
IT Security Procedures and Guidelines: Adrija Sen

The document outlines various IT security procedures and guidelines. It discusses the objectives of data security such as availability, integrity, confidentiality and authenticity of data. It then describes different types of threats like accidental damages from environmental hazards or errors, and malicious damages from hackers or disgruntled employees. The effects of such damages include disruption of banking services, loss of data and financial losses. It also discusses various security measures like cryptography, antivirus software, firewalls and access controls to secure data and networks from unauthorized access and fraud.

Uploaded by

Saket Agarwal
Copyright
© Attribution Non-Commercial (BY-NC)

IT SECURITY PROCEDURES AND GUIDELINES

ADRIJA SEN

INTRODUCTION
- Computer data storage is a major advantage: all data and information is stored, which minimizes paperwork.
- Networking of branches and banks provides service through the internet or mobile.
- This exposes the data across the globe.
- The result is a serious problem relating to data integrity and security.

OBJECTIVE OF PROVIDING DATA SECURITY


1. To guarantee a certain level of availability of services.
2. To guarantee the integrity of the data exchanged and stored.
3. To guarantee the confidentiality of the data exchanged and stored.
4. To guarantee the authenticity of the user.
5. The data and the systems can be audited whenever required and generate sufficient audit trails to detect any misuse.

THREATS
- Accidental damages (beyond one's control): environmental hazards, errors and omissions.
- Malicious damages (of a more serious nature).

ACCIDENTAL DAMAGES
Most common cause of damage to computer installations, equipment and data.

ENVIRONMENTAL HAZARDS
- Spikes in power and improper grounding (earthing).
- Excessive humidity, water seepage and floods.
- Radio transmissions affecting data transmissions.

ERRORS AND OMISSIONS
- System design and process development.
- Program maintenance and while carrying out correction procedures.
- Data entry at the time of terminal operations.

EFFECT OF ACCIDENTAL DAMAGES


- Significant commercial consequences.
- Close attention must be paid to the planning of computerized systems.
- Opportunities for fraud may arise because of poor systems design.

MALICIOUS DAMAGES
- A computerized environment provides a number of new opportunities for fraudsters, primarily due to the ease with which fraudsters can hide their actions on computer systems.
- From disgruntled employees who wish to disrupt the service.
- From individuals with wrong intentions who use technology to perpetrate fraud for financial gain.

EFFECT OF MALICIOUS DAMAGES
- Interruption in banking services.
- Services get affected immediately: links to automated teller machines, POS or other electronic networks are brought down.
- Insufficient processing capacity to cope with the additional load.
- Leads to suspension of the banking facility unless adequate contingency plans have been specified and tested beforehand.
- The consequential cost of a serious system failure exceeds the cost of replacing damaged equipment, data or software.
- Loss of time.

Securities Fraud
- Special program: a utility program used to make unauthorized changes to computerized records, bypassing the normal control facilities built into the computer systems.
- Unauthorized manipulation of programs or data that bypasses the password: the relevant files are removed from their primary location, transported to another computer and returned after manipulation.
- Unauthorized amendments made to payment instructions prior to their entry into the computer system.
- Unauthorized changes to programs, made during routine development or maintenance, which cause the program to generate accounts or remove records of transactions.

Securities fraud
A practice that induces investors to make purchase or sale decisions on the basis of false information, frequently resulting in losses, in violation of the securities laws.
Theft of financial resources from organization, suppliers or customers

Who are the Victims?


- Private business
- Government
- Private individuals

Types of securities fraud


- Corporate fraud
- Internet fraud
- Accountant fraud
- Mutual fund fraud

Network Security
Network: A "network" has been defined as any set of interlinking lines resembling a net, a network of roads, a parallel and interconnected system. A computer network is simply a system of interconnected computers.

Network Security: A controlling system to prevent any accidental and/or intentional data loss.

We need security from...

Unauthorized access: Gaining access to any computer, network, program file, or other private account without the express permission of the owner. Unauthorized access is the same as theft.

Viruses: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made.

Hackers: A term used by some to mean "a clever programmer" and by others, especially those in popular media, to mean "someone who tries to break into computer systems."

Ways to Secure Data
- Cryptography
- Antivirus
- Firewall

Antivirus

Anti-virus is the name given to software that detects and removes viruses from messages. By removing viruses at the email server, all internal mail clients are protected, and all customers are protected from receiving viruses too.

Firewalls

A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Advantages
- Network security safeguards our data from hackers, unauthorized access and viruses.
- Network security makes our system robust.
- Network security makes the system reliable.

CRYPTOGRAPHY (DATA ENCRYPTION)
- Encryption: to maintain secrecy.
- Ensures the message is not altered fraudulently or accidentally.
- Plain text
- Cipher text
- Public key: known by all the business partners.
- Private key: the user alone knows it.

SYMMETRIC KEY MECHANISM


ASYMMETRIC KEY MECHANISM

CRYPTOGRAPHY
[Figure: User (key K): Plaintext -> Encrypt -> Ciphertext -> Internet -> Decrypt -> Plaintext: Server (key K)]

$C = \mathrm{Encrypt}_K(P)$, $P = \mathrm{Decrypt}_K(C)$

SYMMETRIC KEY CRYPTOGRAPHY


- Single key: also called secret key, private key or symmetric key.
- Used for both encryption and decryption of the message.
- Sender and recipient must possess the same secret key.
- Not useful on large networks like the Internet.
- Useful when the network is very small and the parties are already known to each other.

ASYMMETRIC KEY CRYPTOGRAPHY

KEY
- A series of characters, fabricated carefully using numerical values, to encode a message.
- The message can be read by a person in possession of that key or any other related key.
- This type of cryptography is very powerful and uses public keys.

KEY SECRECY
- Public keys are not a secrecy issue.
- The private key must be kept secret and not shared with anyone.
- If the private key is compromised, security is threatened.

COMPUTER SECURITY
- Physical Security
- Logical Security
- Network Security
- Biometric Security

PHYSICAL SECURITY
- Intrusion prevention: locking, guarding
- Intrusion detection
- Disturbance sensors
- Barrier detectors
- Buried line detectors
- Surveillance
- Document security
- Power protection
- Water protection
- Fire protection
- Contingency planning

STEPS INVOLVED IN PHYSICAL SECURITY
- Make a complete and detailed inventory of all hardware and equipment.
- Make use of alarm systems to prevent equipment being stolen.
- Regularly take a backup of all software, data and databases on backup media.
- Keep the backup in a secure and protected place.
- Encrypt confidential data/information.
- Entry to office premises should be restricted.
- There should be proper systems for identification of outsiders on the premises.

DOCUMENT SECURITY
- Prepare an inventory of all important records.
- Identify the persons responsible for different types of records.
- Classify and store the records which are vital to the bank.
- Dispose of all those records which are not required.
- Transfer all important records to safe storage media.
- Hard copies should be secured in plastic containers.
- There should be an off-site arrangement for storing all important records.

LOGICAL SECURITY
- Related to software access control.
- Software resources and applications need to be protected.
- A barrier is to be maintained between the users and software resources.
- Access control to resources is based on 2 levels:
  - Authorization: authentication of authorized person. The Data Base Administrator (DBA) provides rights to different types of users to access particular software.
  - Authentication: the process of verifying the identity of the user who is going to log in to the system.

Some computer systems provide special levels of security. Multi-access control is involved at:
- User level: only an authorized user can enter the program.
- Terminal level: if the user knows the password of the system itself, he/she can go further.
- Menu level: if the user knows the password for reaching the next level, he/she can go further.
- File level: only a user who knows the password to manipulate the file can do so.
- Application level: only a user who knows the password for running the application can do so.

Internal access control
- Involves particular information like date, time, identification of user, etc.
- Limiting the number of unsuccessful attempts: the system gets locked when a wrong password is entered a specific number of times.
- Limiting audit trail: a backup is created by itself and even the access situations can be known.
- Limiting access of the users to directories: access of users is limited only to particular directories, subdirectories, files and packages.
- Encryption of data and files: can be opened only through symmetric and asymmetric keys.
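
The internal access controls listed above (locking after repeated wrong passwords, and a record of date, time and user identification for each access), shown as an added Python example that is not part of the original slides. The class name LoginGuard, the threshold of 3 attempts, the outcome labels and the user and terminal IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3  # assumed; the slides only say "a specific number of times"

def _hash(password, salt):  # salted, slow hash: passwords are never stored as-is
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:  # hypothetical name, not from the slides
    def __init__(self):
        self.users = {}        # user -> (salt, password hash)
        self.failed = {}       # user -> consecutive failed attempts
        self.locked = set()    # users locked until an administrator resets them
        self.audit_trail = []  # append-only record of every access attempt

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def _audit(self, user, terminal, outcome):
        # Each record carries date/time, user identification and terminal.
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "terminal": terminal, "outcome": outcome})
        return outcome

    def login(self, user, password, terminal):
        if user in self.locked:
            return self._audit(user, terminal, "REJECTED_LOCKED")
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        # Always hash and compare in constant time, even for unknown users.
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if user in self.users and ok:
            self.failed[user] = 0
            return self._audit(user, terminal, "SUCCESS")
        if user not in self.users:
            return self._audit(user, terminal, "FAILED")
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return self._audit(user, terminal, "FAILED_NOW_LOCKED")
        return self._audit(user, terminal, "FAILED")

    def admin_unlock(self, user, admin):
        self.locked.discard(user)
        self.failed[user] = 0
        return self._audit(user, f"admin:{admin}", "UNLOCKED")
```

Attempts against a locked account are still written to the audit trail, so a continued guessing run remains visible to whoever reviews it.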

NETWORK SECURITY
- Data and resources are shared on the LAN.
- The network requires a great deal of security from intruders.
- Physical intrusion: when an intruder has physical access to nodes.
  - Can use the computer to get onto the network.
  - Can remove peripherals from the system.
  - From one system, data can be sent to another system in an unauthorized manner.
- System intrusion: the intruder is a person who has some rights to use a user account.
  - If there are no proper checks in the system, the intruder may enter different packages to gain administrative advantages for which he is not authorised.
- Remote intrusion: when an intruder tries to penetrate a system from a remote location across the network (hacking).

BIOMETRIC SECURITY
A technique to measure physical characteristics which is capable of verifying the identity of an individual.

Two types:
- Physiological: more reliable
- Behavioural

Physiological technology involves:
- Finger or hand pattern recognition: highest level of identification; mature and reliable technology.
- Voice recognition: pattern of pronouncing words; frequency characterisation and mannerism are taken into account in these techniques.
- Iris recognition: a freshly taken video picture of the iris is compared with a stored template.

Behavioural technology:
- Signature recognition

THANK YOU
