Basic Cyber Security Framework for Primary (Urban)

Cooperative Banks (UCBs)

• Titled “Basic Cyber Security Framework for Primary (Urban) Cooperative
Banks (UCBs)”, the letter talks of increasing usages of IT solutions in the
banks and the risks emanating thereof.
• It asks all UCBs to immediately
put in place a Cyber Security policy, duly approved by their Board/Administrator
give a framework and the strategy containing a suitable approach to check cyber
threats
• This Cyber Security Policy is distinct from that of the IT policy or IS Policy
of the UCB.
• It also asks to keep a proper record of the entire process to enable
supervisory assessment.
Highlights of the Circular (circular attached)
The circular in question broadly talks about the following points:
• Inventory Management of Business IT Assets
• Preventing access of unauthorised software
• Environmental Controls
• Network Management and Security
• Secure Configuration
• Anti-virus and Patch Management
• User Access Control / Management
• Secure mail and messaging systems
• Removable Media
• User/Employee/Management Awareness
• Customer Education and Awareness
• Backup and Restoration
• Vendor/Outsourcing Risk Management
Inventory Management of Business IT Assets
• UCBs should maintain an up-to-date business IT Asset Inventory
Register.
• Classify data/information based on sensitivity criteria of the
information
• Appropriately manage and provide protection within and outside
UCB/network
Preventing access of unauthorised software
• Maintain an up-to-date and preferably centralised inventory of
authorised software(s)/approved applications/software/libraries, etc.
• Put in place a mechanism to control installation of
software/applications on end-user PCs, laptops, workstations, servers,
mobile devices, etc.
• Put in place a mechanism to block/prevent and identify installation
and running of unauthorised software/applications on such
devices/systems.
Environmental Controls
• Put in place appropriate controls for securing physical location of critical
assets (as identified by the UCB under its inventory of IT assets).
• Put in place mechanisms for monitoring of breaches/compromises of
environmental controls relating to temperature, water, smoke, access
alarms, service availability alerts (power supply, telecommunication,
servers), access logs, etc.
Network Management and Security
• Put in appropriate controls to secure wireless local area networks,
wireless access points, wireless client access systems.
• Critical infrastructure of UCB (viz., NEFT, RTGS, SWIFT, CBS, ATM
infrastructure) should be designed with adequate network separation
controls
Anti-virus and Patch Management
• Put in place systems and processes to identify, track, manage and
monitor the status of patches to servers, operating system and
application software running at the systems used by the UCB officials
(end-users).
• Implement and update antivirus protection for all servers and
applicable end points preferably through a centralised system.
User Access Control / Management
• Disallow administrative rights on end-user workstations/PCs/laptops
and provide access rights on a ‘need to know’ and ‘need to do’ basis.
• Implement appropriate (e.g. centralised) systems and controls to
allow, manage, log and monitor privileged/super user/administrative
access to critical systems (servers/databases, applications, network
devices etc.)
 City Union Bank
• City Union loses $2 million in cyberattack in Feb 2018.
• Compromised SWIFT messaging system payment instructions being
sent to other banks in multiple jurisdiction.

economictimes.indiatimes.com/articleshow/62956557.cms?utm_source=contentofinterest&utm_medium=text&utm_cam
paign=cppst