Security Organization: Organizations should draw up an explicit security plan and document it. There should be a separate Security Officer / Group dealing exclusively with information systems security. The Information Technology Division will actually implement the computer systems, the Computer Security Officer will deal with their security, and the Information Systems Auditor will audit the information systems.
Access Control: Logical access controls should be implemented on data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or biometric technologies.
Firewalls: At a minimum, banks should use a proxy server (application-level gateway) type of firewall so that there is no direct connection between the Internet and the bank's systems; every session terminates on the proxy, which allows a high degree of control and in-depth monitoring using logging and auditing tools. For sensitive systems a stateful inspection firewall is recommended: it tracks the state of each connection rather than judging packets in isolation, so every packet is checked against the session it claims to belong to. These products generally include real-time security alerting.
Isolation of Dial-Up Services: All systems supporting dial-up services through a modem on the same LAN as the application server should be isolated, since a modem connection bypasses the proxy firewall and gives an intruder a path into the network.
Security Infrastructure: At present, PKI is the most favoured technology for securing Internet banking services. However, it is not yet commonly available. While a PKI infrastructure is strongly recommended, the following options are recommended for the transition period, until IDRBT or the Government puts a PKI infrastructure in place:
Use of SSL, which provides server authentication, together with client-side certificates issued by the banks themselves using a Certificate Server.
Use of SSL with at least 128-bit symmetric encryption for securing browser-to-web-server communications and, in addition, encryption of sensitive data such as passwords in transit within the enterprise itself.
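The two SSL/TLS requirements above (server authentication with bank-issued client certificates, and a 128-bit floor on the cipher strength) can be enforced and audited in server configuration. The following is an added example, not part of the RBI guideline; it uses Python's standard ssl module, builds a server context that requires client certificates and only offers suites OpenSSL classes as HIGH, and then checks the context against the policy. The certificate and key paths are hypothetical; with none supplied the context is still built and can be audited offline.

```python
import ssl

MIN_STRENGTH_BITS = 128          # guideline floor for the symmetric cipher

def build_server_context(certfile=None, keyfile=None):
    """Server-side TLS context meeting the guideline.

    certfile/keyfile are hypothetical paths to the bank's server certificate
    and private key; when None, no certificate is loaded so the policy can be
    inspected offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # no SSLv3, TLS 1.0, TLS 1.1
    # Only HIGH-strength suites (128 bits and up); drop anonymous, null,
    # MD5, RC4 and 3DES explicitly so a permissive OpenSSL build cannot add them.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    # Client-side certificates issued by the bank are mandatory on the connection.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def legacy_context():
    """Context built with library defaults only: server authentication without
    client certificates. Which suites it offers depends on the OpenSSL build,
    so the audit below reports the client-certificate gap and any weak suites
    the build lets through."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")
    return ctx

def weak_suites(ctx, min_bits=MIN_STRENGTH_BITS):
    """Names of negotiable suites whose symmetric key is shorter than min_bits."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]

def audit(ctx):
    """Return a list of policy violations; an empty list means the context complies."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("client certificates not required")
    for name in weak_suites(ctx):
        problems.append(f"weak suite offered: {name}")
    return problems

if __name__ == "__main__":
    for label, ctx in (("hardened", build_server_context()), ("legacy", legacy_context())):
        print(label, "->", audit(ctx) or "compliant")
```

The audit reads the cipher list that OpenSSL would actually negotiate, so it catches a build that silently maps a cipher string to weaker suites than the administrator intended; run it as part of the pre-production testing the guideline requires.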
Isolation of Application Servers: All unnecessary services on the application server, such as ftp and telnet, should be disabled (both carry credentials in clear text and enlarge the attack surface). The application server should be isolated from the e-mail server.
Security Log (Audit Trail): All computer accesses, including messages received, should be logged. All access attempts and security violations (suspected or attempted) should be reported and follow-up action taken as per the organization's escalation policy.
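The audit trail is only useful if someone reads it for suspected or attempted violations and escalates them. The following is an added example, not part of the RBI guideline, showing the kind of review that can run over the access log: it parses a constructed sample log (the line format, the thresholds, the business-hours window and the escalation matrix are all assumptions for this example) and reports repeated login failures, a success following a burst of failures, and sensitive operations outside business hours, each tagged with whom the bank's policy says to notify.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application access log (not from any real system).
# Assumed format: ISO timestamp, user, source address, event, outcome.
SAMPLE_LOG = """\
2004-03-01T09:12:01 user=alice src=10.1.4.22 event=login outcome=success
2004-03-01T09:12:40 user=alice src=10.1.4.22 event=view_account outcome=success
2004-03-01T09:15:02 user=bob src=203.0.113.7 event=login outcome=failure
2004-03-01T09:15:09 user=bob src=203.0.113.7 event=login outcome=failure
2004-03-01T09:15:15 user=bob src=203.0.113.7 event=login outcome=failure
2004-03-01T09:15:21 user=bob src=203.0.113.7 event=login outcome=failure
2004-03-01T09:15:30 user=bob src=203.0.113.7 event=login outcome=success
2004-03-01T23:40:11 user=carol src=10.1.4.31 event=login outcome=success
2004-03-01T23:41:05 user=carol src=10.1.4.31 event=export_customers outcome=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+) outcome=(?P<outcome>\S+)"
)

# Assumed detection parameters and escalation matrix; a bank would take these
# from its own security and escalation policy.
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = (8, 20)                       # 08:00 to 20:00 local time
SENSITIVE_EVENTS = {"export_customers", "change_limits"}
ESCALATION = {
    "high": "Computer Security Officer, notify immediately",
    "medium": "Security group, review within one business day",
}

def parse(log_text):
    """Parse log lines; lines that do not match the format are kept as findings,
    since an unparseable line is itself a gap in the audit trail."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            records.append({"malformed": line})
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records

def detect(records):
    """Return a list of findings, each with a severity and an escalation target."""
    findings = []
    failures = defaultdict(list)                 # (user, src) -> recent failure times
    for r in records:
        if "malformed" in r:
            findings.append({"kind": "unparseable_log_line", "severity": "medium",
                             "detail": r["malformed"]})
            continue
        key = (r["user"], r["src"])
        if r["event"] == "login":
            if r["outcome"] == "failure":
                recent = [t for t in failures[key] if r["ts"] - t <= FAIL_WINDOW]
                recent.append(r["ts"])
                failures[key] = recent
            elif r["outcome"] == "success" and len(failures[key]) >= FAIL_THRESHOLD:
                # A burst of failures followed by success looks like a guessed password.
                findings.append({"kind": "success_after_failures", "severity": "high",
                                 "user": r["user"], "src": r["src"],
                                 "failures": len(failures[key])})
                failures[key] = []
        if r["event"] in SENSITIVE_EVENTS and not (BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]):
            findings.append({"kind": "sensitive_event_off_hours", "severity": "medium",
                             "user": r["user"], "src": r["src"], "event": r["event"]})
    for (user, src), times in failures.items():
        if len(times) >= FAIL_THRESHOLD:          # attempted, not (yet) successful
            findings.append({"kind": "repeated_login_failures", "severity": "medium",
                             "user": user, "src": src, "failures": len(times)})
    for f in findings:
        f["escalate_to"] = ESCALATION[f["severity"]]
    return findings

if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f)
```

On the constructed sample the review produces two findings: bob's successful login after four failures from the same address (high, escalated to the security officer) and carol's customer export at 23:41 (medium). Alice's normal session produces nothing, which is the point of thresholds: the escalation path should carry violations, not routine access.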
Penetration Testing: The information security officer and the information systems auditor should undertake periodic penetration tests of the system, which should include:
Attempting to guess passwords using password-cracking tools
Searching the application for back doors (undocumented access paths left in the program)
Attempting to overload the system using DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks, in a controlled window agreed with operations, since such tests can take the service down
Checking whether commonly known holes (unpatched, publicly known vulnerabilities) exist in the software, especially the browser and the e-mail software
The penetration testing may also be carried out by engaging outside experts (often called 'ethical hackers').
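The first test in the list, guessing passwords with a cracking tool, is worth seeing in its simplest form because it shows why password policy and hashing scheme both matter. The following is an added example, not part of the RBI guideline or of any named tool: it takes a constructed credential store (a hypothetical salted SHA-256 scheme chosen only so the example runs offline), expands a short wordlist with common mangling rules, and reports which accounts fall to a dictionary attack. A real engagement would use a purpose-built cracker and a much larger wordlist; the principle is the same.

```python
import hashlib

def hash_password(salt, password):
    """Hypothetical scheme for this example: hex SHA-256 over salt || password.
    A fast hash like this is exactly what makes guessing cheap; production
    systems should use a slow, salted KDF (bcrypt, scrypt or Argon2)."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()

# Constructed credential store: user -> (salt, stored hash). Not real accounts.
CREDENTIALS = {
    "teller01":  ("a1", hash_password("a1", "welcome1")),
    "branchmgr": ("b2", hash_password("b2", "Password2004")),
    "auditor":   ("c3", hash_password("c3", "x9#Tq!7vLm2&")),
}

# Constructed wordlist; real crackers ship lists of millions of entries.
WORDLIST = ["password", "welcome", "banking", "admin", "letmein"]

def candidates(wordlist, years=range(2000, 2005)):
    """Expand the wordlist with the mangling rules people actually use:
    case variants, a trailing digit, a trailing year."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for digit in range(10):
                yield f"{base}{digit}"
            for year in years:
                yield f"{base}{year}"

def crack(credentials, wordlist):
    """Return {user: recovered_password} for every account whose stored hash
    matches some candidate. Because each user has a distinct salt, the hash
    must be recomputed per user, which is the work salting buys."""
    guesses = list(candidates(wordlist))
    recovered = {}
    for user, (salt, digest) in credentials.items():
        for guess in guesses:
            if hash_password(salt, guess) == digest:
                recovered[user] = guess
                break
    return recovered

def report(credentials, wordlist):
    """Accounts to escalate for forced password change, with the guess count tried."""
    weak = crack(credentials, wordlist)
    return {"guesses_tried": sum(1 for _ in candidates(wordlist)),
            "weak_accounts": sorted(weak),
            "resistant_accounts": sorted(set(credentials) - set(weak))}

if __name__ == "__main__":
    print(report(CREDENTIALS, WORDLIST))
```

Two of the three constructed accounts fall in a few hundred guesses; the third survives only because its password is not a dictionary word with a suffix. The output of such a test feeds the escalation policy (forced resets) and the review of the password policy itself.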
Physical Access Control: Though generally overlooked, physical access controls should be strictly enforced. Physical security should cover all the information systems and the sites where they are housed, against both internal and external threats.
Backup & Recovery: The bank should have proper infrastructure and schedules for backing up data. The backed-up data should be periodically tested to ensure recovery without loss of transactions within the time frame set out in the bank's security policy. Business continuity should be ensured by having disaster recovery sites where backed-up data is stored; these facilities should also be tested periodically.
Monitoring against Threats: The banks should acquire tools for monitoring systems and networks for intrusions and attacks, and use them regularly so that security breaches are detected and contained early.
Education & Review: The banks should review their security infrastructure and security policies regularly and optimize them in the light of their own experience and changing technologies. They should educate their security personnel and end-users on a continuous basis.
Log of Messages: The banking applications run by the bank should have proper record-keeping facilities for legal purposes. It may be necessary to keep all received and sent messages in both encrypted and decrypted form. (When stored in encrypted form, it should be possible to decrypt the information for legal purposes by obtaining the keys with the owners' consent.)
The banks should use only those security solutions/products which are properly certified for security and for record keeping by independent agencies (such as IDRBT).
Maintenance of Infrastructure: Security infrastructure should be properly tested before the systems and applications are used for normal operations. The bank should keep systems up to date by installing the patches released by developers to remove bugs and loopholes, and by upgrading to newer versions that give better security and control.
All banks having operations in India and intending to offer Internet banking services to the public must obtain approval for the same from RBI. The application for approval should clearly cover the systems and products that the bank plans to use as well as the security plans and infrastructure. RBI may call for various documents pertaining to security, reliability, availability, auditability, recoverability, and other important aspects of the services. RBI may provide model documents for Security Policy, Security Architecture, and Operations Manual.
Standing Committee: RBI may set up a standing committee to monitor security policy issues and technologies, to review the prescribed standards, and to make fresh recommendations on a regular basis.