmentation and hence
reduces the access time. Defragmenting refers to rearranging files and storing them in
contiguous memory locations. Moreover, it saves time in reading from files and writing files to
disk. Examples of disk defragmenters are PerfectDisk, Defraggler, Microsoft Disk
Defragmenter, etc.
Backup Utility: This utility software helps to back up the files, folders, databases, or complete
disks. Moreover, backup refers to duplicating the disk information so that the data can be
restored if any data loss happens.

Advantages of Utility Software


The advantages are as follows:
• Enhances performance.
• Manages space.
• Manages files and data.
• Helps to customize interface and desktop.
• Helps to remove useless files.
• Keeps the system safe and secure.
• Helps to recover files after a loss.

2.10 Relationship between Hardware and Software


• Hardware and software are mutually dependent on each other. Both of them must work
together to make a computer produce a useful output.
• Software cannot be utilized without supporting hardware.
• Hardware without a set of programs to operate upon cannot be utilized and is useless.
• To get a particular job done on the computer, relevant software should be loaded into the
hardware.
• Hardware is a one-time expense.
• Software development is very expensive and is a continuing expense.
• Different software applications can be loaded on a hardware to run different jobs.
• A software acts as an interface between the user and the hardware.
• If the hardware is the 'body' of a computer system, then the software is its 'soul'. Both are
complementary to each other.

2.11 Maintenance of Computer System
Computers last five to eight years when maintained properly, but that lifespan can erode
quickly if a user doesn’t take steps to protect the hardware. This is why computer maintenance
is so important. Computer maintenance means keeping your computers and laptops in good
condition through regular cleanings, hard drive updates, and virus prevention. Doing so can
lengthen the lifespan of your devices and it can also help to run your bank more safely.
The following are computer maintenance steps to take daily, weekly, monthly, and quarterly
to keep your device up and running.

Cleaning your computer regularly can help extend its shelf life, saving you time and money
on repairs and replacements. Remember that computers are especially prone to dust
and overheating, so these steps can help reduce risk and keep your computer running optimally.
• Dust your keyboard using compressed air: Dusting your keyboard off at least once a
week can help maintain it (and reduce health risks). Wipe down your keyboard with a damp
lint-free cloth, but be sure not to soak it in water. For harder to reach areas such as in
between the keyboard keys, use a compressed air canister.
• Wipe down your monitor: Fingerprints and other stains can appear regularly on your
monitor. In order to keep your screen view fresh and clean, wipe down your monitor once
a week using a dry lint-free cloth. Gently wipe in long motions as pressing too hard can
damage your device. Oftentimes, your computer will come with a microfiber cleaning cloth
upon purchase. Use this cloth or order a similar one for optimal cleaning.

Get Rid of Your Mouse’s Dust and Particles


• Mechanical Mouse: Like your keyboard, your mouse needs to be dusted regularly to work
properly. To do this, unplug your mouse and turn it upside down. From there, you’ll want
to remove the bottom panel and clean the ball with a lint-free cloth. You can add
rubbing alcohol to the cloth for a deeper clean. Let the ball dry before reassembling the
mouse.
• Optical Mouse: Disconnect the optical mouse from your PC. The cleaning process requires
turning the mouse over; viewing the underside of an operational optical mouse may be
injurious to the eyes. Turn over the disconnected mouse. Use a toothpick to remove dust
and particles from the mouse pads. Excessive debris buildup in these areas can make the
mouse's movements very stiff, so to keep your mouse gliding smoothly, be very thorough
when performing this step. Remove accumulated lint and debris from the front and sides of
the mouse. Lightly dampen a cotton ball and carefully dab these areas until completely
clean. Pat dry your freshly cleaned mouse with a dry cotton ball. Once the mouse is dry,
you can reattach it to your computer.

Clean Your System Thoroughly


Every three to six months you should do a thorough cleaning of your entire hardware system.
You can do this in a number of ways, including with a computer vacuum. You’ll want to save
and close any active files before you unplug your device to begin cleaning. From there, you
can open the casing by removing the screws. Don’t vacuum the inside of the computer. Instead,
use the compressed air canister from step #1 on the inside to avoid damage. If you have a
laptop, disassembly will be different than with a traditional computer. Make sure to follow the
instructions that came with your device before you begin taking it apart.

Power Down or Reboot Your Device Regularly


While powering down your device every night isn’t a requirement with new computers,
rebooting regularly does help refresh your system resources. If you’re working off an older
computer, you should power down your device properly every night to avoid overheating. If
your device is newer, consider rebooting it once a day instead and turning it to sleep mode
when it’s not in use.

Defragment the Hard Drive


The disk is the weakest link when it comes to computer performance. This is why defragging
your hard drive once a month is so important. Defragging is the process of reorganizing the
data on your hard drive to speed up file access. It breaks up a file into smaller bits on your
device. While every computer is different, you can usually find Defragment functions under
the System and Security tab in the Control Panel.

Backup Data
At least once a week you should back up your drive. If you’re working on an important project,
you can do this daily to ensure your files are securely stored. Backing up your data
saves important files in the event of a hard drive failure or system crash.
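
A backup is only useful if the copy can be trusted at restore time. One way to check this, shown as an added example that is not part of the manual or any bank's procedure, is to record a SHA-256 digest of every original file and compare the backup against that record; the function names and sample files are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def back_up(source_dir, backup_dir):
    """Copy every file under source_dir; return {relative path: SHA-256 of original}."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        relative = src.relative_to(source_dir)
        dst = backup_dir / relative
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)                     # copy2 also keeps timestamps
        manifest[relative.as_posix()] = sha256_of(src)
    return manifest


def verify_backup(backup_dir, manifest):
    """Return a sorted list of problems: files that are missing or whose content changed."""
    backup_dir = Path(backup_dir)
    problems = []
    for relative, expected in manifest.items():
        copy = backup_dir / relative
        if not copy.is_file():
            problems.append(f"missing: {relative}")
        elif sha256_of(copy) != expected:
            problems.append(f"corrupted: {relative}")
    return sorted(problems)


def demo():
    """Back up constructed sample files, then damage the backup to show detection."""
    with tempfile.TemporaryDirectory() as work:
        source, backup = Path(work, "documents"), Path(work, "backup")
        (source / "reports").mkdir(parents=True)
        (source / "ledger.csv").write_text("date,amount\n2022-02-28,1500\n")
        (source / "reports" / "summary.txt").write_text("Quarterly summary\n")

        manifest = back_up(source, backup)
        clean = verify_backup(backup, manifest)    # fresh copy: no problems expected

        # Simulate a silently altered file and a lost file in the backup.
        (backup / "ledger.csv").write_text("date,amount\n2022-02-28,9500\n")
        (backup / "reports" / "summary.txt").unlink()
        damaged = verify_backup(backup, manifest)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest should be kept somewhere other than the backup medium itself, so that damage to the backup cannot also damage the record it is checked against.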

Configure Your Startup


You should periodically check in on the applications that automatically run at start-up.
These applications can slow down your computer. From the Settings tab, you should be able to
navigate to the Startup to control which applications run.

Run Disk Cleanup
You can free up disk space on your hard drive by running a disk cleanup. This will clean
out temporary files and extra language files as well as delete big attachments and more.

Install Major Computer Updates


To keep your applications running safely and efficiently you should check for major
computer updates at least once a month. These updates can be critical for long-term health
because they patch up critical security holes and remove unnecessary features. You may also
be able to adjust your settings so updates happen automatically.

Update Antivirus Software


Whenever an antivirus software update is available, you should run it that day to remove
malware. These updates introduce new software features or make improvements on current
ones. Generally, you can set your system up for automatic updates, but if you ever receive a
notification from your current antivirus software, you should complete the update as soon
as possible.

Change Your Passwords Regularly


One of the easiest ways for hackers to gain access to your device is through a cyberattack where
they steal your login credentials. Upon gaining access to your device, they can access sensitive
information such as spam emails, banking information, and more. While experts used
to recommend changing passwords every month, this frequency was causing new risks and
inconveniences for users. Updating your password four times a year helps keep you more
secure without much hassle.

Delete Unused Programs


Get more memory space by removing unnecessary programs from your device. If you filter
your programs by size, you can see which ones take up the most memory and decide from there
what you can remove.

Clear Out Recycling Bin


When you or another user deletes a file, it goes to the Recycling Bin. This gives you one last
chance to salvage a file you’ve removed, but it can also clog up space on your hard drive if you
don’t clear it out regularly. Once a month you should check the Recycling Bin for any files that
may have accidentally been deleted and clear out the rest.

Avoid Overheating Your Device
Set up your computer in an area of your office or home that gets good airflow, with sufficient
empty space on either side. Giving your machine room to breathe helps prevent overheating,
which extends the life of your device. Stacks of paper and other items being placed on your
computer can also make it overheat, so keep your desk area organized and free of clutter.

Keep Your Cords Organized


Cable clutter can collect dust and become easily damaged. Cable stations and other
cord organizers can help organize your area. It will also save you time and stress next time you
go to unplug your computer.

Don’t Overcharge Your Device


If you’re working off a laptop, it can be tempting to charge the battery all night. While doing
so won’t damage the device, one of the best ways to maintain the battery over an extended
period of time is to unplug it once it reaches 100%. You should also remove the battery
altogether if you won’t be using the device for a month or more to help extend its shelf life.

Avoid Spam While Browsing


If a weird email shows up in your inbox or an unexpected popup appears while browsing, resist
the urge to open it. Malware scams can greatly damage your device and put your files and privacy
at risk.

Just like an automobile, your computer needs to be regularly maintained to run properly. Doing
regular computer maintenance can greatly extend the lifespan of the device and may keep you
safer while browsing online. By completing just a few simple steps, you’ll get a faster
and healthier operating system to work on.

Note: Remember that every bank has its own ICT management and security guidelines. Follow the
instructions of your bank before taking any action regarding maintenance of a computer system.

2.11 Generation of Computer
In computer terminology, a generation is a change in the technology that computers use or used.
Initially, the term was used to distinguish between varying hardware technologies.
Nowadays, generation includes both hardware and software, which together make up an entire
computer system. Five computer generations are known to date. The following table gives the
normally accepted approximate dates for each generation.
Generations of computers at a glance:
Generation | Period and Description
First Generation | 1946-1959. Vacuum tube based.
Second Generation | 1959-1965. Transistor based.
Third Generation | 1965-1971. Integrated Circuit based.
Fourth Generation | 1971-1980. VLSI microprocessor based.
Fifth Generation | 1980-onwards. ULSI microprocessor based.

2.12 Classification of Computer


Computers can be broadly classified by their speed and computing power.
Sl. No. | Type | Specifications
1 | PC (Personal Computer) | It is a single-user computer system with a moderately powerful microprocessor.
2 | Workstation | It is also a single-user computer system, similar to a personal computer but with a more powerful microprocessor. In a client-server architecture this type of computer is called a workstation.
3 | Mini Computer | It is a multi-user computer system, capable of supporting hundreds of users simultaneously.
4 | Main Frame | It is a multi-user computer system, capable of supporting hundreds of users simultaneously. Its software technology is different from that of a minicomputer.
5 | Supercomputer | It is an extremely fast computer, which can execute hundreds of millions of instructions per second.

2.12.1 Personal Computer (PC)
A PC can be defined as a small, relatively inexpensive computer designed for an individual
user. PCs are based on the microprocessor technology that enables manufacturers to put an
entire CPU on one chip. Businesses use personal computers for word processing, accounting,
desktop publishing, and for running spreadsheet and database management applications. At
home, the most popular use for personal computers is playing games and surfing the Internet.
Although personal computers are designed as single-user systems, these systems are normally
linked together to form a network. In terms of power, nowadays high-end models of the
Macintosh and PC offer the same computing power and graphics capability as low-end
workstations by Sun Microsystems, Hewlett-Packard, and Dell.

Figure: Personal Computer and Workstation

2.12.2 Workstation
A workstation is a computer used for engineering applications (CAD/CAM), desktop
publishing, software development, and other such types of applications which require a
moderate amount of computing power and relatively high-quality graphics capabilities.
Workstations generally come with a large, high-resolution graphics screen, a large amount of
RAM, inbuilt network support, and a graphical user interface. Most workstations also have
a mass storage device such as a disk drive, but a special type of workstation, called a diskless
workstation, comes without a disk drive. Common operating systems for workstations are
UNIX and Windows NT. Like PCs, workstations are single-user computers but are
typically linked together to form a local-area network, although they can also be used as
stand-alone systems.

2.12.3 Minicomputer
A minicomputer was a computer that was smaller, less expensive, and less powerful than
a mainframe or supercomputer but more expensive and more powerful than a personal
computer. Minicomputers were used for scientific and engineering computations, business
transaction processing, file handling, and database management. Minicomputers as a distinct
class of computers emerged in the late 1950s and reached their peak in the 1960s and ’70s
before declining in popularity in the 1980s and ’90s. Their niche was filled by more powerful
personal computers, workstations, and small or midsize servers. Nowadays, though rarely
used, a minicomputer is a midsize multi-processing system capable of supporting up to 250 users
simultaneously.

Figure: Minicomputer, Mainframe and Supercomputer

2.12.4 Mainframe
A mainframe is a very large and expensive computer capable of supporting hundreds
or even thousands of users simultaneously. A mainframe executes many programs concurrently
and supports many simultaneous executions of programs. A mainframe computer is like a big
centralized machine that contains large memory, huge storage space, and multiple high-grade
processors, so it has ultra-high processing power compared to standard computer systems.
The importance of mainframe computer systems is therefore increasing for large-scale organizations,
scientific research, consumer statistics, and census data, because a mainframe can execute
multiple complex programs concurrently at very high speed. Today, the most eminent vendors of
mainframe computers are IBM, Hitachi, Amdahl, and Unisys.

2.12.5 Supercomputer
Supercomputers are among the fastest computers currently available. Supercomputers are very
expensive and are employed for specialized applications that require immense amounts of
mathematical calculation (number crunching). Examples include weather forecasting, scientific
simulations, (animated) graphics, fluid dynamic calculations, nuclear energy research,
electronic design, and analysis of geological data (e.g. in petrochemical prospecting). As the
cost of supercomputing declined in the 1990s, more businesses began to use supercomputers
for market research and other business-related models.

Sample Questions
1. Describe how a computer represents data.
2. What is the difference between data and information? Discuss the data processing cycle
with an example.
3. Discuss different types of memory with examples.
4. What is a CPU? What is the role of the CPU in a computer system?
5. Write a standard specification for buying a PC to use as a banking terminal.
6. Distinguish among high-, low- and mid-level languages with examples.
7. Classify different types of software with examples.
8. How will you take care of your PC so that it can last long?

Chapter-3
Fundamentals of Data Communication and Computer Network

3.1 Introduction
Data communication is defined as the exchange of data between two devices via some form of
transmission medium, such as a cable or wire, or through air or vacuum. For data communication
to occur, the communicating devices must be part of a communication system made up of
a combination of hardware or software devices and programs. Computer networks are essential
to modern organizations for many reasons. First, networked computer systems enable
organizations to become more flexible so that they can adapt to rapidly changing business
conditions. Second, networks allow companies to share hardware, computer applications, and
data across the organization and among different organizations. Third, networks make it
possible for geographically dispersed employees and workgroups to share documents, ideas,
and creative insights. This sharing encourages teamwork, innovation, and more efficient and
effective interactions. In addition, networks are a critical link between businesses, their
business partners, and their customers.

3.2 Data Communication System Components


A data communication system has five main components: Message,
Sender, Receiver, Transmission Medium, and Set of Rules (Protocol). These elements
are described below:

Figure – Components of Data Communication System

Message: This is the most useful asset of a data communication system. The message simply
refers to the data or piece of information which is to be communicated. A message can be in any
form; it may be a text file, an audio file, a video file, etc.

Sender: To transfer a message from source to destination, some device must play the
role of the source. The sender plays the part of the source in a data communication system. It is simply a
device that sends the data message. The device could be a computer, mobile, telephone,
laptop, video camera, or a workstation, etc.

Receiver: It is the destination where the message sent by the source finally arrives. It is a device that
receives the message. Like the sender, the receiver can also be a computer, telephone,
mobile, workstation, etc.

Transmission Medium: In the entire process of data communication, there must be something
that acts as a bridge between sender and receiver; the transmission medium plays that part.
It is the physical path by which data or a message travels from sender to receiver. A transmission
medium can be guided (with wires) or unguided (without wires), for example, twisted pair
cable, fiber optic cable, radio waves, microwaves, etc.

Set of Rules (Protocol): To govern data communications, various sets of rules have
already been designed by the designers of the communication systems, which represent a kind of
agreement between communicating devices. These are defined as protocol. In simple terms,
the protocol is a set of rules that govern data communication. If two different devices are
connected but there is no protocol among them, there would not be any kind of communication
between those two devices. Thus, the protocol is necessary for data communication to take
place.

A typical example of a data communication system is sending an e-mail. The user who sends the
email acts as the sender, the message is the data the user wants to send, and the receiver is the one
to whom the user wants to send the message. Many protocols are involved in this entire process; one
of them is the Simple Mail Transfer Protocol (SMTP). SMTP is an internet
standard communication protocol for electronic mail transmission. Both sender and receiver
must have an internet connection, which uses a set of media to send and receive email.
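
The e-mail case above, as an added example that is not part of the original manual: a simplified model of the SMTP dialogue (a small subset of RFC 5321) in which the receiving side accepts commands only in the agreed order. The host names and addresses are constructed sample values, and the class and function names are hypothetical.

```python
"""Simplified model of an SMTP session (small subset of RFC 5321)."""
import re

# Mail path such as <user@host>; deliberately strict for this model.
_PATH = re.compile(r"^\s*<([^<>\s@]+@[^<>\s@]+)>\s*$")


def _parse_path(text):
    match = _PATH.match(text)
    return match.group(1) if match else None


class ToySmtpReceiver:
    """Receiving side: accepts commands only in the order the protocol defines."""

    def __init__(self, hostname="mail.receiver.example"):  # constructed host name
        self.hostname = hostname
        self.state = "START"  # START -> GREETED -> MAIL -> RCPT -> DATA -> GREETED
        self.delivered = []   # accepted messages: (sender, recipients, text)
        self._reset("START")

    def _reset(self, state):
        self.state, self.sender, self.recipients, self.body = state, None, [], []

    def greeting(self):
        return f"220 {self.hostname} ready"

    def handle(self, line):
        """Process one line; return the reply, or None while message data is read."""
        if self.state == "DATA":
            if line == ".":  # a lone dot marks the end of the message
                self.delivered.append((self.sender, self.recipients, "\n".join(self.body)))
                self._reset("GREETED")
                return "250 OK: message accepted"
            # Undo dot-stuffing: the sender doubles a leading dot so that a body
            # line can never be mistaken for the end-of-message marker.
            self.body.append(line[1:] if line.startswith(".") else line)
            return None
        upper = line.upper()
        if upper.startswith("HELO "):
            self._reset("GREETED")
            return f"250 {self.hostname}"
        if upper == "QUIT":
            return f"221 {self.hostname} closing connection"
        if upper.startswith("MAIL FROM:"):
            return self._envelope(line[10:], allowed=("GREETED",), is_sender=True)
        if upper.startswith("RCPT TO:"):
            return self._envelope(line[8:], allowed=("MAIL", "RCPT"), is_sender=False)
        if upper == "DATA":
            if self.state != "RCPT":
                return "503 Bad sequence of commands"
            self.state = "DATA"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        return "500 Command not recognized"

    def _envelope(self, argument, allowed, is_sender):
        if self.state not in allowed:
            return "503 Bad sequence of commands"
        address = _parse_path(argument)
        if address is None:
            return "501 Syntax error in address"
        if is_sender:
            self.sender, self.state = address, "MAIL"
        else:
            self.recipients.append(address)
            self.state = "RCPT"
        return "250 OK"


def send_mail(receiver, sender_addr, rcpt_addr, text):
    """Sending side: run the dialogue, return the transcript as (side, line) pairs."""
    transcript = [("S", receiver.greeting())]

    def say(line):
        transcript.append(("C", line))
        reply = receiver.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
        return reply

    commands = ["HELO client.sender.example", f"MAIL FROM:<{sender_addr}>",
                f"RCPT TO:<{rcpt_addr}>", "DATA"]
    for command in commands:
        reply = say(command)
        if not reply.startswith(("2", "3")):  # receiver refused: stop politely
            say("QUIT")
            return transcript
    for line in text.split("\n"):
        say("." + line if line.startswith(".") else line)  # dot-stuffing
    say(".")
    say("QUIT")
    return transcript


if __name__ == "__main__":
    rx = ToySmtpReceiver()
    for side, line in send_mail(rx, "teller@branch.example",
                                "ops@headoffice.example", "Daily report\n.end of list"):
        print(f"{side}: {line}")
```

Nothing in this basic dialogue verifies the MAIL FROM address or encrypts the message, which is why real mail systems add STARTTLS and sender authentication (SPF, DKIM, DMARC) on top of it.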

3.3 Data Communication Media and Transmission Speed
The term ‘Data Communication Media’ means the medium of transmitting and receiving
information. To transfer data and information, organizations must ensure the
flow of information, security, and speed of transmission.

3.3.1 Bandwidth: Transmission Speed


The total amount of digital information that can be transmitted through any
telecommunications medium is measured in bits per second (bps). One signal change, or cycle,
is required to transmit one or several bits; therefore, the transmission capacity of each type of
telecommunications medium is a function of its frequency. The number of cycles per second
that can be sent through that medium is measured in hertz - one hertz is equal to one cycle
per second.

The range of frequencies that can be accommodated on a particular telecommunications
channel is called its bandwidth. The bandwidth is the difference between the highest and lowest
frequencies that can be accommodated on a single channel. The greater the range of
frequencies, the greater the bandwidth and the greater the channel’s transmission capacity.

3.3.2 Transmission Media


Networks use different kinds of physical transmission media, including twisted pair wire,
coaxial cable, fiber optic cable, and media for wireless transmission. Each has advantages and
limitations. A wide range of speeds is possible for any given medium, depending on the
software and hardware configuration. The following section covers various types of
transmission media.

Twisted Pair: The most prevalent form of communications wiring - twisted-pair wire - is used
for almost all business telephone wiring. As the name suggests, it consists of strands of copper
wire twisted in pairs. Twisted-pair wire is
relatively inexpensive to purchase, widely
available, and easy to work with. However, it also
has some significant disadvantages. Specifically,
it is relatively slow for transmitting data, it is
subject to interference from other electrical
sources, and it can be easily tapped by unintended
receivers to gain unauthorized access to data.

Coaxial Cables: Coaxial cable consists of insulated
copper wire. Compared with twisted-pair wire, it is much
less susceptible to electrical interference, and it can carry
much more data. For these reasons, it is commonly used to
carry high-speed data traffic as well as television signals
(thus the term cable TV). However, coaxial cable is more
expensive and more difficult to work with than twisted-
pair wire. It is also somewhat inflexible.

Fiber Optic: Fiber-optic cable consists of thousands of very thin filaments of glass fibers that
transmit information via light pulses generated by lasers. The fiber-optic cable is surrounded
by cladding, a coating that prevents the light from leaking out of the fiber. Fiber-optic cables
are significantly smaller and lighter than traditional cable media. They also can transmit far
more data, and they provide greater security from
interference and tapping. As of early 2015, optical
fiber had reached data transmission rates of more than
50 trillion bits (terabits) per second in laboratory
experiments. Fiber-optic cable is typically used as the
backbone for a network, whereas twisted-pair wire
and coaxial cable connect the backbone to individual
devices on the network.

Microwave: Microwave works by sending and receiving high-frequency radio waves, which
may carry speech, video, and data. Microwave connections are commonly utilized for
point-to-point communications because their short wavelength permits narrow beams to be aimed
directly at the receiving antenna. Unlike lower frequency radio waves, microwave devices can
utilize the same frequencies without interfering.

Microwave is a high-frequency (300 MHz–300 GHz) signal sent through the air. Terrestrial
(Earth-bound) microwaves are transmitted by line-of-sight devices, so the line of sight between
the transmitter and receiver must be unobstructed. Typically, microwave stations are placed in
a series - one station receives a signal, amplifies it, and retransmits it to the next microwave
transmission tower. Such stations can be located roughly 30 miles apart before the curvature
of the Earth makes it impossible for the towers to “see” one another. Microwave signals can
carry thousands of channels at the same time. Because they are line-of-sight transmission
devices, microwave dishes are frequently placed in relatively high locations, such as
mountains, towers, or tall buildings.

Communication Satellites: A communication satellite also operates in the microwave
frequency range. The satellite receives the signal from the Earth station, amplifies the relatively
weak signal, and then rebroadcasts it at a different frequency. The advantage of satellite
communications is that satellites can receive and broadcast over large geographic regions. Such
problems as the curvature of the Earth, mountains, and other structures that block the
line-of-sight microwave transmission make satellites an attractive alternative. Geostationary,
low-Earth orbit, and small mobile satellite stations are the most common forms of satellite
communications. A geostationary satellite orbits the Earth directly over the equator,
approximately 22,300 miles above the Earth, so that it appears stationary. A very small aperture
terminal (VSAT) is a satellite ground station with a dish antenna smaller than 3 meters in
diameter.
Figure: Satellite Communication

3.4 Network Devices
Network devices can be defined as physical devices that are necessary for the communication
and interaction between computer hardware on a computer network. Physical devices,
networking hardware, and network equipment are some other names of network devices. Each
network device has a certain job to perform in a computer network, and those roles vary
depending on the segment in which the device is located. Network devices, or network
equipment, are a variety of electrical devices used in networking. Network devices are
primarily used in a computer network to send and receive data swiftly and securely between
computers, fax machines, printers, and other devices of the same kind. Here, we'll take a look
at the basics of network devices and how they function. Some common network devices are
NIC, Hub, Router, Switch, Bridge, Gateway, and NOS. They are briefly described below:

NIC or Network Interface Card: Network Interface Card is a hardware device that is installed
on the computer so that it can be connected to the internet. It is also called Ethernet
Card or Network Adapter. Every NIC has a 48-bit unique serial number called a MAC address
which is stored in ROM carried on the card. Every computer must have at least one NIC if it
wants to connect to the internet.

Modem: Modem stands for modulator-demodulator. It is a device that converts analog
telephone connections into digital and vice versa. Computers use digital signals and require a
modem to convert these digital signals into analog signals that can be sent over (or received
from) telephone lines, cable lines, or wireless media that use analog signals.

Hub: A hub is a networking device used to connect multiple devices directly to the network
using cables. Each connection is called a 'port.' The connections typically consist of a fiber
optic Ethernet cable. When the hub receives data at one of its ports, it distributes the data to the
other ports in the network. Typically, a hub sends all the data it receives to all the other ports.

Switch: Switches tend to be more intelligent than hubs in most cases. Switches contain many
ports to connect different network segments. They are similar to hubs, but offer greater
performance. When a network contains a large number of devices, switches are needed instead
of hubs to make sure the communications between devices do not slow down. Contrary to a hub,
a switch sends the data it receives only to specific ports.
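
The difference between a hub and a switch described above, as an added example that is not part of the original manual: a small simulation in which a hub repeats every frame to all other ports, while a switch learns which MAC address sits on which port. The port numbers, MAC addresses and traffic are constructed sample values, and the class and function names are hypothetical.

```python
"""Hub vs. switch: which ports receive a frame? Constructed sample traffic."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every incoming frame to all other ports."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Learns source addresses and sends known unicast frames to one port only."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port          # learn where the sender lives
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcasts and not-yet-learned destinations go to every other port.
            return [p for p in self.ports if p != in_port]
        return [] if out_port == in_port else [out_port]


def overheard(device, frames, observer_port, observer_mac):
    """Indexes of unicast frames that reach observer_port but are addressed elsewhere."""
    seen = []
    for index, (in_port, src_mac, dst_mac) in enumerate(frames):
        out_ports = device.forward(in_port, src_mac, dst_mac)
        if observer_port in out_ports and dst_mac not in (observer_mac, BROADCAST):
            seen.append(index)
    return seen


# Constructed hosts: teller PC on port 1, server on port 2, printer on port 3,
# and one more PC (the observer) on port 4.
TELLER = "02:00:00:00:00:01"
SERVER = "02:00:00:00:00:02"
PRINTER = "02:00:00:00:00:03"
OBSERVER = "02:00:00:00:00:04"

# Each frame: (port it arrives on, source MAC, destination MAC)
FRAMES = [
    (1, TELLER, SERVER),      # 0: first request, server location not yet learned
    (2, SERVER, TELLER),      # 1: reply
    (1, TELLER, SERVER),      # 2: second request
    (3, PRINTER, BROADCAST),  # 3: printer announces itself to everyone
    (1, TELLER, PRINTER),     # 4: print job
    (2, SERVER, TELLER),      # 5: reply
]


def compare():
    """Frames seen on port 4 that were meant for another host, per device type."""
    ports = [1, 2, 3, 4]
    return {
        "hub": overheard(Hub(ports), FRAMES, 4, OBSERVER),
        "switch": overheard(Switch(ports), FRAMES, 4, OBSERVER),
    }


if __name__ == "__main__":
    for device, indexes in compare().items():
        print(f"{device}: port 4 receives {len(indexes)} frames meant for others {indexes}")
```

On the hub, port 4 receives all five unicast frames; on the switch it receives only the first one, sent before the server's port had been learned. A switch narrows who receives a frame but is not an access control, so the confidentiality of traffic still depends on encryption.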

Router: A router is a networking device that forwards data packets between computer
networks. Routers perform the traffic directing functions on the Internet. Data sent through the
internet, such as a web page or email, is in the form of data packets. A packet is
typically forwarded from one router to another router through the networks that constitute
an internetwork (e.g. the Internet) until it reaches its destination node. In telecommunications
networks, a node is either a redistribution point or a communication endpoint.

Bridge: Bridges are networking devices that divide up the network into different segments to
manage the amount of traffic. This prevents unnecessary traffic from entering other parts of
the network and reduces congestion. As a network becomes more complex, bridges make sure
your network speed doesn't drop dramatically.

Gateway: A gateway is a computer that sits between different networks or applications. The gateway
converts information, data or other communications from one protocol or format to another. A
router may perform some of the functions of a gateway. An Internet gateway can transfer
communications between an enterprise network and the Internet. Because enterprises often use
protocols on their local-area networks (LANs) that differ from those of the Internet, a gateway
will often act as a protocol converter so that users can send and receive communications over
the Internet.

Network Operating Systems (NOS): A network operating system (NOS) is systems software
that controls the computer systems and devices on a network and allows them to communicate
with each other. The NOS performs similar functions for the network as operating system
software does for a computer, such as memory and task management and coordination of
hardware. When network equipment (such as printers, plotters, and disk drives) is required, the
NOS makes sure that these resources are used correctly. Novell NetWare, Windows 2000,
Windows 2003, and Windows 2008 are common network operating systems.

The following figure shows the use of various networking devices to establish a complete
network system.

3.5 Concepts of Client-Server System


In client/server architecture, multiple computer platforms are dedicated to special functions,
such as database management, printing, communications, and program execution. These
platforms are called servers. Each server is accessible by all computers on the network. Servers
can be computers of all sizes; they store both application programs and data files and are
equipped with operating system software to manage the activities of the network. The server
distributes programs and data to the other computers (clients) on the network as they request
them. An application server holds the programs and data files for a particular application, such
as an inventory database.

A client is any computer (often a user’s personal computer) that sends messages requesting
services from the servers on the network. A client can converse with many servers
concurrently. For example, a user at a personal computer initiates a request to extract data that
resides in a database somewhere on the network. A data request server intercepts the request
and determines on which database server the data resides. The server then formats the user’s
request into a message that the database server will understand. When it receives the message,
the database server extracts and formats the requested data and sends the results to the client.
The database server sends only the data that satisfies a specific query - not the entire file.
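
The request flow described above, as an added example that is not part of the original manual: a client asks a data request server for records, the request server picks the database server that holds the table, and that server returns only the rows matching the query. The server names, table layouts and account rows are constructed, the class names are hypothetical, and SQLite in-memory databases stand in for the database servers.

```python
"""Client -> data request server -> database server, with constructed data."""
import json
import sqlite3


class DatabaseServer:
    """Holds some tables and answers query messages with matching rows only."""

    def __init__(self, name, tables):
        self.name = name
        self.conn = sqlite3.connect(":memory:")
        self.schema = {}  # table name -> set of its column names
        for table, (columns, rows) in tables.items():
            self.conn.execute(f"CREATE TABLE {table} ({', '.join(columns)})")
            marks = ", ".join("?" for _ in columns)
            self.conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
            self.schema[table] = set(columns)

    def handle(self, message):
        """Take a JSON request message and return a JSON reply message."""
        request = json.loads(message)
        table, column = request["table"], request["column"]
        # Table and column names cannot be bound as parameters, so they are
        # accepted only if they appear in this server's own schema.
        if table not in self.schema or column not in self.schema[table]:
            return json.dumps({"status": "error", "reason": "unknown table or column"})
        # The value is bound as a parameter and is never pasted into the SQL text.
        cursor = self.conn.execute(
            f"SELECT * FROM {table} WHERE {column} = ? ORDER BY rowid",
            (request["value"],),
        )
        names = [description[0] for description in cursor.description]
        rows = [dict(zip(names, row)) for row in cursor.fetchall()]
        return json.dumps({"status": "ok", "server": self.name, "rows": rows})


class DataRequestServer:
    """Finds the database server that holds a table and forwards the request to it."""

    def __init__(self, database_servers):
        self.catalog = {table: server
                        for server in database_servers
                        for table in server.schema}

    def request(self, table, column, value):
        server = self.catalog.get(table)
        if server is None:
            return {"status": "error", "reason": "no server holds this table"}
        # Format the client's request into a message the database server understands.
        message = json.dumps({"table": table, "column": column, "value": value})
        return json.loads(server.handle(message))


def build_demo():
    """Two database servers with constructed rows, behind one request server."""
    accounts = DatabaseServer("db-accounts", {
        "accounts": (["account_no", "branch", "balance"],
                     [(1001, "Dhaka", 5000), (1002, "Chattogram", 7500),
                      (1003, "Dhaka", 1200)]),
    })
    loans = DatabaseServer("db-loans", {
        "loans": (["loan_no", "account_no", "amount"],
                  [(9001, 1001, 250000), (9002, 1003, 90000)]),
    })
    return DataRequestServer([accounts, loans])


if __name__ == "__main__":
    request_server = build_demo()
    # The client: asks for Dhaka accounts and receives two of the three rows.
    print(request_server.request("accounts", "branch", "Dhaka"))
    print(request_server.request("loans", "account_no", 1001))
    print(request_server.request("cards", "card_no", 1))
```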

Figure: Client Server Architecture

3.6 Types of Networks


There are various types of computer networking options available. Computer networks
can be classified according to their size as well as their purpose. The size of
a network is expressed by its geographic area and the number of computers that are
part of it. It ranges from devices housed in a single room to millions of devices spread
across the world. The following are the popular types of computer network:

Personal Area Network or PAN: A personal area network (PAN) is a wireless network that
connects information technology devices close to one person. With a PAN, you can connect a
laptop, digital camera, and portable printer without cables. You can download digital image
data from the camera to the laptop and then print it on a high-quality printer—all wirelessly.
Additionally, a PAN enables data captured by sensors placed on your body to be transmitted
to your smartphone as input to applications that can serve as calorie trackers, heart monitors,
glucose monitors, and pedometers.

Local Area Network or LAN: If you work in a business that uses networking, you are
probably connecting to other employees and groups via a local area network. A local area
network (LAN) is designed to connect personal computers and other digital devices within a
half-mile or 500-meter radius. LANs typically connect a few computers in a small office, all
the computers in one building, or all the computers in several buildings in close proximity.
LANs also are used to link to long-distance wide area networks (WANs, described later in this
section) and other networks around the world, using the Internet.

Metropolitan Area Network or MAN: A metropolitan area network (MAN) is a network that
spans a metropolitan area, usually a city and its major suburbs. Its geographic scope falls
between a WAN and a LAN.

Wide Area Network or WAN: Wide area networks (WANs) span broad geographical
distances—entire regions, states, continents, or the entire globe. The most universal and
powerful WAN is the Internet. Computers connect to a WAN through public networks, such
as the telephone system or private cable systems, or through leased lines or satellites.

3.7 Internet and Web Technologies


The Internet (“the Net”) is a global WAN that connects approximately one million
organizational computer networks in more than 200 countries on all continents, including
Antarctica. As a network of networks, the Internet enables people to access data in other
organizations and to communicate, collaborate, and exchange information seamlessly around
the world, quickly and inexpensively. Thus, the Internet has become a necessity for modern
businesses. No central agency manages the Internet.

Intranet and Extranet


Today, Internet technologies are being used both within and among organizations. An Intranet
is a network that uses Internet protocols so that users can take advantage of familiar
applications and work habits. Intranets support discovery (easy and inexpensive browsing and
search), communication, and collaboration inside an organization.

In contrast, an Extranet connects parts of the intranets of different organizations. In addition,
it enables business partners to communicate securely over the Internet using virtual private
networks (VPNs) (explained in IT Security Chapter). Extranets offer limited accessibility to
the intranets of participating companies, as well as necessary interorganizational
communications. They are widely used in the areas of business-to-business (B2B) electronic
commerce and supply chain management (SCM).

World Wide Web (WWW): Many people equate the Internet with the World Wide Web.
However, they are not the same thing. The Internet functions as a transport mechanism,
whereas the World Wide Web is an application that uses those transport functions. Other
applications, such as e-mail, also run on the Internet. The World Wide Web (The Web, WWW,
or W3) is a system of universally accepted standards for storing, retrieving, formatting, and
displaying information via a client/server architecture. The Web handles all types of digital
information, including text, hypermedia, graphics, and sound. It uses graphical user interfaces
(GUIs), so it is very easy to navigate. Some common terms related to the Internet and the
WWW are described below.

Internet Protocol (IP) Address: Each computer on the Internet has
an assigned address, called the Internet Protocol (IP) address, that distinguishes it from all other
computers. The IP address consists of sets of numbers, in four parts, separated by dots. For
example, the IP address of one computer might be 135.62.128.91. You can access a Web site
by typing this number in the address bar of your browser. IP addresses must be unique so that
computers on the Internet know where to find one another.

Web Browser: A web browser is a piece of software that allows you to surf the internet (World
Wide Web). It acts as a conduit between the server and the client, allowing requests for web
pages and services to be sent to the server.

Web Server: A web server is used for locating and managing stored web pages. It locates the
web pages a user requests on the computer where they are stored and delivers the web pages
to the user’s computer. Server applications usually run on dedicated computers. The most
common web server in use today is Apache HTTP Server, followed by Microsoft Internet
Information Services (IIS). Apache is an open source product that is free of charge and can be
downloaded from the web.

Web Page: A web page (or webpage) is a hypertext document provided by a website and
displayed to a user in a web browser. A website typically consists of many web
pages linked together in a coherent fashion. The name "web page" is a metaphor of paper
pages bound together into a book. A URL address may be entered into a browser's address bar
to view a web page. URL stands for Uniform Resource Locator. A URL is nothing more than
the address of a given unique resource on the Web. Text, pictures, and linkages to other
websites and files may all be found on a web page.

Web Site: A website is a collection of web pages and associated material with a shared domain
name and published on at least one web server. The World Wide Web is made up of all publicly
accessible websites. Private websites, such as a company's internal website for its workers, may
only be viewed over a private network.

Web Development: The term "web development" refers to the process of constructing,
producing, and managing websites. It comprises features such as website design, online
publishing, web development, and database administration. Web development has two
different phases and they are frontend development and backend development.

Frontend refers to the component of a website with which a visitor may directly interact. Also
known as "the client side," it's where users interact with the program. Some languages are
required for front-end development such as CSS, HTML, JavaScript, AJAX, and so forth. The
server side of a website is known as the backend. It is a section of the website that visitors are
unable to view or interact with. It's the part of the program that doesn't interact with users
directly. It is used to organize and store data. PHP, Node.js, Python, Ruby, C#, C++, Java,
JavaScript, and so forth are some programming languages that are required for backend
development.

Now that you have a working knowledge of what networks are and how you can access them,
The Internet enables users to access or discover information located in databases all over the
world. By browsing and searching data sources on the Web, users can apply the Internet’s
discovery capability to areas ranging from education to government services to entertainment
to commerce. Although having access to all this information is a great benefit, it is critically
important to realize that there is no quality assurance for information on the Web. The Web is
truly democratic in that anyone can post information to it. Therefore, the fundamental rule
about information on the Web is “User beware!”

Sample Questions:
1. What is a computer network? Briefly discuss the different types of communication media used
in a bank network.
2. Make a list of networking devices used for designing the whole network system of a bank.
3. Distinguish among Internet, Intranet and Extranet.
4. Briefly discuss the various components of a telecommunication system.
5. Write short notes on: WWW, Web Development, Client server system.

Chapter-4
Electronic Banking Infrastructure

4.1 Alternative Delivery Channels in Banking Sector


Change in the banking sector has not only increased people's needs but has also changed the
shape of human life. Various alternative delivery channels in the banking sector have changed
the day-to-day operation of banks. With the introduction of computers and internet facilities
in the banking industry, all banks have adopted a core banking solution (CBS) platform to deliver
banking services. The use of the internet and smartphones has changed the physical appearance
of the banking industry. Alternative Delivery Channels (ADCs) are channels that act as
intermediaries between the bank and the customer and expand the movement and execution of
banking services. These channels may be media, tools or any application through which
customers can perform their banking operations. From the bank's point of view, these
alternative delivery channels help the bank reach a wide range of customers across the country.
Banks also get higher points with lower operational and transaction costs. Digital banking and
electronic banking are the best-performing areas of Alternative Delivery Channels.
With the help of these channels, all banks try to bring banking services to every individual,
with the objective of providing 24x7 banking and extending the banking system to the
unbanked.

4.1.1 Different Types of Alternative Delivery Channels


Nowadays most customers are moving out of branch banking to other channels.
The use of the internet, smartphones and mobile phones provides suitable options for online
purchases, which encourages customers to use online banking facilities. Using these channels,
customers can carry out banking transactions from home, the office or any other place. All the
channels contribute to increasing the productivity of the banking system. The alternative delivery
channels in the banking sector include Internet Banking, Mobile Banking, E-Wallet, ATM, CRM,
CDM, POST, Call Center, KIOSK, Mobile Apps/E-Wallet, Chatbot, etc.

Automated Teller Machine (ATM): An automated teller machine (ATM) is an electronic
banking outlet that allows customers to complete basic transactions without the aid of a branch
representative or teller. Anyone with a credit card or debit card can access cash at most ATMs.
ATMs are convenient, allowing consumers to perform quick self-service transactions such as
deposits, cash withdrawals, bill payments, and transfers between accounts. Fees are commonly
charged for ATM services. Some or all of these fees can be avoided by using an ATM operated
directly by the bank that holds the account. Although the design of each ATM is different, they
all contain the same basic parts:
• Card Reader: This part reads the chip on the front of the card or the magnetic stripe
on the back of the card.
• Keypad: The keypad is used by the customer to input information, including personal
identification number (PIN), the type of transaction required, and the amount of the
transaction.
• Cash Dispenser: Bills are dispensed through a slot in the machine, which is connected
to a safe at the bottom of the machine.
• Printer: If required, consumers can request receipts that are printed here. The receipt
records the type of transaction, the amount, and the account balance.
• Screen: The ATM issues prompts that guide the consumer through the process of
executing the transaction. Information is also transmitted on the screen, such as
account information and balances.

Cash Deposit Machine: The Cash Deposit Machine (CDM) is an ATM-like machine that
allows you to deposit cash directly into your account. You can use this machine to instantly
credit your account without visiting the branch. The transaction receipt also gives you your
updated account balance. Instant credit at any time of the day, throughout the week, is one
of the most remarkable features of the Cash Deposit Machine.

Benefits of Cash Deposit Machine


• Self-service terminal and doesn’t require any bank official.
• Instant money credit in your bank account.
• Save time by avoiding queues and skipping form filling processes.
• Receive deposit receipt immediately.
• Not necessary to segregate your denominations.

Point-of-Sale Terminal: A point-of-sale (POS) terminal is a hardware system for processing
card payments at retail locations. Software to read the magnetic stripes of credit and debit cards
is embedded in the hardware. Portable devices (i.e., not terminals anchored to a counter), either
proprietary or third-party, as well as contactless capabilities for emerging forms of mobile
payments, represent the next generation of POS systems.


Kiosk Banking: Kiosks are small booths with internet connections, established in villages and
staffed with personnel who help customers avail themselves of basic bank services. Most
mainstream banks in all sectors (private, public and cooperative) open kiosks for the people.
The services provided are usually withdrawals, deposits, remittances, etc. The kiosks act as a
touchpoint between the banks and the people. Requests initiated at the kiosk, such as opening a
bank account or making a deposit, are transferred to the nearest branch, which processes them.
Financial inclusion through kiosk banking is essential for ensuring the financial security of all
citizens of the country, regardless of who they are and where they reside. In kiosk banking,
because of the lack of bank branches, the customer cannot go to the bank. Instead, the bank
comes to the area to process transactions, allow credit, and enable access to these services
for low-income groups.

Internet Banking: Nowadays, Alternative Delivery Channels (ADCs) are gaining popularity
in the banking domain. Among all these technologies, Internet Banking is the most
powerful form of real-time online banking at the least cost. An Internet Banking account is
simple to open and easy to operate. It is convenient, because customers can pay any kind of bill
without standing in a long queue and can transfer funds between accounts from nearly anywhere
in the world. Customers also do not have to keep receipts for all of their bills, as they can now
easily view their transactions. It is available all the time. Account holders can perform account
related tasks from anywhere and at any time, even at night or on holidays when the bank is
closed. The only thing needed is an active Internet connection. It is fast and efficient.
Funds are transferred from one account to another very quickly. Users can keep an eye on their
transactions and account balance all the time. Customers no longer need to get passbooks
updated to know their total account balance. Internet Banking helps in maintaining genuine
records and aids the security of customers. Customers can learn about any fraudulent
activity or threat to their account before it can cause severe damage. It is also a great medium
for banks to promote their products and services. Further online services include loans and
investment options.

While Internet Banking has many positives, there are also a few cons. Understanding how to use
Internet Banking might be difficult at first, so a person who is new to technology might
face some difficulties. Users cannot have access if they do not have an Internet connection; thus,
without Internet access, it may not be useful. Security of transactions is a big
issue. Account information might get hacked by unauthorized people over the Internet. If the
bank's server is down, users cannot access their accounts. If net connectivity is lost or the
connection is slow, it might be hard to know whether a transaction went through.
A customer might also be marketed to excessively and become annoyed by notifications, constant
emails and updates, though these can easily be turned off.

There are three types of Internet Banking: informational, communicative and transactional.
Informational Internet Banking is the fundamental level of banking. It does not allow patrons to
view or maintain accounts, nor does it allow for communication between the financial
institution and customers. It simply means the bank offers basic information about its products
and services, much like a booklet. This is meant for marketing purposes only, and there is no
connection to the bank's main computer systems. Communicative Internet Banking permits
some communication between the client and the bank. However, this is typically restricted to
fundamental interactions such as account inquiries, new account updates, loan or mortgage
applications, contact information updates and balances. It may connect with the bank's main
computer systems. Transactional Internet Banking is the most popular online banking type. It
offers all of the benefits of a traditional brick-and-mortar organization. This includes full
control over customers' accounts: deposits, withdrawals, transfers, updates and online
payments.

Mobile Financial Services (MFS): The financial sector in Bangladesh is continuously
growing in response to the evolving needs of the growing economy. Despite impressive gains
in capital base, per capita income and other areas, the financial sector still lags in
reaching out with adequate financial services for the economic activities of the low-income rural
and urban population in Bangladesh. The rapid expansion of mobile phone users, the modernization
of payments and the financial system based on IT infrastructure, and the country-wide reach of
mobile operators' networks have opened up opportunities for innovating cost-efficient and prompt
Mobile Financial Services (MFS), especially for the underserved, un-banked/under-banked and
low-income groups of the population.

Agent Banking: Agent Banking is an alternative delivery channel that provides banking services
through agents engaged under a valid agency agreement, rather than through a teller/cashier. The
agent is the owner of an outlet who conducts banking transactions on behalf of a bank. Globally,
these retailers are being increasingly utilized as important distribution channels for financial
inclusion. Bangladesh Bank introduced agent banking in the country in 2013. The main purpose is
to provide safe, limited-scale banking and financial services to the under-privileged,
under-served population who generally live in geographically remote locations that are beyond the
reach of the traditional banking networks, as well as to existing bank customers. Banks can
deliver a variety of banking services including savings, loans, remittances, and various payment
services (such as utility bills, taxes, government transfer benefits) to customers through an
agent. This model is thus gaining popularity as a cost-effective delivery channel as well as a
convenient way of bringing banking services close to the mass of people who would
otherwise have remained unbanked due to their distant location.

Banking App/E-Wallet: A banking app is a mobile app where you can access the details of
your bank account and complete transactions directly from your phone, tablet, or mobile
device. Depending on the bank you are accessing, you will be able to complete a variety of actions
via your banking app. In today's age of smartphones, the young generation prefers the e-wallet
to ATM and debit cards. The e-wallet has become a great option for cashless payment.
An e-wallet, also known as a digital wallet, is electronic software or an online service that
allows you to transfer funds electronically to others. It also stores the information of your
bank account and reduces the need to enter account details at the time of
online payment. For this, the customer has to install the e-wallet application and link it with
his or her own bank account, after which the customer can make any type of payment through that
wallet.

Call Center: Open lines of communication are a basic requirement for institutions that handle
someone's money. Customers need a feeling of control and financial security, so the operators
of a bank should provide customer care. Call centers serve various purposes for a bank: customers
can obtain information, conduct transactions, or submit enquiries 365 days a year, 24 hours a day,
7 days a week. The other major reason is the reduction of operating costs. A bank call center
should also call potential customers, conduct surveys, review products, and launch advertising
campaigns. The call center managers initiate these services; their job is to decide how agents
call customers. These calls are used to promote a new product or service. Another purpose of
outbound calls is customer education. The agents need to tell customers about the importance of
account security and what to do in case of fraudulent activity. It is no secret that
modern banks use not only a human interface but also Interactive Voice Response (IVR). Calls
can be taken by the IVR in several languages. It provides certain banking services to customers
without requiring them to speak to an agent. IVR helps the financial sphere automate the handling
of up to 85% of all inquiries.

Call Center Services Provided by Banks
• Inquiries (financing programs, account balance, banking services, transactions, general
product information)
• Transfers (send and receive, issue in local or foreign currencies)
• Payments (credit card bills, other bills)
• Reporting (complaints, lost cards, cheque book requests, receipt notes)
• Processing (mortgage, loan applications, PIN Authentication, PIN Change)
• Informing (branch locations, currency exchange rates)
• Activation (credit and debit card, account)
• Other (sales, SMS-banking) etc.

Chatbot: At the most basic level, a chatbot is an AI (Artificial Intelligence) based computer
program that simulates and processes human conversation (either written or spoken), allowing
humans to interact with digital devices as if they were communicating with a real person. They
are also known as digital assistants that understand human capabilities. Bots interpret the user's
intent, process the request, and give prompt, relevant answers. Bots can communicate
through voice as well as text and can be deployed across websites, applications, and messaging
channels such as Facebook Messenger, Twitter, or WhatsApp. Chatbots work by analyzing the
user's request to identify its intent and extract the relevant entities, which is the most
important task of a chatbot. Once the analysis is done, an appropriate response is delivered to
the user.

4.2 Data Center
A data center is a building, a dedicated space within a building, or a group of buildings used to
house computer systems and associated components, such as telecommunications and storage
systems. A data center is a facility that centralizes an organization's shared IT operations and
equipment for the purposes of storing, processing, and disseminating data and applications.
Because they house an organization's most critical and proprietary assets, data centers are vital
to the continuity of daily operations.

Data center design includes routers, switches, firewalls, storage systems, servers, and
application delivery controllers. Because these components store and manage business-critical
data and applications, data center security is critical in data center design. A data center has to
offer a secure environment that minimizes the chances of a security breach. A data center must,
therefore, keep high standards for assuring the integrity and functionality of its hosted computer
environment. Since IT operations are crucial for business continuity, a data center generally
includes redundant or backup components and infrastructure for power supply, data
communication connections, environmental controls (e.g., air conditioning, fire suppression),
and various security devices.

4.2.1 Primary Elements of a Data Center


The primary elements of a data center are as follows:
• Facility – the usable space available for IT equipment. Providing round-the-clock access to
information makes data centers some of the world’s most energy-consuming facilities. Design
to optimize space and environmental control to keep equipment within specific
temperature/humidity ranges are both emphasized.
• Core components – equipment and software for IT operations and storage of data and
applications. These may include storage systems; servers; network infrastructure, such as
switches and routers; and various information security elements, such as firewalls.
• Support infrastructure – equipment contributing to securely sustaining the highest
availability possible. Some components for supporting infrastructure include:
    • Uninterruptible Power Sources (UPS) – battery banks, generators and redundant power
    sources.
    • Environmental control – computer room air conditioners (CRAC); heating, ventilation
    and air conditioning (HVAC) systems; and exhaust systems.
    • Physical security systems – biometrics and video surveillance systems.
• Operations staff – personnel available to monitor operations and maintain IT and
infrastructure equipment around the clock.

Data centers have evolved significantly in recent years. As enterprise IT needs continue to
move toward on-demand services, data center infrastructure has shifted from on-premises
servers to virtualized infrastructure that supports workloads across pools of physical
infrastructure and multi-cloud environments.

4.2.2 Classification of DC
Data center tiers are a standardized ranking system that indicates the reliability of data center
infrastructure. This classification ranks facilities from 1 to 4, with 1 being the worst and 4 the
best-performing level.
A data center receives this international ranking from the Uptime Institute, an independent
organization that determines the facility level primarily based on:
• Uptime guarantees.
• Fault tolerance (the ability to handle both planned and unplanned disruptions).
• Service cost.
Tier 1 Data Center: A Tier 1 data center is a type of data center that has only one source of
servers, network links and other components. It is one of the simplest forms of data center tiers
and lacks any redundant or backup supply of data center infrastructure components and
operational services. A Tier 1 data center is also known as a Level 1 data center. A Tier 1 data
center is the basic-intermediate level of data center tiers. Introduced by the Uptime Institute, it
is used to provide a neutral classification of data centers in terms of availability. A Tier 1 data
center has only the essential components of data center infrastructure and is not suited for
enterprise or mission-critical data center services, as it lacks any redundant source of servers,
network/Internet links, storage, power and cooling resources. Typically, a Tier 1 data center
guarantees 99.671 percent availability and has an average of 28.8 hours of downtime per year.

Tier 2 Data Center: A Tier 2 data center is a location that has multiple sources of servers,
network links and other data center components. It is a center that has redundant components
but only one path/source or partial redundancy in data center power and cooling resources. A
Tier 2 data center is also known as a Level 2 data center. A Tier 2 data center has the same or
enhanced components and features of a Tier 1 data center, but with redundant capacity or
infrastructure components. It is the second tier of data centers introduced by the Uptime
Institute. In a Tier 2 data center, a power component or equipment can be replaced or removed
without interrupting power supply to the core computing components. It guarantees 99.741%
availability with approximately 22 hours of downtime per year. It is generally used by medium-
sized businesses.

Tier 3 Data Center: A Tier 3 data center is a location with redundant and dual-powered
servers, storage, network links and other IT components. It is one of the most commonly used
data center tiers, where IT components are powered with multiple, active and independent
sources of power and cooling resources. A Tier 3 data center is also known as a Level 3 data
center. A Tier 3 data center combines and exceeds the features and capabilities of Tier 1 and Tier
2 data centers, with redundant capacity and data center infrastructure components. It is the
third level/tier of data centers introduced by the Uptime Institute. As in a Tier 2 data center, IT
components can be replaced or removed without interrupting routine data center operations.
With the redundant and always active power supply, there is minimal planned and unplanned
downtime. It guarantees 99.982 percent availability with fractionally less than two hours
of downtime per year.

Tier 4 Data Center: A Tier 4 data center is an enterprise-class data center tier with redundant
and dual-powered instances of servers, storage, network links and power and cooling equipment.
It is the most advanced type of data center tier, where redundancy is applied across the entire
data center computing and non-computing infrastructure. A Tier 4 data center is also known as a
Level 4 data center. A Tier 4 data center combines and exceeds the features and capabilities of
all preceding data center tiers. It provides end-to-end fault resistance by deploying and
maintaining duplicates of the entire data center infrastructure. It is the last level/tier of data
centers introduced by the Uptime Institute. Being an enterprise-class data center, a Tier 4 data
center guarantees 99.995 percent availability with just 26.3 minutes of downtime per year.
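
The downtime figures quoted for each tier follow from the availability percentage applied to an
8,760-hour year. The sketch below is an added example, not part of the original manual: it checks
a constructed outage log against those figures, and its function names and sample outages are
assumptions made for illustration.

```python
"""Check an outage log against the tier availability figures quoted above.

Added example: the function names and the sample outages are assumptions,
constructed for illustration only.
"""
from datetime import datetime, timedelta

# Availability guarantees (percent) exactly as stated in the tier descriptions.
TIER_AVAILABILITY = {1: 99.671, 2: 99.741, 3: 99.982, 4: 99.995}
HOURS_PER_YEAR = 365 * 24  # 8,760 hours in a non-leap year


def downtime_budget_hours(availability_pct, period_hours=HOURS_PER_YEAR):
    """Downtime a site may accumulate in the period and still meet the figure."""
    return period_hours * (1 - availability_pct / 100)


def merge_outages(outages):
    """Merge overlapping (start, end) outages so shared time is counted once."""
    merged = []
    for start, end in sorted(outages):
        if end <= start:
            raise ValueError(f"outage ends before it starts: {start} .. {end}")
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def measured_downtime_hours(outages, period_start, period_end):
    """Total downtime inside the period; outages crossing its edges are clipped."""
    total = timedelta()
    for start, end in merge_outages(outages):
        start, end = max(start, period_start), min(end, period_end)
        if end > start:
            total += end - start
    return total.total_seconds() / 3600


def highest_tier_met(outages, period_start, period_end):
    """Return (tier, measured availability %); tier 0 means Tier 1 was missed."""
    period_hours = (period_end - period_start).total_seconds() / 3600
    down = measured_downtime_hours(outages, period_start, period_end)
    availability = 100 * (1 - down / period_hours)
    met = [t for t, pct in TIER_AVAILABILITY.items() if availability >= pct]
    return (max(met) if met else 0), availability


# Constructed outage log for one site in 2021 (not real incident data).
YEAR_START, YEAR_END = datetime(2021, 1, 1), datetime(2022, 1, 1)
SAMPLE_OUTAGES = [
    (datetime(2021, 3, 14, 2, 0), datetime(2021, 3, 14, 3, 0)),     # power fault
    (datetime(2021, 3, 14, 2, 30), datetime(2021, 3, 14, 3, 15)),   # overlapping link fault
    (datetime(2021, 8, 2, 10, 0), datetime(2021, 8, 2, 10, 20)),    # short cooling alarm
    (datetime(2021, 12, 31, 23, 50), datetime(2022, 1, 1, 0, 30)),  # runs past year end
]

if __name__ == "__main__":
    for tier, pct in TIER_AVAILABILITY.items():
        print(f"Tier {tier}: {pct}% allows {downtime_budget_hours(pct):.2f} h/year")
    tier, availability = highest_tier_met(SAMPLE_OUTAGES, YEAR_START, YEAR_END)
    print(f"Measured availability {availability:.4f}% meets Tier {tier}")
```

With 1 hour 45 minutes of merged downtime, the constructed site misses the Tier 3 figure (about
1.58 hours allowed per year) even though it stayed under two hours, so it is reported as Tier 2.
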
4.3 Alternative Data Center (ADC) and Disaster Recovery (DR) Site
Data centers are critical to the organization. Because mission-critical systems are used to run
the business, assist in the decision-making process, and form the basis of growth and revenue
generation, a failure in the data center could be disastrous. Therefore, most organizations have
two data centers — a primary data center (PDC) and a secondary data center (SDC), which in
some cases is also referred to as the alternative data center (ADC) or the alternative site or
disaster recovery (DR) site.

One of the key elements in any Disaster Recovery plan is the selection of a secondary site for
data storage to help prevent data loss in the event of cyber-attacks or a natural disaster. There
are three major types of disaster recovery sites that can be used: cold sites, warm sites, and hot
sites. A disaster recovery (DR) site is a facility an organization can use to recover and restore
its technology infrastructure and operations when its primary data center becomes unavailable.
The decision about what kind of DR site an organization needs and its location requires careful
planning and a balance of costs against any risks. Banks with large information requirements
and aggressive recovery time objectives are more likely to use a DR site. The DR site is
typically a second data center and allows a company to recover and resume operations
following a disaster at the primary center. The DR site options are hot, warm and cold sites:

Hot Computing Sites: At a hot site, an organization has access to a fully functional data center
with hardware and software, personnel and customer data. It is typically staffed around the
clock and is ready for organizations to operate their IT in the event of a disaster. This is the
ideal disaster recovery site but can be challenging to attain.

Warm Computing Sites: A warm site is an equipped data center but does not have customer
data. It contains some or all of the equipment found in a working data center, such as hardware
and software, network services and personnel. An organization can install additional equipment
when a disaster occurs. Warm sites are "ready to go" in one sense, but they still need to have
data transported to them for use in recovery should a disaster occur.

Cold Computing Sites: A cold disaster recovery site is the most simplistic type of disaster
recovery site. A cold site is only an option for business systems that can be down for an
extended period. An organization can use a cold site to supplement hot and warm sites in the
event of a disaster that lasts a long time. A cold site consists of elements to provide power and
networking capability as well as cooling. It does not include other hardware elements such as
servers and storage until an organization activates DR plans and installs equipment. The use of
a cold site is very limiting to a business since before it can be used, backup data along with
some additional hardware must be sent to the site and installed. This will impede workflow.

4.4 Distance between DC and DR


Distance is a prime consideration for an organization's DR site. A closer site allows for
tighter synchronization and easier staff management. But it should be on a different power grid
than the organization's primary data center and far enough away that a major disaster does not
impact both places. Sites too far away, though, can create replication issues, require different
staff and end up costing a lot. An organization needs to make location decisions based on the
importance of data, type of possible disasters (earthquake, cyclone, tornado, etc.) and cost.

4.5 Core Banking Software (CBS)


Simply put, digital core banking is banking technology that provides access to all of the
traditional core banking activities and services via digital platforms. Core banking platforms
ensure that customers have access to all of the banking services at any point, irrespective of the
time, location, and other variables that otherwise limit such a convenience. The primary
difference between traditional core banking and digital core banking is the medium through
which banking services are provided. In the traditional scenario, a customer had to visit a
physical branch of a bank for even simple banking tasks such as ordering checkbooks or check
deposits. The digitization of banks enabled by core banking transformation allows customers
to complete such tasks with just a few clicks. Customers can carry out everyday financial
transactions from the comfort of their home or the office without having to visit the bank.

Core banking systems are the computer-enabled back-end activities of a bank that process
daily banking transactions and update the accounts accordingly. Core banking systems
typically include deposits, withdrawals, check processing, cash transfers, business loan and
credit processing, and business credit card and debit card management, along with a host of other
important activities. Core banking system architecture offers an easy interface that integrates
ledger systems with technologically advanced reporting tools, which makes the management of
everyday banking activities extremely fast and efficient. Core banking software increases the
productivity of a bank by a huge margin and contributes to the overall revenue of the bank.

4.5.1 Features of Core Banking Software


Core banking platforms offer a myriad of features and applications. These key features of core
banking software make the whole process of digital transformation absolutely worth it.
• Customer onboarding: In a traditional banking scenario, customer onboarding is one
of the most cumbersome tasks. Core banking applications make this process extremely
easy. There is no hassle of endless paperwork and multiple verifications; the entire
process is digitized and completed within a few clicks.
• Daily Transactions: Day-to-day cash transactions such as deposits, withdrawals, and
transfers can be processed digitally without any in-person contact. This makes the
mundane banking activities safe and efficient. This also includes other banking
activities such as bill payments, credit card payments, and online retail transactions.
• Loan Interest and Payments: Once a loan is approved and distributed, much of the
maintenance is a matter of calculations. Your banking software will handle the task of
calculating interest, penalties, and determining the proper monthly payments.
• Secure data management: Data migration and data management are two of the most
critical aspects of the banking sector. Core banking platforms make data management
both manageable and seamless. Consolidated information that showcases customer
data, business data, and transactional data can help the bank make important decisions.
Accurate data management can help a bank recommend the right financial products to
its customers. Business and transactional data can help banks evaluate growth strategies
and launch new products that benefit their customers.
• Virtual Banking: A mobile app has become an essential extension of a bank’s digital
presence. Mobile applications and Net Banking facilities allow customers to access
their accounts from anywhere. This assures customers that they can carry out their
banking activities without any interruptions. This also improves customer engagement
in banking.
• Advanced Security Integration: As banking activities continue to migrate online,
money mismanagement and fraudulent transactions may occur occasionally. One of the
key advantages of the core banking software is the top-notch security integration across
all the verticals of a bank. Features such as dual authentication processes and digital
identity management ensure tight security to both the banks and their customers.
• Customer Communication: If there is ever an issue with a customer's account, he or
she will want to know right away. Your banking solution should be able to reach
customers through SMS messaging or automatic emails. This communication will
make it just as easy to send a message to every customer as it is to send a single message
to an individual.

4.5.2 Common Modules in CBS


The CBS includes full support for various functions, some of which include Customer
Information System, Corporate & Retail Banking, Investment Banking, Financing Origination
System, Agent Banking, Offshore Banking, Profit Distribution, Accounting & MIS, Payroll,
Islamic banking products, Bills and Remittance, Treasury Management, Trade finance, General
Ledger, KYC for anti-money laundering, Credit monitoring system (centralized limit),
Clearing, Drilled Down Reporting, etc.

4.6 ICT Department


The Bank’s technology initiatives are clearly focused on the customer. Technology is being
implemented by banks with a view to providing customers with convenient banking on a 24 X 7
basis at home and abroad through deployment of a single Core Banking Solution platform
across the globe, with integrated delivery channels such as ATM, Internet, Phone, Mobile, Kiosk,
Call Centre etc.

Banking technology deployment is not restricted to the core banking solution. It also covers
other applications like Enterprise-wide General Ledger, Risk Management, Anti-Money
Laundering, Cheque Truncation, Credit Cards, Mutual Funds, On-line Trading, Data
Warehousing, Customer Relationship Management, SWIFT, RTGS, EFT, NPSB, Internet
Payment gateway, Global Treasury, Human Resources Management System, Employee Pay
Roll, Cash Management, Mobile Banking, SMS delivery, Retail Depository, Phone Banking,
Knowledge Management etc., which are well integrated and provide a
seamless experience to customers of all segments and lines of business. These applications also
provide critical MIS through the Data Warehouse for timely business decisions. The Internet Payment
gateway offering E-commerce services is also an added issue. With the help of CBS and various
initiatives, the bank has equipped its customers with state-of-the-art technology, duly
complemented by the human interface.

4.6.1 The Objective of the IT Department


The objective of the IT Department is to take care of the IT infrastructure and provide IT
services to the employees of the bank, supervise and support the information systems used by
the bank and implement IT development projects. The Department also maintains constant IT
system security, analyses IT security incidents, carries out IT system security checks, as well
as keeps in contact and coordinates actions with the Central Bank and the supervised financial
market participants in relation to these issues. It develops the IT infrastructure used at the bank,
and looks for and procures new hardware, software and necessary IT services.

4.6.2 Divisions under IT Department


Because of the complex nature of the services that IT provides for both the bank and its branches,
the department is led by a Chief Information Technology Officer. Often, IT divisions can be better
aligned to facilitate separation of duties and a better focus on the most critical areas identified.
Common divisions under the IT department are:
• IT Management Division
• Information Systems Development Division
• Infrastructure Management Division
• Information Systems Maintenance and Support Division

4.6.3 Functions of IT Department


• Business systems
• Shared services
• IT operations
• Enterprise architecture
• Project management
• Information security



4.7 Outsourcing of IT Jobs
Outsourcing is the process by which an organization delegates some of its in-house operations
or processes to a third party. IT outsourcing (ITO) involves an external service provider being
given responsibility for managing specific applications for a financial institution. Server
management, infrastructure solutions, network administration and software development are
the most common functions to be outsourced, and ITO is typically implemented to save banks
time and money while introducing flexibility in terms of data storage, product offerings and
speed of service.

Generally speaking, outsourcing enables organizations to improve operational performance,
vastly improve speed, reduce operational risk and increase efficiency by better
consolidating and centralizing functions. Banks that strive to keep everything in-house
typically end up developing a series of vertically integrated silos that result in extensive
duplication and redundancy across businesses and markets. Financial Institutions face many
challenges including operational risks, cyberthreats, strategic planning, compliance and audit.
Outsourcing IT capability to a third-party expert has many diverse benefits that positively
impact the bottom line.
• Control and reduce IT costs – outsourcing services are typically offered via a monthly
fee and banks benefit from economies of scale and overall lower cost infrastructure;
• Focus on the business of running the bank – banks can refocus on investing time and
energy into growth strategies rather than worrying about the latest IT development;
• Stay current with the latest technology – relinquish IT technology decisions,
investment and training to experts in the field;
• Mitigate risk and automate – outsource infrastructure risk and automation to offer
24/7 processing and monitoring of secure bank IT environments;
• Experience increases in productivity – refocus on core competences at a lower cost,
reassured by quick response to service issues and interruptions.

More and more financial institutions are turning to IT outsourcing because they have neither
the expertise nor the economies of scale that a modern outsourcer can offer. Maintaining a
state-of-the-art IT ecosystem is a daunting task. It requires multiple layers of tools and expertise
that many banks simply cannot recruit and afford. Managed IT services provide the flexibility
and scalability that financial institutions need to grow and evolve, and ensure that a bank’s assets,
systems and applications stay current and continuous.



4.7.1 The Services that a Bank Can Outsource
Here are the most common IT services that a bank can outsource:
• Front line IT support – Service/Support Desk,
• Activities such as Debit/Credit Card printing and dispatch, verifications, etc.,
• Technology Operations,
• Banking Operations,
• Cash Management and Collections,
• Technology Infrastructure Management, Maintenance and Support,
• Application Development, Maintenance and Testing,
• Transaction Processing including payments, loans, deposits,
• Customer Service helpdesk / Call Centre services,
• Marketing and Research,
• Data Analysis,
• IT Audit.

Sample Questions:
1. What are Alternative Delivery Channels (ADC)? What are the advantages and
disadvantages of ADCs compared to branch?
2. What are the roles of Data Center (DC), Alternative Data Center (ADC) and Disaster
Recovery Site (DRS) in banks? Which type of DC is the best and why?
3. Classify different types of Disaster Recovery Sites (DRSs) with example.
4. What is a CBS? Why do we need it in banking business?
5. What are the major roles of ICT department in a bank?
6. What is outsourcing? Why do we need to outsource some IT jobs in banks?



Chapter-5
Data Management in Online Banks

5.1 Data and Information


Data are a vital organizational resource that needs to be managed like other important business
assets. Today’s banking industry cannot survive or succeed without quality data about its
internal operations and external environment. That’s why banks and their managers need to
practice data resource management, a managerial activity that applies information systems
technologies like database management, data warehousing, and other data management tools
to the task of managing an organization’s data resources to meet the information needs of its
business stakeholders. Managing data in banks is difficult for many reasons, including the
following:
• The amount of data increases exponentially with time.
• Data are scattered throughout organizations, and they are collected by many individuals
using various methods and devices.
• Data are generated from multiple sources.
• Data security, quality, and integrity are critical, yet they are easily jeopardized.
• Companies are drowning in data, much of which is unstructured.

The following section covers the conceptual issues related to data, information, database,
DBMS, Data Warehouse, Data Mining and Data Analytics. This section also focuses on various
issues related to access control and authentication mechanisms.

Data: Data are raw facts. Data can be numbers, text, images, audio, and video. However,
data are meaningless until we process them. Banks generate a huge volume of data from various
transaction points, so banks must be careful while dealing with data. It is said that those who
rule data will rule the entire world. Hence, we realize the significance of data in an organization.

Information: Information is data that have been processed, organized, and structured. It puts
data in context and helps people make decisions. We use data as input and we get information
as output.



5.2 Database
Often abbreviated DB, a database is basically a collection of information organized in such a
way that a computer program can quickly select desired pieces of data. You can think of a
database as an electronic filing system. A computer system organizes data in a hierarchy that
starts with the bit, which represents either a 0 or a 1. Bits can be grouped to form a byte to
represent one character, number, or symbol. Bytes can be grouped to form a field, and related
fields can be grouped to form a record. Related records can be collected to form a file, and
related files can be organized into a database.
Figure: The Data Hierarchy

To access information from a database, you need a database management system (DBMS). This
is a collection of programs that enables you to enter, organize, and select data in a database.
There are many different types of DBMSs, ranging from small systems that run on personal
computers to huge systems that run on mainframes. Some examples of popular database
software or DBMSs include MySQL, Microsoft Access, Microsoft SQL Server, Oracle, DB2,
PostgreSQL, etc. In general, a bank uses a database for improving business processes, keeping
track of its customers, storing users’ data, and maintaining and accessing data.



5.2.1 Classification of Database
For storing several varieties of data, different types of databases can be used by organizations.
However, the following section discusses only centralized and distributed database systems.

Centralized Database: A centralized database system is one where the data is stored
centrally. Due to its centralized location, client users are able to access the stored data from
different locations through several applications. The authentication process is maintained in
the application to let users securely access their data.
Figure: Architecture of Centralized Database System

Advantages of Centralized Database


• Risk of data management is minimized.
• Since the data is maintained centrally, it remains consistent.
• Data standards are maintained because it provides better quality data.
• Cost is minimized because fewer vendors are required for maintenance.
Disadvantages of Centralized Database
• When the database is too large, response times increase, making responses slow.
• Updating a large centralized database takes extensive knowledge.
• Since all data is centralized, server failure would mean losing all data on the server.



Distributed Database: A distributed database represents multiple interconnected databases
spread out across several sites (places) connected by a network. Since
the databases are all connected, they appear as a single database to the users. Distributed
databases utilize multiple nodes. More nodes in the system provide more computing power,
offer greater availability, and resolve the single point of failure issue. Different parts of the
distributed database are stored in several physical locations, and the processing requirements
are distributed among processors on multiple database nodes.
Figure: Architecture of Distributed Database System

Advantages of Distributed Database


• Reliability
• Lower communication cost
• Better Response
Disadvantages of Distributed Database
• Costly software
• Data integrity
• Improper data distribution



5.2.2 Database Administration
A database administrator (DBA) is an information technician who is in charge of directing or
conducting all tasks connected to keeping a database system running smoothly. A database
administrator ensures that an organization's database and related applications are functioning
and efficient. The job of database administration is to manage and maintain database
management systems (DBMS) software.

The fundamental function of database administration is to guarantee that the database is always
accessible when it is required. This usually requires regular proactive monitoring and
troubleshooting. This, in turn, necessitates considerable technical expertise on the DBA's part. The
DBA or database administrator will require expertise and maybe training in the platform
(database engine and operating system) on which the database operates, in addition to an
in-depth understanding of the database in question.

Responsibilities of a Database Administrator (DBA)


Each database requires at least one database administrator (DBA). A database administrator’s
responsibilities can include the following tasks:
• Installing and upgrading the database server and application tools.
• Allocating systems storage and planning future storage requirements for database
system.
• Enrolling users and maintaining system security.
• Monitoring and optimizing the performance of database.
• Controlling and monitoring user access to the database.
• Planning for backup and recovery of database information.
• Maintaining archived data on tape.
• Backing up and restoring the database.

5.3 Data Access Control


Data access typically refers to software and activities related to storing, retrieving, or acting on
data housed in a database or other repository. Data access is simply the authorization a user
has to access different data files. Data access can help distinguish the abilities of administrators
and users. For example, admins may be able to remove, edit and add data, while a general user may not
be able to, as they don’t have access to that particular file. Data access control is a basic
security feature that allows you to limit access based on a set of restrictions. You can help
keep personally identifiable information (PII), intellectual property, and other private
information out of the wrong hands by setting strong data access controls, whether internally
or externally.

Restricting Access
Steps to restrict database access within an organization:
• Implement Separation of Duties (SOD), which is a preventive control.
• Establish test and production environments, which is a preventive control.
• Restrict user account and database administrator access, which is a preventive control.
• Turn on audit trails, monitoring software, or exception reports, which are detective
controls.

Password Policy
Passwords are an important aspect of computer security. They are the front line of protection
for user accounts. A poorly chosen password may result in a compromise of the bank’s entire
system. So, banks need to deploy a password policy for protecting the system from unexpected
incidents. A password policy is a set of rules designed to enhance computer security by
encouraging users to employ strong passwords and use them properly. A password policy is
often part of an organization's official regulations and may be taught as part of security
awareness training.

Typical components of a password policy include:


Password Length and Formation
Many policies require a minimum password length (eight characters is typical but may not be
appropriate). A more appropriate length is 15 characters. Some policies suggest or impose
requirements on what type of password a user can choose, such as:
• the use of both upper- and lower-case letters (case sensitivity), e.g. A, p, D
• inclusion of one or more numerical digits, e.g. 4, 9, 1
• inclusion of special characters, e.g. @, #, $
• prohibition of words found in a dictionary or the user's personal information, e.g. happy,
love, bank
• prohibition of passwords that match the format of calendar dates, license plate numbers,
telephone numbers, or other common numbers, e.g. your date of birth, cell number
• prohibition of use of the company name or an abbreviation, e.g. nccbl



Password Duration
Some policies require users to change passwords periodically, e.g. every 90 or 180 days. The
benefit of password expiration, however, is debatable. Systems that implement such policies
sometimes prevent users from picking a password too close to a previous selection.

Common Password Practice


Do not use your User ID as your password. Do not share passwords with anyone, including
administrative assistants or secretaries. All passwords are to be treated as sensitive,
confidential information. Password policies often include advice on proper password
management such as:
• never share a computer account
• never use the same password for more than one account
• never tell your password to anyone, including people who claim to be from customer
service or security
• never communicate a password by telephone, e-mail or instant messaging
• being careful to log off before leaving a computer unattended
• changing passwords whenever there is suspicion they may have been compromised
• keeping operating system passwords and application passwords different
• using alpha-numeric passwords
• never use online password generation tools
• never share passwords with family members
• never reveal or share your password with your boss
• never write passwords down and store them anywhere in your office
• never talk about your password in front of others

Password strength is a measure of the effectiveness of a password in resisting guessing and
brute-force attacks. A simple brute force attack uses automation and scripts to guess passwords.
Typical brute force attacks make a few hundred guesses every second. Simple passwords, such
as those lacking a mix of upper- and lowercase letters and those using common expressions
like '123456' or 'password,' can be cracked in minutes. The strength of a password is a function
of length, complexity, and unpredictability.
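
The formation rules under "Password Length and Formation" and the strength discussion above can be checked mechanically. The following is an added example, not part of the original manual; the word list, the guess rate of 300 per second and the function names are assumptions chosen for illustration.

```python
import re

MIN_LENGTH = 15                  # the length the text calls more appropriate
COMPANY_TERMS = {"nccbl"}        # the company abbreviation the text gives as an example
DICTIONARY = {"happy", "love", "bank", "password"}  # constructed sample word list
GUESSES_PER_SECOND = 300         # assumption for "a few hundred guesses every second"

# Calendar dates such as 28/02/2022 or 28-02-22, and digit runs long enough to be
# a compact date (28021990) or a telephone number.
NUMBER_PATTERN_RE = re.compile(r"\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}|\d{8,}")


def policy_violations(password, user_id, personal_info=()):
    """Return the list of policy rules that the candidate password breaks."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("needs at least one digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character")
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    if any(term in lowered for term in COMPANY_TERMS):
        problems.append("contains the company name or abbreviation")
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    if NUMBER_PATTERN_RE.search(password):
        problems.append("contains a date or phone-number pattern")
    return problems


def charset_size(password):
    """Size of the alphabet implied by the character classes the password uses."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33               # printable ASCII punctuation plus space
    return size


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Time to try every string of this length over that alphabet.

    This is an upper bound for exhaustive search only. Common choices such as
    '123456' are tried first from a word list and fall far sooner.
    """
    return charset_size(password) ** len(password) / rate


if __name__ == "__main__":
    samples = [("Nccbl@2022", "arafat"), ("tr4Verse-Quilt!Mango9", "rahim")]
    for candidate, user in samples:
        print(candidate, policy_violations(candidate, user),
              "%.3g s" % worst_case_seconds(candidate))
```

For `123456` the exhaustive bound is under an hour at this rate, which matches the "cracked in minutes" claim; length dominates the result because it is the exponent.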



AAA (Authentication, Authorization, Accounting)
Data access control ensures that users are who they say they are and that they have the authority
to access the data by validating their identification. The following are the three primary
components of data access control:
Authentication: Authentication means checking the identity of the entity that is trying to
access the database. A multifactor authentication system might be used to verify the user's
identity.
Authorization: Authorization determines not just the level of access each user has to the
database, but also the activities the person may perform, depending on regulations set by the
organization.
Accounting: The resources used by a user during access are measured through accounting.
This may include the amount of system time or data delivered and/or received by a user during
a session. Accounting involves recording session statistics and use data, which is used for
authorization control, charging, trend analysis, resource consumption, and capacity planning.
Authentication, authorization, and accounting must be implemented consistently throughout
the whole environment for data access control to be successful.

Categorization of Authentication Methods


Methods for authentication can be organized into a few basic categories. They can be one of
several things directly related to the user. Basically, this is something the user knows,
something the user possesses, the way the user behaves, or a physical characteristic of the user.
The following table categorizes some of the authentication methods. Note that this is not an
exhaustive list.
| User Knows | User Possesses | User Behaviors | User’s Physical Characteristics |
|---|---|---|---|
| Password | Swipe Card | Speech | Fingerprint/Palm print |
| PIN | Proximity Card | Signature | Hand Geometry |
| Identifiable Picture | USB Token | Keyboarding Rhythm | Iris Features |

Types of Authentication:
Single-factor authentication:
As the weakest level of authentication, only a single component from one of the three categories
of factors is used to authenticate an individual’s identity. The use of only one factor does not
offer much protection from misuse or malicious intrusion. This type of authentication is not
recommended for financial or personally relevant transactions.



Two-factor Authentication:
When elements representing two factors are required for authentication, the term two-factor
authentication is applied - e.g. a bankcard (something the user has) and a PIN (something the
user knows).

Multi-factor Authentication:
Instead of using two factors as used in 2FA, multiple authentication factors (more than 2
factors) are used to enhance security. This enhances the security of a transaction in comparison
to the 2FA authentication process. MFA works by requiring additional verification information
(factors). One of the most common MFA factors that users encounter is one-time passwords
(OTP). OTPs are those 4- to 8-digit codes that you often receive via email, SMS or some sort of
mobile app. With OTPs a new code is generated periodically or each time an authentication
request is submitted.

5.4 Data Backup and Recovery Procedures


Data Backup
Data backup is the practice of replicating data so that the duplicate set can be recovered in
the case of a data loss. There are a variety of data backup services available today to help
businesses and organizations guarantee that data is safe and that essential information is not
lost in the event of a natural catastrophe, theft, or other emergency.

The popular data backup technique in the early days of personal computers (PC) was to transfer
data from a computer's hard drive onto a collection of tiny floppy disks, which were then kept
in physical containers. Since then, solid-state technology, wireless systems, and other
advancements have allowed IT administrators to back up data remotely or download large
volumes of data onto tiny portable devices. Cloud services and associated alternatives make
distant data storage simple, ensuring data security even if a whole facility or location is hacked,
while RAID (redundant array of independent disks), or mirror, technologies provide automatic
backup solutions.



Types of Data Backup
Three basic types of data backup are full, differential, and incremental.

Full Backup: A full backup is the most complete type of backup, where you clone all the
selected data. This includes files, folders, hard drives and more. The highlight of a full backup
is the minimal time it requires to restore data. However, since everything is backed up in
one go, it takes longer to back up compared to other types of backup.

Differential Backup: A differential backup straddles the line between a full and an
incremental backup. This type of backup involves backing up data that was created or changed
since the last full backup. To put it simply, a full backup is done initially, and then subsequent
backups are run to include all the changes made to the files and folders. It lets you restore data
faster than full backup since it requires only two backup components: an initial full backup and
the latest differential backup. Let’s see how a differential backup works:

Day 1 – Schedule a full backup.
Day 2 – Schedule a differential backup. It will cover all the changes that took place between
Day 1 and Day 2.
Day 3 – Schedule a differential backup. It will make a copy of all the data that has changed
from Day 2 (this includes the full backup on Day 1 + differential backup) and Day 3.

Incremental Backup
The first backup in an incremental backup is a full backup. The succeeding backups will only
store changes that were made since the previous backup. Businesses have more flexibility in
running these types of backups as often as they want, with only the most recent changes stored.
Incremental backup requires space to store only the changes (increments), which allows for
lightning-fast backups.
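
The trade-off between the three backup types can be seen by running them over the same change log. This is an added example, not part of the original manual; the file names, the four-day schedule and the helper functions are constructed for illustration, and file deletions are not modelled.

```python
# Constructed sample: what was written on each of four days (file -> content).
SAMPLE_CHANGES = [
    {"ledger.db": "v1", "customers.db": "v1", "rates.csv": "v1"},  # Day 1
    {"ledger.db": "v2"},                                           # Day 2
    {"customers.db": "v2"},                                        # Day 3
    {"ledger.db": "v3", "kyc.db": "v1"},                           # Day 4
]


def run_schedule(kind, changes_by_day):
    """Simulate one backup per day; Day 1 is always a full backup."""
    if kind not in ("full", "differential", "incremental"):
        raise ValueError("unknown backup type: %s" % kind)
    live = {}                       # current state of the data being protected
    backups = []
    changed_since_full = set()      # what a differential must copy
    changed_since_last = set()      # what an incremental must copy
    for day, changes in enumerate(changes_by_day, start=1):
        live.update(changes)
        changed_since_full |= set(changes)
        changed_since_last |= set(changes)
        if day == 1 or kind == "full":
            backups.append({"day": day, "type": "full", "files": dict(live)})
            changed_since_full = set()
        elif kind == "differential":
            files = {name: live[name] for name in changed_since_full}
            backups.append({"day": day, "type": "differential", "files": files})
        else:
            files = {name: live[name] for name in changed_since_last}
            backups.append({"day": day, "type": "incremental", "files": files})
        changed_since_last = set()
    return backups


def restore_chain(backups, day):
    """Backup sets that must be read, in order, to restore the state as of `day`."""
    upto = [b for b in backups if b["day"] <= day]
    last_full = max(i for i, b in enumerate(upto) if b["type"] == "full")
    chain = [upto[last_full]]
    later = upto[last_full + 1:]
    if later and later[-1]["type"] == "differential":
        chain.append(later[-1])     # full + latest differential only
    else:
        chain.extend(later)         # full + every incremental since it
    return chain


def restore(backups, day):
    """Replay the chain; later sets overwrite older copies of the same file."""
    state = {}
    for backup in restore_chain(backups, day):
        state.update(backup["files"])
    return state


def summarize(kind, changes_by_day):
    """File copies written in total, and sets needed to restore the last day."""
    backups = run_schedule(kind, changes_by_day)
    return {"copied": sum(len(b["files"]) for b in backups),
            "sets_to_restore": len(restore_chain(backups, len(changes_by_day)))}


if __name__ == "__main__":
    for kind in ("full", "differential", "incremental"):
        print(kind, summarize(kind, SAMPLE_CHANGES))
```

Incremental backups copy the least data but need every set since the last full backup to be intact at restore time; a single missing or corrupt increment breaks the chain, which is why restores should be tested and not only backups.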



Data Recovery
Data recovery, in computing, is the process of recovering deleted, inaccessible, lost, corrupted,
damaged, or formatted data from secondary storage, portable media, or files when the data
contained there cannot be accessed in the usual way. Internal or external hard disk drives (HDDs),
solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, and other electronic
devices are often used to recover data.

Sample Questions:
1. Distinguish between centralized and decentralized database.
2. Discuss the importance of data backup in a bank. Compare different types of backup
with example.
3. Discuss different types of authentication methods with example.
4. Write down the roles and responsibilities of a database administrator in a bank.
5. “Data management is a big challenge for banks” Why?



Chapter-6
Cashless Payment and Fund Transfer Mechanism

6.1 Cashless Payments


A cashless society can be simply defined as an economic concept or state where all financial
transactions take place through the transfer of digital information instead of physical banknotes or
coins. Today, cashless payments are possible due to debit cards, credit cards, mobile
wallet apps, point of sale (POS), mobile banking, internet banking, etc.

6.1.1 Types of Cashless Payment Methods


Utilizing mobile phones to make payments instead of opting for the traditional modes of
payment has increased tremendously since demonetization. In cashless transactions, payments
are made or accepted without the use of hard cash. This includes payments made via
credit/debit cards, cheques, DD, NEFT, RTGS or any other form of online payment that
removes the need for cash. Here are a few other kinds of cashless transactions that are widely
utilized.

Plastic Cards: Banking cards like debit and credit cards are among the most used cashless
payment methods across the world. Banking cards come with various benefits like secure
payments, convenience, and many more. One of the biggest advantages of banking cards is that
they can also be used for making other types of digital payments. For example, a user can store
his card information in the mobile wallets or digital payment apps to make cashless payment.
Moreover, banking cards can be also used in online purchases, POS machines, online
transactions, etc. There are many reputed names like MasterCard and Visa when it comes to
banking cards.

USSD: Unstructured Supplementary Service Data (USSD) is a cashless payment option for
those who don’t have a smartphone. The advantage of this method is that the user can make
payments without a smartphone device or internet facility. In this method, the user must dial a
code like *99# to interact with an interactive voice menu via a mobile screen. However, to use
this service, the customer must ensure that his mobile number is the same as the one
linked with the bank account.



Mobile Banking Applications: Most of the larger banks offer banking apps, with which
business owners can transfer funds between bank accounts instantly. They can also view their
account balance and transaction history at any time. Mobile wallet applications are quickly
gaining traction due to their fast, secure, and convenient payment methods. These are mobile
applications which allow the user to send, receive, and store money. A user can add or store
money in his wallet by simply linking his bank account. Similarly, a user can also send money
to his friends, relatives, or any other person by entering phone number, email ID, unique ID,
or scanning QR code. Moreover, a user can also make payments to merchants and pay various
utility bills like water bill, electricity bill, mobile recharge, and many more directly from the
mobile wallet app.

E-wallets: E-wallets are a popular mode of online payment (PayTM and MobiKwik being the
most widely used providers in India). The user should register their mobile number with the
app and link their credit or debit card(s) to make payments. Users should also provide their
KYC details to make payments through the digital wallets. KYC is a verification process which
requires firms to collect information from their customers including their identification details
and biometrics. E-wallets can be used in places that debit/credit cards can’t, as not a lot of small
businesses invest in card machines.

QR Codes: QR stands for Quick Response. It’s a two-dimensional code that has a pattern of
black squares which are arranged on a square grid. QR codes are read by imaging devices such
as smartphone cameras. QR codes are widely used for making cashless payments in which a
user just has to scan the QR code of the merchant service to complete the transaction. QR code
payment is a contactless payment method where payment is performed by scanning a QR
code from a mobile app. This is an alternative to doing electronic funds transfer at point of
sale using a payment terminal. This avoids a lot of the infrastructure traditionally associated
with electronic payments such as payment cards, payment networks, payment terminal
and merchant accounts. To make a QR code payment, the consumer scans the QR code
displayed by the merchant with their smartphone to pay for their goods. They enter the amount
they have to pay and finally submit. This is a more secure card-not-present method than others.



Contactless Payments: Contactless payment is a convenient and secure method which enables
the users to purchase products by simply tapping a card near a point of sale terminal. The card
can be simply a debit, credit, or smart card which is also known as the chip card that is based
on NFC (near field communication) or RFID (Radio Frequency Identification) technology.
Contactless payments are extremely convenient as they don’t require any signature or PIN.
Moreover, you can also make contactless payments via NFC-enabled phones that are directly
linked with a mobile wallet. In this case, the user simply has to keep his NFC-enabled phone near the
reader to make the payment.

POS Terminals: Traditionally, POS terminals are handheld devices present at the
stores. These devices are used to read banking cards of the customers. However, the scope of
POS is expanding as these services are now available on various mobile platforms via the
internet. Nowadays, POS can be bifurcated into different types like Physical POS, virtual POS,
Mobile POS, etc. Mobile POS is beneficial for small businesses as they don’t need to invest in
expensive electronic registers, since the Mobile POS operates through the smartphones and
tablets. Similarly, virtual POS systems use web-based applications for its operation.

6.1.2 Major Benefits of a Cashless Society


Convenience: The feasibility of making and receiving payments is the key factor for
prioritizing digital payments. Online payments rule out the necessity to carry cash, and they
also save time, as business owners and customers no longer have to queue up for ATM services.
Payment apps also help you keep track of your incoming and outgoing funds, which comes in
handy while filing returns.

Security: Digital payment modes are made secure with varying levels of encryption and data
authentication. Most payment modes have enabled two-factor authentication (2FA) to add an
extra layer of security. Also, it’s always easier and safer to carry a smartphone rather
than carrying wads of cash.

Reduced Costs and Business Risks: Cashless payments eliminate several business risks at
once, such as theft of cash by employees, counterfeit money, and robbery of cash. Moreover,
they also reduce the costs of security, withdrawing cash from the bank, transporting, and
counting.

Transaction Speed: Making cash payments is time consuming for customers as well as the
merchant or employee. That’s the reason why many businesses have decided to go cashless so
that they can leverage faster transactions and increased efficiency. Faster transactions also lead
to enhanced customer satisfaction, increased revenue, and fewer errors.

Seamless International Payments: Whenever someone visits a foreign country, they need to
buy the foreign currency. However, with cashless payment solutions, they don’t need to do it
any longer as they can make transactions directly from their cashless payment apps in
accordance with the currency exchange rate.

An Efficient Tool to Fight Corruption: Cashless payments can become one of the greatest
means to fight corruption and organized crime throughout the world. If all people were
connected via an end-to-end payment infrastructure that creates a cashless environment, there
would be complete transparency in the flow of money. Whether it is a private investment or
international aid, everyone digitally connected in the cashless environment would be able to
view where exactly the money went and how it was spent. Any sum appearing outside of that
framework could immediately be flagged and investigated. This would narrow the focus for
law enforcement and forensic accountants, making it easier to target and recoup hidden
money.

6.2 Plastic Cards in Details


The word "plastic" usually refers to paying with credit and debit cards instead of cash (bills
and coins) or a bank cheque. And for a good reason: the cards are made of plastic. More
precisely, the plastic that credit cards are composed of is polyvinyl chloride acetate, most
commonly known as PVCA or PVC.

A plastic card is a personalized payment tool that lets its holder make non-cash payments for
goods and services, as well as withdraw cash at bank branches and ATMs. The first credit card
appeared in the early 1950s. Cards subsequently began to improve: in the 1970s a magnetic
stripe first appeared, which contained information on the cardholder and the state of his
account, and in the 1990s cards gained chips.

Let’s consider the types of plastic cards. Bank cards are debit, credit, and prepaid.
A debit card is a plastic bank card used to pay for goods and services with the cash available
in your account, and to withdraw cash from ATMs. A credit card allows you to make purchases
or other transactions on credit.

Plastic cards are divided into:


• Local - limited to the borders of the country. Some local credit cards available in the card
market are VISA Classic Local, VISA Gold Local, MasterCard Silver Local, and
MasterCard Gold Local. Almost all credit card issuing banks issue this type of
credit card.
• International - used both abroad and inside the country. Major international cards are
VISA, Maestro, MasterCard, etc.

6.2.1 Magnetic Stripe Card vs. Chip Card


The magnetic stripe credit card has been standard for many years, but a new credit card
standard is now taking over the market across the world: the chip card, which has the
significant benefit of providing enhanced security during transactions. Here, we look at the
main differences between the two so that you can decide which one is better for you.

Magnetic Stripe Card


Magnetic stripe cards are traditional credit cards that are also known as swipe cards. As its
name suggests, it contains a magnetic stripe that is generally found on the back of cards.
Figure: Magnetic Stripe Plastic Card

Until a few years ago, almost every credit card transaction was made with a magnetic stripe
reader. The sole purpose of the magnetic stripe is to store data and communicate it from your
card to the transaction terminal when you make a transaction using that card. The magnetic
stripe stores data such as your full name, card number, the card’s expiration date, and the
country code of your card’s origin. It can contain a maximum of 60 characters
magnetically.

But the main problem is that if someone can steal the card information during a magnetic stripe
transaction, then they can also use your credit card information for future transactions which is
not safe at all. This is a big problem with the magnetic stripe transaction. But thankfully, the
chip card has solved this issue.

Chip Card
The chip card looks and functions just like the magnetic stripe card, but it is more secure
and intricate than magnetic cards, and it also changes the way we interact with the transaction
terminal. Chip cards are sometimes also known as EMV chip cards, with EMV denoting the
developers of the chip, i.e. Europay, MasterCard, and Visa. These three were the founding
members of this standard, creating the name EMV in 1993.
Figure: Chip Plastic Card

EMV chip cards work by embedding an actual computer chip into the card instead of a
magnetic stripe. This small computer chip is placed on the top part of the credit card
in order to communicate with transaction terminals. These computer chips enable a much more
secure and intricate transaction process to take place. The transaction process goes like this:
• The card is inserted into the transaction terminal.
• The terminal contacts the computer chip that is embedded inside the card through pins.
• Chip is enabled; terminal verifies the bank from the chip placed on the top of the card.
• Computer chip also verifies the details of PIN.
• Terminal signs transaction with the public key given from chip.
• Information is sent to the issuer for official authorization.
• And then, the transaction is completed successfully.

6.2.2 How is a Chip Card Better than a Magnetic Stripe Card?


The key difference between magnetic stripe cards and chip cards is that chip cards are more
secure and better protected. As discussed above, magnetic stripe card readers follow a simple
process. If someone has access to the data stored in the magnetic stripe, they can easily
replicate it again and again. Magnetic stripe card readers do not have that level of
protection. Chip cards, however, offer a higher level of data encryption. Rather than utilizing
a magnetic stripe, chip cards use an actual computer chip to interface with the terminal.
This makes it quite difficult or almost impossible for someone to steal card information. In
addition, it is much easier for card algorithms to stop fraudulent transactions in their
tracks. Both magnetic stripe cards and chip cards work for processing transactions, but in
modern times, when credit card theft and fraud are becoming more common with each
passing day, going for the safer and more secure option definitely makes sense.
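
The difference described above, static stripe data that can be copied versus a chip that produces fresh data for every transaction, can be shown in a short simulation. This is an added example, not part of the original manual: it is a simplified model in which HMAC-SHA256 stands in for the card scheme's real cryptogram algorithm, and the class names, card number and amounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed test values, not a real account.
PAN = "4000000000000002"
EXPIRY = "2712"


def read_stripe(pan, expiry):
    """A magnetic stripe returns the same static data on every swipe."""
    return {"pan": pan, "expiry": expiry}


class ChipCard:
    """Simplified chip: the key stays on the card, the counter rises per use."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._counter = 0

    def cryptogram(self, amount, terminal_nonce):
        # Every transaction is bound to a new counter value and the amount.
        self._counter += 1
        fields = f"{self.pan}|{self._counter}|{amount}|{terminal_nonce}".encode()
        mac = hmac.new(self._key, fields, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "counter": self._counter, "amount": amount,
                "nonce": terminal_nonce, "mac": mac}


class Issuer:
    """Issuing bank: knows each card's key and the last counter it accepted."""

    def __init__(self):
        self._cards = {}

    def issue(self, pan, expiry):
        key = secrets.token_bytes(32)
        self._cards[pan] = {"expiry": expiry, "key": key, "last_counter": 0}
        return ChipCard(pan, key)

    def authorise_stripe(self, data):
        # Only static data is available, so a copy looks exactly like the original.
        card = self._cards.get(data["pan"])
        if card is None or card["expiry"] != data["expiry"]:
            return (False, "unknown card")
        return (True, "approved")

    def authorise_chip(self, msg):
        card = self._cards.get(msg["pan"])
        if card is None:
            return (False, "unknown card")
        fields = f"{msg['pan']}|{msg['counter']}|{msg['amount']}|{msg['nonce']}".encode()
        expected = hmac.new(card["key"], fields, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return (False, "bad cryptogram")      # data changed or wrong key
        if msg["counter"] <= card["last_counter"]:
            return (False, "replayed counter")    # message was seen before
        card["last_counter"] = msg["counter"]
        return (True, "approved")


def demo():
    issuer = Issuer()
    chip = issuer.issue(PAN, EXPIRY)
    swipe = read_stripe(PAN, EXPIRY)
    copied_swipe = dict(swipe)                    # stolen stripe data
    genuine = chip.cryptogram(amount=1500, terminal_nonce=secrets.token_hex(4))
    replayed = dict(genuine)                      # captured chip message, resent
    altered = dict(genuine, amount=150000)        # captured message, amount edited
    return {
        "stripe_original": issuer.authorise_stripe(swipe),
        "stripe_copy": issuer.authorise_stripe(copied_swipe),
        "chip_genuine": issuer.authorise_chip(genuine),
        "chip_replay": issuer.authorise_chip(replayed),
        "chip_altered": issuer.authorise_chip(altered),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The copied stripe data is approved because the issuer has nothing to tell it apart from the original, while the resent and edited chip messages are both declined.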

6.3 A Case Study on Electronic Payment Mechanism


This is the story of what happens when you pay online using a card – either a debit card or
credit card. The online payment ecosystem:
• Consumer – Any individual who is making a payment online. Also called the
‘cardholder’ in the Banking & Financial Services Industry.
• Merchant – Any business that sells goods or services online and has the facility or means
to process card payments online. Usually, this is a website or mobile application where
customers shop. In this case it is “Swiggy”.

• Issuing Bank – Any bank that issues a debit or credit card to their customers. Most
banks would display their name, logo and contact information on their cards.
• Acquiring Bank – Any bank that has the obligation with a merchant to process their
online card payments. In cases of successful transactions, money is deducted from a
customer’s account by the issuing bank and then subsequently transferred to an
acquiring bank.
• Card Network – Often called ‘Card brands’ or ‘Card schemes’; these are companies
that connect the issuing bank and acquiring bank to facilitate an online payment. Rupay,
Visa, MasterCard or Amex are examples of this.
• Payment Processor – Companies such as Razorpay that provide simple and effective
solutions to merchants and enable them to accept payments online. A payment
processor adds value by being a single point of contact for merchants and several third-
party banks and processing online payment transactions with better success rates.
• Payment Gateway – This is the technology that processes your online card payments.
This is usually owned by a bank, in most cases, the acquiring bank. Think of this like a
counter or window in a traditional banking setup that is exclusive for online payments.
Just like an offline banking transaction, protocols are followed here as well to verify
payment requests. Every payment gateway is connected via card networks. Every bank
has its own payment gateway and these vary in success rates to process an online
payment depending on various factors.
• 3DS Transaction – Card payment transactions are also called 3DS transactions, i.e. 3
Domain Secure transactions. They are called 3 Domain because three major
players are involved in processing the payment from customers to merchants, namely
the Issuing Bank, the Acquiring Bank, and the Card Network.

6.4 Cashless Payment and Settlement Systems of Bangladesh Bank


Payment and settlement systems are the means by which funds are transferred among financial
institutions, businesses, and individuals, and they are considered a critical factor for the
proper functioning of a country's financial system. With the mandate of the Bangladesh Bank
Order 1972, the Payment Systems Department (PSD) endeavors to promote new payment,
clearing and settlement systems to ease financial transactions and ensure circulation of money
in the economy, and also enforces new rules and regulations to facilitate payment systems
innovation in the country. The Payment Systems Department’s core objective includes
establishing modern and efficient interbank payment, clearing and settlement systems. In
parallel, the department looks after the law, regulation, licensing and oversight of the
payment systems. The cashless payment and settlement systems of the Payment Systems
Department of Bangladesh Bank may be divided into the following three major categories:
• Bangladesh Automated Clearing House (BACH) the first ever electronic clearing house
of Bangladesh, has two components -
✓ Bangladesh Automated Cheque Processing Systems (BACPS)
✓ Bangladesh Electronic Funds Transfer Network (BEFTN)
• National Payment Switch Bangladesh (NPSB)
• Bangladesh Real Time Gross Settlement (BD-RTGS)

Bangladesh Automated Cheque Processing Systems (BACPS)


Bangladesh Automated Cheque Processing Systems (BACPS) started its 'Live Operation'
on 7th October 2010 in the Dhaka Clearing House area. BACPS uses Cheque Imaging and
Truncation (CIT) technology for electronic presentment and payment of paper instruments (i.e.
cheques, pay orders, dividend and refund warrants, etc.). The system supports both
intra-regional and inter-regional clearing and is based on a centralised processing centre
located in Dhaka and in designated clearing regions. There are two types of cheque clearing
under BACPS: High Value (HV) and Regular Value (RV) cheque clearing. Cheques amounting to
Tk. 5,00,000 or above are eligible for HV clearing, which has a shorter clearing cycle than RV.

Objectives of BACPS
• To facilitate the clearing and settlement of paper-based payment instruments
among Scheduled Banks operating in Bangladesh;
• To reduce time and cost of domestic clearing and settlement cycle and to protect
the customer interest;
• Minimize paper handling and manual intervention at the cheque clearing process;
• Ensure timely, accurate and efficient transfer of funds among participants (i.e.
Bank customers) using paper-based instruments and
• Maintain proper risk mitigation measures and dictate storage and retrieval of
image and information of all transactions for future reference.

Bangladesh Electronic Funds Transfer Network (BEFTN)
BEFTN started its 'Live Operation' on 28th February 2011 with the objective of decreasing
paper-based payment methods and encouraging electronic payment methods for secure, faster
and cost-effective transactions. The network started with credit transactions and opened for
debits from 15 September 2011. BEFTN facilitates the transmission of payments between banks
electronically, which makes it a faster and more efficient means of inter-bank clearing than
the existing paper-based system, i.e. BACPS. It is able to handle a wide variety of credit
transfers such as payroll, foreign and domestic remittances, social security, company
dividends, retirement, expense reimbursement, bill payments, corporate payments, government
tax payments, social security payments and person-to-person payments. The system can also
handle debit transfers such as mortgage payments, loan payments, insurance premiums, utility
bill payments, government tax payments, and government licenses and fees. EFT is gaining
increasing popularity among corporate and government bodies. The salaries of more than 28
ministries and government offices are now paid through EFT. Listed public companies are
paying their cash dividends through the EFT network.

National Payment Switch Bangladesh (NPSB)


National Payment Switch Bangladesh (NPSB) is an electronic platform that started its operation
on 27 December 2012 with a view to attaining interoperability among scheduled banks for
card-based/online retail transactions. At present, NPSB is processing interbank Automated
Teller Machine (ATM), Point of Sale (POS), and Internet Banking Fund Transfer (IBFT)
transactions. There are 53 banks operating card business in the country. Among these 53 banks,
51 are interoperable for ATM transactions through NPSB. That is, a cardholder of any of
these 51 NPSB member banks can use the ATMs of all other banks throughout the country.
Cardholders get banking services like cash withdrawal, mini statement and balance
inquiry 24/7 from almost all ATMs in the country. As a result, long queues at the cash counters
of banks are decreasing. Moreover, banks that are yet to install ATMs and POS can issue cards
to their clients. A cardholder has to pay 15 taka per transaction (including VAT) for cash
withdrawal and 5 taka (including VAT) for each mini statement or balance inquiry using
another bank's ATM. 48 banks are presently interoperable for POS transactions through NPSB.
Cardholders from those banks can use the POS of all NPSB member banks in different merchant
outlets for their retail purchases. The necessity of holding cash is reducing very fast due to
the large acceptance of cards at the POS of NPSB member banks. Cardholders need not pay any
extra charges for their retail purchases using another bank's POS under NPSB.

NPSB is also processing Internet Banking Fund Transfer (IBFT) transactions of many banks.
An account or card holder of an IBFT member bank can transfer funds (account to account/card
and card to card/account) to other banks through internet banking. A customer may make up to
five transactions a day, with a daily total of at most Tk 2,00,000 (two lac). Each transaction
may be at most Tk. 50,000 (fifty thousand). Banks will ensure two-factor authentication for
internet banking to maintain security. Banks can provide services like utility bill payment,
credit card bill payment, loan installment payment, insurance premium payment etc. to their
customers through internet banking from home or office.

The Central Bank is making a continuous effort to tighten the security of NPSB by adopting
international standards and best practices of card-based payment. A safe, secure and efficient
retail payment system always involves active participation from all stakeholders (banks,
customers, government). Therefore, the Central Bank has pledged to move forward together
with all of them.

Real Time Gross Settlement (RTGS)


To facilitate a safe, secure and efficient interbank payment system, Bangladesh Bank
introduced the Real Time Gross Settlement (RTGS) system on 29th October 2015 as part of its
inclusive digitalization initiative. It opened a new horizon in the arena of large-value,
time-critical payment and settlement in the country. RTGS is an electronic settlement system
where the transfer of funds takes place from one account of a bank to that of another bank on
a real-time and gross basis. Real-time refers to transactions that do not need any waiting
period; transactions are settled as soon as they are executed. The system is designed to
settle high-value (more than or equal to 1,00,000 BDT) local currency transactions as well as
domestic foreign currency transactions. It is worthwhile to mention that more than 7000 online
branches of 55 scheduled banks are currently connected to this system, out of a total of 11000
bank branches of 57 banks in the country. The system is currently allowed to handle only local
currency; however, domestic foreign currency transactions are expected to be launched soon.

*Data Given: Up to January, 2020

Sample Questions:
1. Which method of payment is the best for developing a purely cashless society?
2. What are the advantages of cashless payments?
3. What are the major risks of cashless payments in Bangladesh?
4. Why is a chip card considered more secure than a magnetic card?
5. Which method of cashless payment and settlement system of Bangladesh Bank is the
best according to your opinion?

Chapter-7
Information Security in Electronic Banking

7.1 Fundamentals of IT Security and Cyber Security


A cybercrime survey report by KPMG shows that over the last few years, cybercrimes have
become more intense, sophisticated and potentially devastating for individuals, banks and
nations. Law enforcement agencies are finding it difficult to check and prevent crimes in
cyberspace because the perpetrators of these crimes are faceless and incur very low cost to
execute a cybercrime, whereas the cost of prevention is extremely high. Targets have increased
exponentially due to the increasing reliance of people on the internet. Cybercrimes, which were
restricted to computer hacking until some time ago, have diversified into data theft,
ransomware, child pornography, attacks on Critical Information Infrastructure (CII) and so on.
The increase in cyber incidents across the globe, for instance the data hack at a famous
financial entity, has reinforced that cyber risk, if not managed well, can have a significant
impact. In that case, millions of customers had their personal information compromised, and the
CEO of the organization had to resign due to the backlash faced over the information leakage.

Cyber Threat Landscape


Different countries face a complex cyber threat landscape in which cyber adversaries have
persistent intent to commit espionage and sabotage and to steal corporate data.
• Hackers are 80% more likely to attack organizations in Asia.
• Asian organizations take 1.7 times longer than the global average to discover a breach.
The average dwell time is 146 days globally and 520 days in Asia.
• 70% of firms do not have a strong understanding of their cyber posture. Asian firms spent
47% less on information security than North American firms.
• 78% of internet users in Asia have not received any education relating to cybersecurity.
• 74% of organizations in Asia found it difficult to recruit talent in cybersecurity.
• An anti-cybercrime operation led by INTERPOL in April 2017 uncovered 9000
malware-infected servers and 270 compromised websites in South East Asia.
• The first cases of “WannaCry” infections were reported in Asian countries such as
India, Hong Kong and the Philippines.

Recent attacks in different countries are summarized in the following table.
| Country | Attacks |
|---|---|
| India | 3.2 million debit cards from at least five banks were compromised as cyber attackers introduced malware in the payment services systems. |
| Bangladesh | Cyber attackers stole $ 81 million from the central bank by hacking into an official’s computer and transferring the funds to the Philippines. |
| Hong Kong | Personal data of 6.4 million children were leaked in a cyberattack on a digital toymaker firm. |
| Japan | 7.9 million individual personal details were exposed when Japan’s largest travel agency was compromised. |
| Taiwan | 16 ATM thieves installed three different malware programs into ATMs to steal more than $ 2 million. |
| Philippines | 68 government websites were compromised, including defacement, slowdowns and distributed denial-of-service (DDoS). |
| Vietnam | An airline system was breached and the personal information of 400000 frequent flyers was leaked online. |
| Thailand | $ 350000 from 18 ATMs belonging to a local savings bank was stolen by an individual with a malware-equipped ATM card. |
| Singapore | 850 personnel at the Ministry of Defence had their personal details stolen, in an attempt to access official classified information. |

7.2 What is Information System Security?


Security can be defined as the degree of protection against criminal activity, danger, damage,
and/or loss. Following this broad definition, information security refers to all of the processes
and policies designed to protect an organization’s information and information systems (IS)
from unauthorized access, use, disclosure, disruption, modification, or destruction.

7.3 Core Principles of Information Security


Confidentiality, integrity, and availability are the three core principles of information security.
One or more of these principles must be implemented in every aspect of the information
security program. They are called the CIA Triad together. The ultimate goal of information
security is to maintain the CIA triad within an organization.

Confidentiality: Information is protected by confidentiality procedures to prevent
unauthorized disclosure. The confidentiality principle's goal is to keep personal information
private and available only to those who possess it or need it to execute their organizational
tasks. So, how may we ensure confidentiality? Some key security controls that can be used to
maintain the confidentiality of information are Encryption, Strong Passwords, Two-Factor
Authentication, and Physical and Logical Security Controls.

Integrity: Integrity includes protection against unwanted data modifications such as additions,
deletions, alterations, and so on. The integrity principle assures that data is accurate and
dependable, and that it is not tampered with in any way by someone inside or outside of the
company, whether mistakenly or deliberately. To maintain the integrity of information, banks
can use Hashes (a hash function is any function that can be used to map data of arbitrary
size to fixed-size values), User Access Controls, Secure Backups, etc.

Availability: The capacity of a system to make software systems and data completely
accessible when a user requires it is known as availability. The goal of availability is to make
technological infrastructure, applications, and data accessible when they're required for a
business process or by a company's customers.

All the functions included in information security become valueless if the data is not
available when required, so it is important to ensure this principle. Banks and Financial
Institutions can use Off-Site Backups, Disaster Recovery and Business Continuity Plans, and
so forth to maintain availability of data.

Though these three are the most important principles, there are two other principles that should
grab attention of the information security enthusiasts. They are:

Non-Repudiation: This ensures that users cannot deny doing a certain activity and allows you
to hold individuals responsible for their actions. It is critical that individuals can be held
responsible for their acts, and that they are aware that they will be held accountable, in
order to prevent harmful behavior. Additionally, if an employee violates corporate policy or
the law, they may be disciplined and remedial action taken. Banks can ensure this principle
using tools like Account Logging and Monitoring, Digital Signature (discussed later in
this chapter), and so forth.

Authenticity: This security measure is designed to establish the validity of a transmission,
message, or originator, or a means of verifying an individual's authorization to receive specific
information. It involves proof of identity. A bank can ensure authenticity in its organization
using Secure Sockets Layer (SSL), discussed later in this chapter, Public Key Infrastructure
(PKI), and other measures like multi-factor authentication. (A public key infrastructure is a
set of roles, policies, hardware, software and procedures needed to create, manage, distribute,
use, store and revoke digital certificates and manage public-key encryption.)
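
The use of hashes for integrity and of account logging for accountability, both named above, can be combined in a hash-chained activity log, where each entry's hash covers the previous entry. This is an added example, not part of the original manual; the record fields, user names and function names are constructed for illustration, and keeping the latest hash on a separate system is an assumption of the design.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # value chained into the very first entry

# Constructed sample records; user names and amounts are invented.
SAMPLE_RECORDS = [
    {"user": "teller07", "action": "login", "amount": 0},
    {"user": "teller07", "action": "transfer", "amount": 50000},
    {"user": "officer02", "action": "approve", "amount": 50000},
]


def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus this record's content."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def audit(log, trusted_head):
    """Check every link, then compare the final hash with the copy kept elsewhere."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return f"entry {i} altered"
        prev = entry["hash"]
    if prev != trusted_head:
        # The chain is self-consistent but is not the one that was recorded:
        # it was rebuilt or truncated after the fact.
        return "head mismatch"
    return "ok"


def demo():
    log = []
    for record in SAMPLE_RECORDS:
        append(log, copy.deepcopy(record))
    trusted_head = log[-1]["hash"]       # stored on a separate system

    edited = copy.deepcopy(log)          # one record changed in place
    edited[1]["record"]["amount"] = 5

    rebuilt = []                         # whole chain recomputed after the change
    for entry in edited:
        append(rebuilt, entry["record"])

    return (audit(log, trusted_head),
            audit(edited, trusted_head),
            audit(rebuilt, trusted_head))


if __name__ == "__main__":
    print(demo())
```

A plain hash only protects the log if the reference value is out of reach of whoever can edit the log, which is why the recomputed chain is caught only by the separately stored head.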

7.4 The Threat of Computer and Network System


With the dramatic increase in the use of the public Internet, and with e-commerce solutions
driving the business needs of many companies, both private computers and computer networks
are increasingly vulnerable to damaging attacks if they are not properly secured. One way
of categorizing these threats is: internal and external threats, and structured and
unstructured threats.

Internal threats: These originate from someone who has authorized access to the network,
either with a valid log-on account to a server or direct access to the wire. They are typically
contractors or disgruntled former (or current) employees. A review of reported security
breaches shows that between 60% and 80% of all security breaches fall within this category.

External threats: Individuals working outside the company network and who do not have
authorized access to systems or networks pose these threats. They work their way onto the
network mainly via the Internet and dial-up access servers. Because they are the most widely
reported threats, companies tend to put most money and time into defending against them.

Structured threats: Structured threats come from hackers who are highly motivated,
technically competent and who have time on their side. They know their target’s vulnerabilities
and because they understand coding they can take advantage of them.

Unstructured threats: These come mostly from inexperienced individuals using off-the-peg
hacking scripts and tools that are widely available from the Internet. Nonetheless they must not
be underestimated. Even simple scripts that perform denial of service (DoS) attacks can disable
an entire network.

Who Are the Enemies That Create Threats?
Unaware Staff / Novice: Employees often overlook standard network security rules by, for
example, choosing obvious passwords that are easy to guess or crack. Password cracking
software can solve even the more complicated ones. Employees are also often responsible for
unthinkingly spreading viruses and downloading infected files from the Internet.

Disgruntled staff: Angry employees who may have been reprimanded, fired or laid-off might
vent their anger by infecting the corporate network with viruses or by intentionally deleting
important files. This group is especially dangerous because it is usually far more
knowledgeable about the network, the value of information within it, where high priority
information is stored and the safeguards in place to protect it.

Hackers: Typically, computer enthusiasts who take pleasure in gaining access to other
people’s/organization’s computers or networks. Many hackers are content with leaving behind
‘footprints’, such as joke applications or messages. Others, often referred to as ‘crackers’, are
more malicious, crashing entire computer systems, stealing or damaging confidential data,
defacing web pages and ultimately disrupting business. Some amateur hackers use the ready-
made hacking tools available on-line, doing so without much understanding of how they work
or what they do. "Ethical hacking" refers to people who try to break into systems with the sole
purpose of finding and reporting security flaws to the System owner/administrator.

7.5 Cryptography
The study of secure communication techniques that allow only the sender and intended
recipient of a message to read its contents is known as cryptography. The term comes from the
Greek word "kryptos," which means "hidden." It is closely linked to encryption, which is the
process of scrambling plain text into ciphertext and then back again when it is received.

Encrypting and decrypting email and other plain-text messages is the most prevalent use of
cryptography when transporting electronic data. The symmetric or "secret key" approach is the
most basic method. Data is encrypted with a secret key, and the encoded message and the secret
key are then delivered to the recipient for decoding. This creates a problem: if the message
is intercepted, a third party has all they need to decrypt and read it.

Cryptologists invented the asymmetric or "public key" scheme to address this problem. Every
user has two keys in this case: one public and one private. The public key is something that
anyone can see and access, whereas only the authenticated recipient has access to the private
key. After requesting the recipient's public key, the sender encrypts the message and
transmits it. Only the recipient's private key can decode the message when it arrives;
therefore, theft of the message is useless without the associated private key.

Symmetric Cryptography: The use of a single shared secret key to communicate encrypted
data between parties is known as symmetric cryptography, sometimes known as secret key
cryptography. Symmetric ciphers are named as such because they employ the same key to encrypt
and decode data. To put it another way, the sender encrypts data using a password, which the
receiver must know in order to access the data.

Asymmetric Cryptography: Asymmetric encryption, alternatively referred to as asymmetric
cryptography, enables users to encrypt data with the use of shared keys. You need to send a
message via the internet, but you don't want anybody to see what you've typed except the
intended receiver. Asymmetric encryption may assist you in accomplishing this aim.

Asymmetric cryptography approaches enable the transmission of exceptionally secure data
between two parties. For instance, if you visit a website that begins with "https," you are
interacting with asymmetric encryption.

7.6 Concepts of SSL, Digital Signature and Certificate Authority
Secure Sockets Layer (SSL)
SSL, or Secure Sockets Layer, is an Internet security technology that utilizes encryption. SSL
encrypts data transported over the web to provide a high level of privacy. This implies that
anybody attempting to intercept this data will be presented with a jumbled mixture of characters
that is very hard to decipher. SSL begins an authentication procedure known as a handshake
between two communicating devices in order to verify that both devices are really who they
claim to be. Additionally, SSL digitally signs data to ensure data integrity, verifying that the
data has not been tampered with before reaching its intended receiver.

Digital Signature
A digital signature is a mathematical method that is used to verify the validity and integrity of
a communication, piece of software, or other digital document. It's the electronic equivalent of
a handwritten signature or stamped seal, but with far more inherent security. A digital signature
is meant to address the issue of tampering with and impersonating electronic communications.
Figure: Digital Signature

Digital signatures may serve as proof of an electronic document's origin, identity, and status.
Additionally, signers may use them to signify informed consent. Digital signatures are
regarded as legally binding in many nations, including the United States, in the same way that
conventional handwritten document signatures are.

Certificate Authority
A certificate authority or certification authority (CA) is an organization in cryptography
that issues digital certificates. A digital certificate certifies that the named subject of the
certificate owns a public key. This enables others (relying parties) to place their trust in
signatures or statements made regarding the private key associated with the certified public
key. A CA serves as a trusted third party, trusted by both the certificate's subject (owner)
and the party relying on the certificate.
Figure: Certificate Authority

Certificate authorities are often used to sign certificates used in HTTPS, the World Wide Web's
secure browsing protocol. Another typical use is for national governments to issue
identification cards for the purpose of electronically signing documents.
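
The signing and certificate checks described under Digital Signature and Certificate Authority above, as an added example (not part of the original manual). It uses Ed25519 signatures from Node.js's built-in crypto module; the certificate is a simplified JSON record rather than a real X.509 certificate, and the names "Example Root CA" and "Example Bank Ltd", the payment order and all function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// The bytes a CA signs: the binding between a subject name and a public key.
function certBody(cert) {
  return Buffer.from(JSON.stringify([cert.subject, cert.issuer, cert.publicKeyPem]), 'utf8');
}

// The CA vouches that `subject` owns `subjectPublicKey` by signing that binding.
function issueCertificate(issuerName, issuerPrivateKey, subject, subjectPublicKey) {
  const cert = {
    subject,
    issuer: issuerName,
    publicKeyPem: subjectPublicKey.export({ type: 'spki', format: 'pem' }),
  };
  cert.signature = crypto.sign(null, certBody(cert), issuerPrivateKey).toString('base64');
  return cert;
}

// The signer uses the private key; the signature travels with the document.
function signDocument(privateKey, document) {
  return crypto.sign(null, Buffer.from(document, 'utf8'), privateKey).toString('base64');
}

// A relying party trusts only the CA's public key. It first checks that the
// certificate was issued by that CA, then checks the document signature
// against the public key named in the certificate.
function verifySignedDocument(trustedCaPublicKey, cert, document, signatureB64) {
  const certOk = crypto.verify(
    null, certBody(cert), trustedCaPublicKey, Buffer.from(cert.signature, 'base64'));
  if (!certOk) return { ok: false, reason: 'certificate not issued by the trusted CA' };

  const signerKey = crypto.createPublicKey(cert.publicKeyPem);
  const docOk = crypto.verify(
    null, Buffer.from(document, 'utf8'), signerKey, Buffer.from(signatureB64, 'base64'));
  if (!docOk) return { ok: false, reason: 'document altered or not signed by the certificate subject' };

  return { ok: true, signer: cert.subject };
}

function runScenarios() {
  const ca = crypto.generateKeyPairSync('ed25519');
  const bank = crypto.generateKeyPairSync('ed25519');
  const impostor = crypto.generateKeyPairSync('ed25519');

  const bankCert = issueCertificate('Example Root CA', ca.privateKey, 'Example Bank Ltd', bank.publicKey);
  const order = 'PAY BDT 10,000 TO ACCOUNT 1111-SAMPLE'; // constructed sample
  const signature = signDocument(bank.privateKey, order);

  // An impostor can copy the names, but cannot produce the CA's signature.
  const selfMadeCert = issueCertificate(
    'Example Root CA', impostor.privateKey, 'Example Bank Ltd', impostor.publicKey);
  const impostorSignature = signDocument(impostor.privateKey, order);

  return {
    genuine: verifySignedDocument(ca.publicKey, bankCert, order, signature),
    tampered: verifySignedDocument(ca.publicKey, bankCert, order.replace('10,000', '90,000'), signature),
    impersonated: verifySignedDocument(ca.publicKey, selfMadeCert, order, impostorSignature),
  };
}

console.log(runScenarios());
```

Tampering is caught by the document signature check, and impersonation is caught one step earlier because the certificate itself fails verification against the CA's public key.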

7.7 Network Security- Firewall, VPN and IDS/IPS

Firewall: A firewall is a system that prevents a specific type of information from moving
between untrusted networks, such as the Internet, and private networks, such as your
company’s network. Put simply, firewalls prevent unauthorized Internet users from accessing
private networks. All messages entering or leaving your company’s network pass through a
firewall. The firewall examines each message and blocks those that do not meet specified
security rules.

Figure: Firewall

Firewalls range from simple, for home use, to very complex for organizational use. Figure (a)
illustrates a basic firewall for a home computer. In this case, the firewall is implemented as
software on the home computer. Figure (b) shows an organization that has implemented an
external firewall, which faces the Internet, and an internal firewall, which faces the company
network. Corporate firewalls typically consist of software running on a computer dedicated to
the task. A demilitarized zone (DMZ) is located between the two firewalls. Messages from the
Internet must first pass through the external firewall. If they conform to the defined security
rules, they are then sent to company servers located in the DMZ. These servers typically handle
Web page requests and e-mail. Any messages designated for the company’s internal network
(e.g., its intranet) must pass through the internal firewall, again with its own defined security
rules, to gain access to the company’s private network.

The danger from viruses and worms is so severe that many organizations are placing firewalls
at strategic points inside their private networks. In this way, if a virus or worm does get through
both the external and internal firewalls, then the internal damage may be contained.
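
The external firewall, DMZ and internal firewall arrangement described above, modeled as an added example (not part of the original manual). Each firewall checks a message against its own rule list, takes the first match, and blocks anything that matches no rule; the address ranges, server addresses, ports and rule names are constructed sample values.

```javascript
// Constructed address plan (sample values, not from the manual).
const DMZ = '172.16.10.0/24';
const INTERNAL = '10.0.0.0/8';
const WEB = '172.16.10.10/32';
const MAIL = '172.16.10.25/32';
const CORE_DB = '10.0.5.20/32';

// External firewall: faces the Internet and admits only DMZ services.
const EXTERNAL_RULES = [
  { name: 'web-https', src: 'any', dst: WEB, proto: 'tcp', port: 443, action: 'allow' },
  { name: 'mail-smtp', src: 'any', dst: MAIL, proto: 'tcp', port: 25, action: 'allow' },
];

// Internal firewall: faces the company network and has its own rules.
const INTERNAL_RULES = [
  { name: 'web-to-db', src: WEB, dst: CORE_DB, proto: 'tcp', port: 5432, action: 'allow' },
];

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inCidr(ip, cidr) {
  if (cidr === 'any') return true;
  const [base, bits] = cidr.split('/');
  const blockSize = 2 ** (32 - Number(bits));
  return Math.floor(ipToInt(ip) / blockSize) === Math.floor(ipToInt(base) / blockSize);
}

// First matching rule wins; a message that matches no rule is blocked.
function evaluate(rules, packet) {
  for (const rule of rules) {
    if (inCidr(packet.src, rule.src) && inCidr(packet.dst, rule.dst) &&
        rule.proto === packet.proto && rule.port === packet.port) {
      return { action: rule.action, rule: rule.name };
    }
  }
  return { action: 'deny', rule: 'default-deny' };
}

// Internet traffic meets the external firewall first; anything destined
// for the internal network must also pass the internal firewall.
function deliver(packet) {
  const hops = [];
  const fromInternet = !inCidr(packet.src, DMZ) && !inCidr(packet.src, INTERNAL);
  if (fromInternet) hops.push(['external', EXTERNAL_RULES]);
  if (inCidr(packet.dst, INTERNAL)) hops.push(['internal', INTERNAL_RULES]);

  for (const [firewall, rules] of hops) {
    const verdict = evaluate(rules, packet);
    if (verdict.action !== 'allow') {
      return { delivered: false, blockedBy: firewall, rule: verdict.rule };
    }
  }
  return { delivered: true, blockedBy: null, rule: null };
}

// Constructed sample: an Internet host requesting the DMZ web server.
console.log(deliver({ src: '203.0.113.7', dst: '172.16.10.10', proto: 'tcp', port: 443 }));
```

The last case in the rule set is the containment point the text makes: a DMZ host other than the web server still cannot reach the internal database, because the internal firewall applies its own rules.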

Virtual Private Network (VPN): VPN or Virtual Private Network refers to the capability of
establishing a secure network connection while using public networks. Virtual private networks
(VPNs) encrypt your internet traffic and mask your online identity. This makes it more difficult
for other parties to monitor your internet activity and steal information. Encryption occurs in
real time. A VPN acts as a filter, converting all of your data to "gibberish." Even if someone
were to get your data, it would be useless to them.
Figure: Virtual Private Network

To provide secure transmissions, VPNs use a process called tunneling. Tunneling encrypts each
data packet to be sent and places each encrypted packet inside another packet. In this manner,
the packet can travel across the Internet with confidentiality, authentication, and integrity.
The figure above illustrates a VPN and tunneling.

IPS and IDS: Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
monitor your network continuously, recognizing potential incidents, recording information
about them, resolving the events, and notifying security administrators. Additionally, some
networks use IDS/IPS to discover security policy violations and to deter people from
breaching security standards. IDS/IPS have become a vital component of most businesses'
security infrastructures precisely because they can stop intruders while the intruders are
still collecting information about your network.

7.8 Malware
Malware, short for "malicious software," is a type of computer program designed to infect
and damage a legitimate user's computer in a variety of ways. It is critical that all users
understand how to spot malware in all of its forms and how to protect themselves from it.
Malware is quickly becoming one of the most dangerous threats online, having been employed
in some of the world's worst cyber-attacks, such as the WannaCry incident in 2017, which
impacted over 200,000 people in 150 countries. Malware is usually placed on a person's machine
when they click on a link, download a malicious attachment, or launch a rogue software
application. Once it has been installed, attackers may use the malware to spy on your online
activity, steal personal and financial information, or exploit your device to infiltrate other
systems. There are many distinct varieties of malware, some of which are more dangerous than
others. Every day, 230,000 new malware samples are created, each with its own unique method
of infecting and harming systems. Varieties include viruses, worms, Trojan horses, spyware,
ransomware, adware, botnets, and more.

Preventing Malware Attacks in Banks


Installing Anti-virus Software: Installing anti-virus software is one of the most essential
strategies to guard against malware. Anti-virus software safeguards bankers' devices against
dangerous malware that might compromise the system. It scans their computers to identify and
remove malware, and receives automatic updates to improve protection against newly created
malware.

Updating Software Regularly: In addition to installing anti-virus software, it's critical to keep
software up to date to prevent attackers from exploiting weaknesses in older and obsolete
systems to obtain access to important information of banks.

Using Apps from Trusted Sources: Obtaining software from reputable sources minimizes
the risk of malware infection on your device. Large companies take great care to avoid
tarnishing their name by distributing malware. You may verify a source's validity by looking
at the full name, list of published applications, and contact information in the app description
on Google Play Store, Apple’s App Store, Microsoft Store, and so forth.

Installing Firewall: Using a firewall to safeguard devices from viruses is another option. A
firewall protects a private computer network from harmful assaults by prohibiting any
unauthorized access to or from it. A firewall, in addition to anti-virus software, acts as an
additional line of defense against malware, lowering the risk of an attack.

Refraining from Clicking on Suspicious Links: Phishing is still the most common method
for hackers to infect your device with malware. Phishing schemes entice victims to open emails
or click on links that look to originate from a credible company or respectable source. The link
may send you to a bogus website that asks for your personal information or to a website that
directly infects your machine with malware. If you're unsure about anything, don't click the
link.

Backing Up Data Regularly: It's critical to back up your data and files on a regular basis to
guarantee that you can still recover all of your crucial files and data if your computer becomes
infected with malware. This will assist in minimizing any harm and ensuring that you are not
a victim of ransomware.

It is essential to be personally aware of malware and to use tools that help financial
organizations guard against malware attacks. Users of banking information should know about
malware and how it works in order to prevent malware attacks in banks.

7.9 Social Engineering


The phrase "social engineering" refers to a variety of malicious operations that are carried out
through human interaction. It uses psychological manipulation to get people to make security
mistakes or give away private or important information. Social engineering is particularly
harmful because it depends on human mistakes rather than software or operating system flaws.
Legitimate user errors are less predictable, making them more difficult to detect and prevent
than malware-based intrusions.

Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate
legitimate employees into providing confidential company information such as passwords. The
most common example of social engineering occurs when the attacker impersonates someone
else on the telephone, such as a company manager or an information systems employee. The
attacker claims he forgot his password and asks the legitimate employee to give him a password
to use. Other common ploys include posing as an exterminator, an air-conditioning technician,
or a fire marshal. Examples of social engineering abound.

In one company, a perpetrator entered a company building wearing a company ID card that
looked legitimate. He walked around and put up signs on bulletin boards reading “The help
desk telephone number has been changed. The new number is 555-1234.” He then exited the
building and began receiving calls from legitimate employees thinking they were calling the
company help desk. Naturally, the first thing the perpetrator asked for was the caller's
username and password. He now had the information necessary to access the company’s
information systems.

Two other social engineering techniques are tailgating and shoulder surfing. Tailgating is a
technique designed to allow the perpetrator to enter restricted areas that are controlled with
locks or card entry. The perpetrator follows closely behind a legitimate employee and, when
the employee gains entry, the attacker asks him or her to “hold the door.” Shoulder surfing
occurs when a perpetrator watches an employee’s computer screen over the employee’s
shoulder. This technique is particularly successful in public areas such as in airports and on
commuter trains and airplanes.

How to Prevent Social Engineering


To carry out their plans and lure victims into their traps, social engineers exploit human
emotions such as curiosity and fear. Individuals should therefore be cautious if they receive
alarming emails, are surprised by a website's offer, and the like. Being vigilant may help you
avoid the majority of social engineering attacks that take place online.

Do not open emails or attachments from unknown senders - You do not need to respond to
an email if you do not know the sender. Even if you know them and are wary of their message,
double-check and validate the information from other sources, such as the phone or a service
provider's website. Remember that email addresses are often fake; even an email seeming to
come from a reputable source might have been sent by an attacker.

Use multifactor authentication - User credentials are among the most important pieces of
information for attackers. Multifactor authentication helps secure your account in the event
that the system is hacked.

Be careful of appealing offers - If an offer seems too good to be true, think twice before
taking it. You can rapidly evaluate whether you're dealing with a real offer or a trap by
Googling the subject.

Keep your antivirus/antimalware software up to date - Either turn on automatic updates or
make it a routine to update the software. Check for updates on a regular basis, and scan your
system for suspected viruses.

7.10 IT Security Measures in E-Banking


Physical (and Environmental) Security: Physical security prevents and discourages attackers
from entering a building through fences, alarms, cameras, security guards and dogs,
electronic access control, intrusion detection and administrative access controls.
Logical Security: Logical security protects computer software by restricting user access
through user identification, passwords, authentication, biometrics and smart cards.
➢ Logical security protects access to computer systems and networks.
➢ Physical security protects the site and everything (IT/IS resources) located within the
site from physical damage.

7.11 Security Operations Centre (SOC)
A security operations centre (SOC) is a command centre for a team of information technology
(IT) specialists that monitor, analyse, and safeguard a company from cyber threats. The SOC
constantly monitors internet traffic, networks, desktops, servers, endpoint devices, databases,
apps, and other systems for symptoms of a security breach. SOC personnel may collaborate
with other teams or departments, although they are usually self-contained and staffed by
individuals with advanced IT and cybersecurity capabilities, or they are outsourced to third-
party service providers. Most SOCs are operated 24 hours a day, seven days a week, with
workers working in shifts to log activity and manage threats.

Activities of a SOC Team


A security operations centre's overall approach relies on threat management, which involves
gathering data and evaluating it for suspicious activities. SOC teams gather security-relevant
data from firewalls, threat intelligence, intrusion prevention and detection systems (IPS/IDS),
and SIEM systems. Security Information and Event Management (SIEM) is a set of tools and
services offering a holistic view of an organization's information security. A SOC team's
fundamental duties are as follows:

Prevention and Detection: Prevention is usually more effective than response when it comes
to cybersecurity. Rather than reacting to threats as they occur, a SOC monitors the network 24
hours a day, 7 days a week. As a result, the SOC team can identify malicious activity and stop
it before it does any harm. When a SOC analyst notices anything suspicious, they collect as
much information as possible in order to conduct a more thorough investigation.

Investigation: The SOC analyst examines suspicious behavior throughout the investigation
stage to establish the nature of the threat and the degree to which it has entered the
infrastructure. The security analyst examines the network and activities of the company from
the viewpoint of an attacker, searching for important signs and areas of vulnerability before
they are exploited. By knowing how assaults occur and how to successfully react before they
get out of hand, the analyst is able to identify and triage different sorts of security events. To
execute a successful triage, the SOC analyst integrates information about the organization's
network with the most recent global threat data, which includes details on attacker tools,
strategies, and trends.

Response: Following the investigation, the SOC team organizes a response to address the
problem. The SOC acts as a first responder as soon as an incident is verified, isolating
endpoints, terminating malicious programs, blocking them from running, deleting data, and more.
Following an event, the SOC tries to restore systems and retrieve any data that has been lost or
compromised. Possible measures include wiping and restarting endpoints, reconfiguring systems
and, in the event of ransomware attacks, restoring from valid backups to get around the malware.
This step, if completed successfully, will restore the network to its pre-incident condition.

Tips to Ensure IT Security


IT security is a continuous process. In practice, nothing can ensure 100 percent security of
an organization’s overall systems. However, you can follow these top ten tips to help ensure
your personal as well as organizational security:
• Never write down or share your passwords
• Don’t click on suspicious links or open attachments in email
• Use antivirus, anti-spyware, and a firewall, and don’t disable them
• Don’t send sensitive data over unencrypted channels
• Dispose of data properly
• Don’t run programs from un-trusted sources
• Lock your machine if you step away
• Properly secure information
• Verify correct person, website, etc.
• If something seems too good to be true, it probably is.

Sample Questions:
1. What is cryptography? How is Asymmetric Cryptography different from Symmetric
Cryptography?
2. What is social engineering? How can you protect yourself from a social engineering
attack?
3. Briefly discuss the physical and logical security measures in an e-bank.
4. Write short notes on: Certificate Authority, SOC, VPN.

Chapter-8
IT Risk Management and Legal Issues

8.1 ICT Risk in Banks


ICT risk is a component of the overall risk universe of an enterprise. Other risks a Bank or
NBFI faces include strategic risk, environmental risk, market risk, credit risk, operational
risk, compliance risk, etc. In many enterprises, ICT related risk is considered to be a
component of operational risk. However, even strategic risk can have an ICT component,
especially where ICT is the key enabler of new business initiatives. The same applies to credit
risk, where poor ICT security can lead to lower credit ratings. It is therefore better not to
depict ICT risk as hierarchically dependent on one of the other risk categories. ICT risk is
business risk - specifically, the business risk associated with the use, ownership, operation,
involvement, influence and adoption of ICT within a Bank or NBFI. It consists of ICT related
events and conditions that could potentially impact the business. It can occur with both
uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and
objectives. In today’s world, data and protecting that data are critical considerations for
businesses. Customers want to ensure that their information is secure with you, and if you
can’t keep it safe, you will lose their business.

In order to have a strong handle on data security issues that may potentially impact your
business, it is imperative to understand the relationships among three components: Threat,
Vulnerability and Risk. The word “threat” is often confused with (or used interchangeably
with) the words “risk” and “vulnerability.” Although these technical terms are used
interchangeably, they are distinct terms with different meanings and implications, and it is
important to differentiate among them.

8.1.1 Threat
A threat refers to a new or newly discovered incident that has the potential to harm a system or
your company overall. A threat exploits a vulnerability and can damage or destroy an
asset. There are three main types of threats:

Natural Threats: Natural disasters (threats) such as fire, cyclone and floods also present risks
to IT systems, data and infrastructure. Damage to buildings and computer hardware can result
in loss or corruption of customer records/transactions.

Unintentional Threats: Unintentional threats to IT systems and data include:


• hardware and software failure - such as power loss or data corruption
• human error - incorrect data processing, careless data disposal, or accidental opening
of infected email attachments.

Intentional Threats: Intentional threats, or specific/targeted criminal threats, to IT systems
and data include:
• malware - malicious software designed to disrupt computer operation
• viruses - computer code that can copy itself and spread from one computer to another,
often disrupting computer operations
• spam, scams and phishing - unsolicited email that seeks to fool people into revealing
personal details or buying fraudulent goods
• hacking - people who illegally break into computer systems
• fraud - using a computer to alter data for illegal benefit
• password theft - often a target for malicious hackers
• denial-of-service - online attacks that prevent website access for authorized users
• security breaches - includes physical break-ins as well as online intrusion
• staff dishonesty - theft of data or sensitive information, such as customer details.

8.1.2 Vulnerability
A vulnerability refers to a known weakness of an asset (hardware, software, network, data,
etc.) that can be exploited by one or more attackers. In other words, it is a known issue that
allows an attack to succeed. For example, when a team member resigns and you forget to
disable their access to external accounts, change logins, or remove their names from company
credit cards, this leaves your business open to both intentional and unintentional threats.
However, most vulnerabilities are exploited by automated attackers and not by a human typing on
the other side of the network. Testing for vulnerabilities is critical to ensuring the continued
security of your systems. By identifying weak points, you can develop a strategy for quick
response. Here are some questions to ask when determining your security vulnerabilities:
• Is your data backed up and stored in a secure off-site location?
• Is your data stored in the cloud? If yes, how exactly is it being protected from cloud
vulnerabilities?
• What kind of network security do you have to determine who can access, modify, or delete
information from within your organization?
• What kind of antivirus protection is in use? Are the licenses current? Is it running as often
as needed?
• Do you have a data recovery plan in the event of a vulnerability being exploited?

8.1.3 IT Risk
If your business relies on information technology (IT) systems such as computers and networks
for key business activities, you need to be aware of the range and nature of risks to those
systems. Risk is defined as the potential for loss or damage when a threat exploits a
vulnerability. Examples of risk include:
• Financial losses
• Loss of privacy
• Damage to reputation
• Legal implications
• Even loss of life

8.1.3.1 Information Technology Risk Management


Information technology (IT) plays a critical role in many businesses. It is important to identify
risks to your IT systems and data, to reduce or manage those risks, and to develop a response
plan in the event of an IT crisis. Business owners have legal obligations in relation to privacy,
electronic transactions, and staff training that influence IT risk management strategies. The
banking industry uses information technology risk management to manage its risk exposure by
measuring, monitoring and mitigating the potential threats that are inseparably tied to its
day-to-day operations. IT risk management in the banking sector should be addressed by adopting
a holistic approach. As a first step in managing IT risks, you should be aware of the legal and
legislative requirements for business owners (ICT Act 2006, Data Security Act 2018, ICT
Security Guideline of Bangladesh Bank, etc.). Moreover, managing information technology
(IT) risks is a structured process that involves a series of activities:
• IT Risk Identification
• IT Risk Assessment
• IT Risk Mitigation
✓ Risk Acceptance and Sharing
✓ Risk Avoidance
✓ Risk Transfer

IT Risk Identification: Risk identification is the process of taking stock of an organization’s
risks and vulnerabilities and raising awareness of these risks in the organization. It is the
starting point for understanding and managing risks. Asking yourself insightful questions can
reveal weaknesses in IT operations that you may not have considered. For example, is your
data safe? Are all your employees properly trained? What would happen if you lost your data
communication? If a serious incident occurred, would you know how to handle it and who was
responsible? If you think of a question like this that you cannot answer, it represents a risk
that needs to be better managed. Consulting an expert could help you identify risks. You can
also perform internal and external research and audits to identify risks in IT operations. All
employees, especially key stakeholders, may have some insight into risks, so seek employee
feedback regularly. Customers may help in risk identification as well. What do
customers most often complain about, or what types of issues do they report? If multiple
people are complaining about the same process, it’s likely that there is an associated risk.
Many business and technology software tools can also help identify and classify risks.

IT Risk Assessment: An effective IT risk assessment identifies serious risks, based on the
probability that the risk will occur, and the costs of business impacts and recovery. To complete
your IT risk assessment, identify risks to your business and perform a business impact analysis.
Still, certain measures help you assess threats regularly, so you can be better prepared when a
situation does happen. Here are some ways to do so:
• Ensure your team members are staying informed of current trends in cybersecurity so
they can quickly identify new threats. They should subscribe to blogs (like Wired) and
podcasts (like Techgenix Extreme IT) that cover these issues, and join professional
associations so they can benefit from breaking news feeds, conferences, and webinars.
• Perform regular threat assessments to determine the best approaches to protecting a
system against a specific threat, along with assessing different types of threats.
• Conduct penetration testing by modeling real-world threats in order to discover
vulnerabilities.

IT Risk Mitigation
Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.
Risk mitigation takes steps to reduce the negative effects of threats and disasters. Threats that
might put a business at risk include cyberattacks, weather events and other causes of physical
or virtual damage. Risk mitigation is one element of risk management and its implementation
will differ by organization. There are several types of risk mitigation strategies. Often, these
strategies are used in combination with each other, and one may be preferable over another,
depending on the company's risk landscape. They are all part of the broader practice of risk
management.
• IT Risk Acceptance and Sharing: Risk acceptance is accepting a risk for a given
period of time to prioritize mitigation effort on other risks. This technique
involves accepting the risk and collaborating with others in order to share responsibility
for risky activities. Partnering with others to share the risk associated with a part of the
job is advantageous. If a risk event occurs, the partners absorb all or part of the
negative impact of the event.
• IT Risk Avoidance: Risk avoidance is used when the consequences are deemed too
high to justify the cost of mitigating the problem. For example, an organization can
choose not to undertake certain business activities or practices to avoid any exposure to
the threat they might pose. Risk avoidance is a common business strategy and can range
from something as simple as limiting investments to something as severe as not building
offices in potential war zones.
• IT Risk Transfer (Insurance): Risk transfer refers to a risk management technique in
which risk is transferred to a third party. In other words, risk transfer involves one party
assuming the liabilities of another party. Purchasing insurance is a common example of
transferring risk from an individual or entity to an insurance company. It is impossible
for a business to prevent or avoid all IT risks and threats. This makes business insurance
an essential part of IT risk management and recovery planning. You should regularly
review and update your insurance, especially in light of new or emerging IT risks, such
as the increasing use of personal mobile devices for workplace activities.
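
A worked risk register for the IT Risk Assessment and IT Risk Mitigation passages above, as an added example (not part of the original manual). It ranks risks by probability multiplied by the combined cost of business impact and recovery, then compares each proposed control's cost with the loss it would prevent. The register entries, all figures (in BDT), the threshold and the decision rule (mitigate when the control pays for itself, otherwise transfer serious risks and accept minor ones) are assumptions for illustration.

```javascript
// Constructed risk register; all figures are sample values in BDT per year.
const REGISTER = [
  { id: 'R1', risk: 'Ransomware on branch workstations', probabilityPct: 30, impactCost: 4000000, recoveryCost: 1500000 },
  { id: 'R2', risk: 'Flood at primary data centre', probabilityPct: 2, impactCost: 50000000, recoveryCost: 20000000 },
  { id: 'R3', risk: 'Former employee account left enabled', probabilityPct: 10, impactCost: 3000000, recoveryCost: 500000 },
  { id: 'R4', risk: 'Power loss at a single branch', probabilityPct: 50, impactCost: 200000, recoveryCost: 100000 },
];

// Constructed candidate controls: yearly cost and the probability that remains.
const CONTROLS = {
  R1: { name: 'Offline backups and endpoint protection', annualCost: 600000, probabilityPctAfter: 10 },
  R2: { name: 'Second data centre', annualCost: 5000000, probabilityPctAfter: 1 },
  R3: { name: 'Automated leaver de-provisioning', annualCost: 100000, probabilityPctAfter: 2 },
  R4: { name: 'Generator at every branch', annualCost: 400000, probabilityPctAfter: 5 },
};

// Probability that the risk occurs times the cost of business impact and recovery.
function expectedAnnualLoss(probabilityPct, entry) {
  return (probabilityPct * (entry.impactCost + entry.recoveryCost)) / 100;
}

// Assumed decision rule:
//  - mitigate when the control prevents more loss than it costs,
//  - otherwise transfer (insure) risks at or above the serious threshold,
//  - otherwise accept the risk for now.
function assess(register, controls, seriousThreshold) {
  return register
    .map((entry) => {
      const control = controls[entry.id];
      const expectedLoss = expectedAnnualLoss(entry.probabilityPct, entry);
      const residualLoss = expectedAnnualLoss(control.probabilityPctAfter, entry);
      const lossPrevented = expectedLoss - residualLoss;

      let treatment;
      if (lossPrevented > control.annualCost) treatment = 'mitigate';
      else if (expectedLoss >= seriousThreshold) treatment = 'transfer';
      else treatment = 'accept';

      return {
        id: entry.id,
        risk: entry.risk,
        expectedLoss,
        serious: expectedLoss >= seriousThreshold,
        control: control.name,
        lossPrevented,
        treatment,
      };
    })
    .sort((a, b) => b.expectedLoss - a.expectedLoss); // most serious first
}

console.table(assess(REGISTER, CONTROLS, 1000000));
```

With these sample figures the rare but costly flood ranks second overall yet is cheaper to insure than to engineer away, while the frequent but cheap branch power loss is accepted.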

8.1.3.2 How to Control and Reduce IT Risk?
Threats and risks to information technology (IT) systems and data are an everyday reality for
most modern businesses. You should put in place measures to protect your systems and data
against theft and hackers.
Improve IT security: To help protect your IT systems and data you should:
• secure computers, servers and wireless networks
• use anti-virus and anti-spyware protection, and firewalls
• regularly update software to the latest versions
• use data backups that include off-site or remote storage
• secure your passwords
• train staff in IT policies and procedures
• understand legal obligations for online business.

Induction and IT Training for Staff: Training new and existing staff in your IT policies,
procedures and codes of conduct is an important component of IT risk management strategies.
Training can cover key business processes and policies, such as:
• safe handling of infected email
• protecting the privacy of customer details
• priority actions in the event of an online security breach.
Providing support and training for new employees is a critical aspect of staff training.

Design a Business Continuity Plan: Having identified risks and likely business impacts,
the development of a business continuity plan can help your business survive and recover from
an IT crisis. A business continuity plan identifies critical business activities, risks, response
plans and recovery procedures.

Develop IT Risk Management Policies and Guidelines: IT policies and guidelines explain
to staff, contractors and customers the importance of managing IT risks and may form part of
your risk management and business continuity plans. Security policies and guidelines can assist
your staff training on issues such as:
• safe email use
• setting out processes for common tasks
• managing changes to IT systems
• responses to IT incidents.

A code of conduct can provide staff and customers with clear direction and define acceptable
behaviors in relation to key IT issues, such as protection of privacy and ethical conduct.

Develop an IT Risk Management Plan: Reduce your potential for risk by creating and
implementing a risk management plan. Here are the key aspects to consider when developing
your risk management strategy:
• Assess risk and determine needs
• Include a total stakeholder perspective
• Designate a central group of employees
• Implement appropriate policies and related controls
• Monitor and evaluate policy and control effectiveness

8.2 IT Audit
Nowadays, computers are being widely used for performing routine jobs and as aids for
decision-making and other managerial purposes. In fact, computers have revolutionized the
technique of data processing. They have made integrated information systems possible in the
fields of banking, accounting and financial management for operation, management, planning,
controlling and decision-making.

A study of the current banking industry reveals that most banks in Bangladesh conduct their
banking business and operations through centralized banking software. In using such software,
banks have become highly dependent on information technology and systems. The security of the
Information Systems of banks and financial institutions has therefore gained much greater
importance, and it is vital to ensure that the associated risks are properly identified and
managed. Moreover, information and information systems are essential assets for the banks as
well as for their customers and stakeholders. Information assets are critical to the services
provided by the banks to their customers. Protection and maintenance of these assets are
critical to the organizations’ sustainability. Banks must take the responsibility of protecting
information from unauthorized access, modification, disclosure and destruction to protect
customers’ interests. To ensure the security and protection of such information assets,
Information Systems (IS) audit has become essential for our banks. To perform an IS audit,
auditors need to understand the Information Technology infrastructure in order to formulate
the general approach and specific techniques for auditing the banking information and
information systems prepared under a computerized system.

An information technology audit scrutinizes and evaluates an organization’s information
technology infrastructure, applications, data use and management, policies, procedures, and
operational processes against recognized standards or established guidelines. Audits assess whether
the controls to protect information technology assets ensure integrity and are aligned with the
organizational goals and objectives.

Information technology audits identify whether IT controls protect corporate assets, ensure data
integrity, and align with the business’s overall goals. IT auditors examine physical security
controls and general business and financial controls that involve information technology
systems. Because operations at modern companies are increasingly computerized, IT audits are used
to certify that information-related rules and processes are working correctly. An IT audit is
necessary for the following reasons:
• Organization risks are reduced
• Fraud detection and prevention
• Improves the security of data
• Enhances IT governance

Executing an IT audit
Having defined the controls expected to be in place, the IT auditor gathers evidence to
determine whether the stated rules are designed and operating effectively. This may require
subjective judgment on the auditor’s part, and it is here that the IT auditor’s experience can
bring real value to the exercise. It is crucial for a financial organization to detect
disparities in its systems, and an internal or external audit can help banks rapidly
recognize technology security risks so that they can manage them quickly, precisely, and
completely.

8.3 IT Governance (ITG)


IT governance (ITG) is defined as the processes that ensure the effective and efficient use of
IT in enabling an organization to achieve its goals. According to the IT Governance Institute,
“IT governance is the responsibility of executives and the board of directors, and consists of
leadership, organizational structures, and processes that ensure that the enterprise’s IT
sustains and extends the organization’s strategies and objectives.”

Fundamentally, governance is about establishing policy. It’s about implementing structure
around how the banks align their IT strategy with their business strategy, to ensure that they
stay on track to achieve their strategic goals, and implement effective ways to measure the
banks’ IT performance. Chief Information Officers (CIOs), Heads of IT (HoITs), and Project
Managers have the responsibility to implement mandates and internal policies to ensure that
all stakeholders’ interests are considered and that they provide measurable results.

Importance of ITG
The importance of IT governance is that it achieves desired outcomes and behavior. The
relationship between IT governance and effective value creation of IT investments has long
been recognized and is cited as the reason for achieving excellence in the management of IT.
It provides a focus on cost and allows effective communication between the customers and
providers by establishing joint accountability for IT investments. Governance processes are
enforced through IT portfolio management, which IT leaders use to manage their
banks’ IT investments, projects and resources in an effort to review opportunities, reduce
redundancy across the IT environment, and drive cost savings. Governance offers a formula
for success and allows leaders within agencies to be active in the strategic management of IT.

8.4 ICT Guidelines of Bangladesh Bank


The banking industry has changed the way of providing services to their customers and
processing of information in recent years. Information and Communication Technology (ICT)
has brought this momentous transformation. Electronic banking is becoming more popular and
enhancing the adoption of financial inclusion. Security of Information for financial institutions
has therefore gained much importance and it is vital for us to ensure that the risks are properly
identified and managed. Moreover, information and information technology systems are
essential assets for the Banks and Non-Bank Financial Institutions (NBFIs) as well as for their
customers and stakeholders. Information assets are critical to the services provided by the
Banks and NBFIs to their customers. Protection and maintenance of these assets are important
to the organizations’ sustainability. Banks and NBFIs must take the responsibility of protecting
the information from unauthorized access, modification, disclosure and destruction.
Banks and NBFIs take a risk-based approach to the business behind their services, which means
that ICT risk is also associated with the banking system and needs to be managed with thought
and effort. This Guideline on ICT Security for Banks and NBFIs is to be used as a minimum
requirement and as appropriate to the level of technology adoption of their operations.

8.4.1 Objectives of the Guidelines
This Guideline defines minimum control requirements to which each Bank or NBFI must
adhere. The primary objectives of the Guideline are:
• To establish a standard ICT Security Policy and ICT Security Management approach
• To help Banks and NBFIs set up their ICT infrastructure securely
• To establish a secured environment for the processing of data
• To establish a holistic approach for ICT Risk management
• To establish a procedure for Business Impact Analysis in conjunction with ICT Risk
Management
• To make stakeholders aware of their roles and responsibilities for the protection of information
• To prioritize information and ICT systems and the associated risks that need to be mitigated
• To establish appropriate project management approach for ICT projects
• To raise the awareness of, and train, the users associated with ICT activities for achieving
the business objectives
• To define procedure for periodic review of the policy
• To ensure the best practices (industry standard) of the usage of technology that is not
limited to this guideline
• To analyze security risks against faster adoption of Bring-Your-Own-Devices (BYOD)
• To minimize security risks for electronic banking infrastructure including ATM and POS
devices, payment cards, internet banking, mobile financial services, etc.

8.4.2 Applicability of the Guideline


This ICT Security Guideline is a systematic approach to the controls and policies required to be
formulated for ensuring security of information and ICT systems. This Guideline covers all
information that is electronically generated, received, stored, replicated, printed, scanned and
manually prepared. The provisions of this Guideline are applicable for:
• Banks and NBFIs for all of their Information Systems.
• All activities and operations required to ensure data security including facility design,
physical security, application security, network security, ICT risk management, project
management, infrastructure security management, service delivery management,
disaster recovery and business continuity management, alternative delivery channels
management, acquisition and development of information systems, usage of hardware
and software, disposal policy and protection of copyrights and other intellectual
property rights.

8.5 An Overview of ‘ICT Act 2006’
In order to facilitate e-commerce and promote the growth of information technology, the
Information and Communication Technology (ICT) Act of 2006 of Bangladesh established
provisions with a maximum penalty of up to 10 years’ imprisonment or a fine of up to 10 million
taka or both. The ICT Act, 2006, as amended in 2013, is quite a brilliant feat in the
cyber law field of Bangladesh. The Act was enacted to prevent cybercrimes and regulate
e-commerce.

The purpose of this Act is to guarantee the legal security of documentary communications
between persons, partnerships and the State, irrespective of the medium used; the consistency
of legal rules and their application to documentary communications using information
technology-based media, whether electronic, magnetic, optical, wireless or otherwise, or based
on technology combinations. The ICT Act promotes the Public Key Technology Trust Chain.
The law allows digital certificate infrastructure to be developed and managed by the Controller
of Certifying Authorities (CCA), including audits to be carried out.

The ICT law was formulated to promote the development of Bangladesh’s information and
communication technologies. The aim is to facilitate the use of information and communication
technologies to build the information society. Where the information contained in a document
is considered confidential by statute, confidentiality must be covered by appropriate means,
including on a communication network. Some of the cybercrimes dealt with under this
Act are as follows:
• Hacking or unauthorized entry into information systems
• Introduction of viruses
• Publishing or distributing obscene content in electronic form
• Tampering with electronic documents required by law
• Fraud using electronic documents
• Violation of privacy rights, such as stalking
• Violation of copyright or trademark rights

8.6 An Overview of Digital Security Act, 2018


The jurisprudence of data protection stems from the right to privacy. Data protection and
privacy are recognized as fundamental rights. An individual’s “private life” includes the
protection of his or her personal data. Personal data, in principle, is information that identifies
an individual, or is related to the individual. Data, in the age of the fourth industrial revolution,
is considered as the new currency. The amount of data created and stored every day continues
to grow at an unprecedented rate, and data-driven disruptive technologies like Artificial
Intelligence, Internet of Things and Big Data are continuously challenging the legal framework
in every jurisdiction. Data protection laws by and large govern processing and handling of
personal information and aim to protect individuals to safeguard their privacy and protect their
personal information from being misused by others.

The basic distinction between “data” and “information” is that data is unprocessed, i.e. raw
facts, texts, figures, symbols or characters. Data, once refined or processed, transforms into
information, and becomes useful to users. The ICT Act, 2006 of Bangladesh was intended to
provide the legal framework and recognition to digital signature, electronic records and
controller of certifying authorities. It was not intended to deal with data privacy or data
protection, nor does it intend to do so now. However, the government of Bangladesh has
enacted the Digital Security Act, 2018, and the same was published through a gazette
notification on October 8, 2018. Digital Security Act, 2018, which is commonly known as the
Cyber Security Act in other jurisdictions, aims to promote confidentiality, integrity, and
availability of public and private information systems and networks with the goal to protect
individuals’ rights and privacy, economic interests and security in the cyberspace. The
inherent purposes of the ICT Act, 2006 and the Digital Security Act, 2018 are therefore
distinct.

With the enactment of the Digital Security Act, 2018, Bangladesh has stepped into the data or
information protection regime. Section 26 of the Digital Security Act, 2018 defines personal
data as “identity information”. Section 26 requires that an individual’s explicit consent or
authorization be obtained for collecting, selling, storing/preserving, supplying or using his or
her identity information.

Section 26 defines any external, biological or physical information or any other information
which identifies a person or system singly or jointly as “identity information”. This includes
name, picture, address, date of birth, mother’s name, father’s name, signature, national identity
card, birth and death registration number, fingerprint, passport number, bank account number,
driving license, e-TIN number, electronic or digital signature, username, credit or debit card
number, voice print, retina image, iris image, DNA profile, security question, etc. Collecting,
selling, preserving, supplying, or using such “identity information” without the individual’s
explicit consent or authorization is a crime, which is punishable for a maximum term of five
years’ imprisonment, or for a penalty of Tk 5 lakh maximum, or both.

Consent/authorization unequivocally is the decisive factor, as far as Section 26 is concerned,
and unless consent/authorization is expressly given by the information/data subject, processing
identity information is prohibited. Section 26 appears to interpret consent “strictly”, which
means without consent, or once the consent is withdrawn, information cannot be used or
processed. However, the Digital Security Act, 2018 does not appear to contain further provisions
to administer regulation of consent or processing identity information by an individual. The
Digital Security Act, 2018 in its preamble defines an “individual” as an organization or public
or private entity or a body created by law.

Section 26 can have an immense impact in Bangladesh’s digital economy, especially the
telecommunication, e-commerce, banking and fintech industries. Companies in these industries
handle a huge amount of customer data in electronic or digital form every day. Besides, there
are entities that collect customer information/data. This information/data is mostly customer
names, their cell phone numbers and email addresses that are regularly shared with various
entities for sending bulk SMSs, phone calls and emails for marketing purposes. Post-enactment
of the Digital Security Act, 2018, telecommunication, e-commerce, and fintech companies,
banks, third parties and other entities now must obtain authorization or consent, from the
individuals (principal) whose identity information/data they are handling, or are required to
revalidate their respective privacy terms and conditions in order to comply with Section 26.
Breach or non-compliance of Section 26 could trigger potential criminal liabilities against such
entities. Breach could result from absence of consent or for breach of any conditions of such
consent too. Any pre-executed privacy policies or privacy terms and conditions must now be
construed in accordance with Section 26(1), to ensure that an individual’s identity information is
used lawfully, and for the purpose for which it was collected.

Sample Questions:
1. What are the common threats and risks of an online bank?
2. What is IT risk? How can we manage and reduce IT risks in banks?
3. What is the role of IT Audit in banks? Can it reduce IT Risk?
4. What is IT Governance (ITG)? What is the importance of ITG in banks?
5. Though we have “Information and Communication Technology Act (ICT) – 2006”,
why do we also need “Digital Security Act, 2018” to protect our banks and customers?
