Information Security Awareness
Training for Users
PRESENTATION BY SBIICM HYD
Security Myths
There is nothing important on my computer
Technology alone can solve the security
problems
I don't have anything to contribute to the
security of my computer..
PRESENTATION ON INFORMATION SECURITY SBIICM HYD
This could happen from my PC..!!
Critical data is accessible to others because I
have left my PC/terminal unattended
Virus infection in my machine brings down
the entire branch/administrative office
My account (User ID) is used to commit fraud
because my password is weak
Frauds undermine the image of my Bank..
Why an IS Security Policy?
Need to establish Information Security
strategy to achieve
Confidentiality,
Integrity and
Availability of the information and
information systems.
Regulatory requirement: RBI audit will
now cover IS Policy compliance..
Bank's IS Security Initiatives
Establishment of an Information Security
Department for development,
updating, dissemination & compliance
review of the Information Security Policy
Centralized Anti-Virus solution
Firewalls & Intrusion Detection Systems
Compulsory flow of policy awareness
among end users to prevent / report
occurrence of incidents..
New IS Policy Version 3.0
Approved by ECCB in Sep 2011
Previous version: 25 domains
New version: 33 domains (8 new domains)
For end users, not all domains are equally
important
The top priority area of the IS Policy for the majority of
end users is the Acceptable Usage Policy..
Acceptable Usage Standards
Desktop Usage
Antivirus
Laptop & other portable devices Security
Password Security
Internet Usage
E-mail Usage
Document & Storage Security
Incident Reporting
Information Security violations
Desktop Usage
Initiatives by Bank
Implementation of desktop Secure Configuration Document
Patching of operating system at Bank level
Your Support
Screen savers are for more than cute pictures: enable the screen
saver with password protection
Taking a break? Log off before you leave
Done for the day? Shut down and power off
Protect confidential files with a password
Do not enable the "remember my password" option on your PC
Modems: when I connect to the Internet, the world connects to me
Installing software: licensed versions only, and only where required for
business purposes..
Anti-virus
Initiatives by Bank
Centralized anti-virus product/support team
Automated real time scan of all files
Automated virus signature update
Your support
Do not change anti-virus settings
Do not disrupt scheduled virus scan
Report if any virus is detected & not cleaned
Report if the anti-virus agent is not working or not up to
date..
Key Idea
I am responsible for the security of my desktop or MPD
Use it as it is
Lock before you leave
Password Security
Passwords should be easy to remember but
difficult to guess.
Weak passwords
Your personal information like name, initials,
names of family members or their variations
Common words found in dictionary
Patterns like 1111, aaaa etc..
Password Security
Strong Passwords
Min 8 characters
Mix of numbers (1,2..), capital letters (A,B..) and special
characters (!,@..)
Make simple words complex, e.g. H1m@l@y@
First letter of each word in a sentence, e.g. J&Jwuth (note that this one
is only 7 characters long and has no numeral, so lengthen it and add a
numeral to meet the rules above)
Note: Do not use these examples as your passwords
Change your password
Frequently - at least every 90 days
Immediately if you suspect somebody knows it
Report to the System Official if your account is locked out although
you yourself have not made 3 invalid attempts: someone else may have
been trying your password..
Password Security
Do not share your passwords
Do not type your password
when someone else can see you,
and don't look when someone else is typing
Do not write down your password
If you must, ensure it is adequately secured and
adequately masked or scrambled..
Key Idea
I am accountable for all actions carried
out using my user-id/password.
Internet Usage
Initiatives by Bank
One central Internet gateway for all offices on SBIConnect
No separate Internet connection at SB-Connect
offices; a separate standalone connection is permitted
only with the approval of the IT Networking department
Firewall, Anti-virus and URL filtering protection at
the gateway
User-id/password based access control
Bank has the right to monitor internet usage and
take appropriate action in case of misuse..
Internet Usage Guidelines
Access the Internet primarily for business purposes;
occasional and reasonable personal use is permitted
Configure browser not to remember passwords
Set browser security to medium
Ensure that all downloads are scanned for virus before
opening
Users should not:
Download/distribute protected material
Access websites by clicking on links provided in
e-mails
Download free utilities (they can be dangerous)
Upload data belonging to the Bank
Post views or opinions on behalf of the Bank on any
Internet site without proper authorization..
Key Idea (Internet)
The less I download and the less I reveal, the
better off I am
E-Mail Usage
Initiative by Bank
Central E-Mail server
Your support
Save important mails for record purpose on your PC
Secure critical documents before sending them over e-mail:
zip the file with password protection (choose AES encryption if the
zip tool offers it; the legacy ZipCrypto method is weak)
Verify the From: address of important e-mails
Exercise caution when clicking on Internet links provided
in e-mails
Do not use e-mail for critical transactions requiring legal
authentication of the sender, such as payment or transfer of
money, as it is difficult to legally establish the identity of
the sender of an e-mail message unless it is digitally
signed.
Do not send SPAM and chain mails..
E-Mail Usage
Use only official email ID for business purposes
Do not use official e-mail ID
For personal work
For registration on Internet sites
Exercise caution with email attachments
Attachments can contain viruses
Never open attachments from an unknown person
Even if the person is known, do not open an attachment
if the mail subject or attachment has a
doubtful/dubious name, or
if you are not expecting an attachment..
E-Mail Usage
Forward e-mails only if necessary
Do not forward spam mails / chain mails
Report spam to
[email protected]
Do not solicit, encourage or engage in non-business
behavior
Do not send material or use language that is
abusive, obscene or racist
Do not transmit any software or document that
is protected by copyright or any other law..
E-Mail Usage
Email sent from official ID is equivalent to signed
official communication.
All official email communication should include
following details:
Subject: a brief summary of the text, which should not
be left blank.
The name of the sender, along with
designation, department and contact number.
It should not be sent anonymously or under a generic
name such as a designation or department name only.
Tag lines or messages should not be added below the
signature..
E-Mail Account Protection
Protect the account with a strong password
Do not share your password
Do not subscribe to mailing lists or social
networking websites from your official e-mail
ID; it leads to mailbox overflow
Do not post messages to Internet newsgroups
or discussion boards; this avoids spam attacks
Do not provide e-mail IDs of colleagues to any
website, mailing list, newsgroup, etc..
Key Idea
My e-mail is as official as the Bank's
letterhead.
It can be interpreted to represent the
bank.
Document Storage & Security
Mark sensitive documents as confidential in
both print & electronic format
Do not leave confidential documents
unattended at any time
Adopt a clean desk policy to reduce the risk of
unauthorized access
Label removable media (Tape, CD, etc)
containing sensitive information as
Confidential..
Security of Information
Do not discuss sensitive information with
outsiders / employees who do not need to
know
Do not discuss sensitive information in public
places
Do not give out sensitive information over
e-mail/telephone
Do not leave sensitive documents on your
desk, printer or fax, or in public places..
Key Idea
If the information is confidential, treat it
with caution.
Incident Reporting: Everybody's
Business
Report security incidents to
Local System Administrator/Service Desk
By e-mail to
[email protected]
Possible incidents include..
Abnormal system resource usage
Abnormal, slow response for
application
Data corruption
Virus infection
Change in desktop settings
Account lockout
Violation of policy by others..
Security Violations
Connecting modems to machines without
approval
Introducing virus
Sniffing on the network
Password guessing
Computer impersonation
Erasing or modifying data on central systems
without authority
Running scans or attack tools..
Security Violations
Bypassing access control mechanisms
Exploiting any system vulnerability
Installing or distributing unlicensed software
Vandalism
Computer fraud or theft
Downloading or transmitting objectionable
content (through e-mail or the Internet)..
Key Idea
Do not intentionally attempt to cause
harm to the Bank's information systems
SECURITY IN APPLICATIONS
Core Banking
ATM
Internet Banking
Mobile Banking
Security in Core Banking
In the B@ncs-24 system, there are three basic
entities:
User
Customer / Account
Transaction (Business Operation)
There are 3 security features available in
Core Banking:
1. Capability Level
2. Posting Restrictions
3. Data Security ..
User-id in Core Banking:
The user-id in Core Banking is the same as the
employee's Provident Fund (PF) number, which
ensures its uniqueness.
For close monitoring, the User-ids are linked to
the specific branch code to which the user
(staff member) is attached.
Further validation is carried out by checking
against the user's security clearance level for
i) user group, ii) application and
iii) transactions ..
Revised password protection in
CBS w.e.f. 05.11.2011
The password should contain minimum 8 and
maximum 10 characters
The password should contain at least one capital
letter, one numeral and one special
character.
System will not accept last 5 passwords at the
time of changing password.
The User ID will be suspended whenever the user
tries to login with a wrong password thrice.
The User ID can be reset only by an authorized
officer and approved by another officer..
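The password rules on this slide and on the earlier Password Security slides (minimum length and character mix, no dictionary words, personal information or patterns such as 1111/aaaa, no reuse of the last 5 passwords, suspension after 3 wrong attempts, reset only by two officers) as one worked checker. This is an added example written for this page, not the Bank's CBS software: the word list, the sample user-id and the passwords are constructed, and storing the password history as salted PBKDF2 hashes is an assumption about how such a store should be kept, not a description of CBS.

```python
"""Password rules, password history and log-in lock-out, as worked code.

Added example (not the Bank's CBS software). It models the rules on the slides:
at least 8 characters (8 to 10 for CBS), at least one capital letter, one numeral
and one special character; no dictionary words, personal information or patterns
such as 1111/aaaa/1234; no reuse of the last 5 passwords; suspension after 3 wrong
attempts, lifted only by two officers. Word list and sample data are constructed.
"""
import hashlib
import hmac
import os
import re
import string

DICTIONARY = {"password", "welcome", "bank", "himalaya", "summer", "india"}  # constructed
HISTORY_DEPTH = 5   # CBS: the last 5 passwords may not be reused
MAX_ATTEMPTS = 3    # CBS: user-id suspended after 3 wrong passwords
MIN_LEN, MAX_LEN = 8, 10


def _has_pattern(pw: str) -> bool:
    """True for runs (1111, aaaa) or ascending/descending sequences (1234, dcba)."""
    low = pw.lower()
    if re.search(r"(.)\1{2,}", low):
        return True
    for i in range(len(low) - 3):
        steps = {ord(b) - ord(a) for a, b in zip(low[i:i + 4], low[i + 1:i + 4])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_policy(pw: str, personal: tuple = (), cbs: bool = False) -> list:
    """Return the rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if cbs and len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters (CBS limit)")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    low = pw.lower()
    if low in DICTIONARY or re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("dictionary word")
    for item in personal:  # name, initials, family names: reject if embedded anywhere
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if _has_pattern(pw):
        problems.append("repeated or sequential pattern")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    """Slow salted hash; only hashes are stored, never the password or its history."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class UserAccount:
    """One CBS-style user-id: current hash, last 5 hashes, attempt counter, suspension."""

    def __init__(self, user_id: str, password: str) -> None:
        self.user_id = user_id
        self.failed, self.suspended = 0, False
        self.history = []  # (salt, hash) pairs, oldest first; includes the current one
        self._set(password)

    def _set(self, pw: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(pw, self.salt)
        self.history.append((self.salt, self.pw_hash))
        del self.history[:-HISTORY_DEPTH]  # keep only the newest HISTORY_DEPTH

    def used_recently(self, pw: str) -> bool:
        return any(hmac.compare_digest(_hash(pw, s), h) for s, h in self.history)

    def login(self, attempt: str) -> str:
        """'ok', 'wrong' or 'suspended'. The counter belongs to the user-id, so wrong
        attempts made by someone else count too: a lock-out you did not cause must be
        reported."""
        if self.suspended:
            return "suspended"
        if hmac.compare_digest(_hash(attempt, self.salt), self.pw_hash):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.suspended = True
            return "suspended"
        return "wrong"

    def change_password(self, new_pw: str, personal: tuple = ()) -> list:
        problems = check_policy(new_pw, personal, cbs=True)
        if self.used_recently(new_pw):
            problems.append(f"one of the last {HISTORY_DEPTH} passwords")
        if not problems:
            self._set(new_pw)
        return problems

    def reset(self, officer: str, approver: str) -> bool:
        """Four-eyes reset: two different authorized officers are required."""
        if officer == approver:
            return False
        self.failed, self.suspended = 0, False
        return True


if __name__ == "__main__":
    for pw in ("H1m@l@y@", "J&Jwuth", "Himalaya1!", "Rahul@1234"):
        print(pw, check_policy(pw, personal=("Rahul",)) or "acceptable")
```

Running the file judges the slide's own samples: H1m@l@y@ passes, J&Jwuth fails on length and on the missing numeral, and the plain word Himalaya1! fails as a dictionary word even with a numeral and a special character appended. The attempt counter is kept per user-id rather than per person, which is exactly why three wrong guesses by anyone suspend the account and why a lock-out you did not cause is worth reporting.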
Access Control in CBS
User access validation is carried out by:
Sign-on / sign-off at terminal and operator
levels
User capability level and user group level
(after successful sign-on)
Branch location
Terminal numbers are allotted to all users and
while logging in, a user should use the terminal
allotted to him / her..
Access Control in CBS (contd..) :
If away from the terminal only for a brief period,
users should lock their system by accessing the
icon provided on the screen.
At Branches a User Control Register is available
to record the details of changes & amendments of
user types, capability levels, forced closures, user
resets etc. User Control Register should be
meticulously maintained.
All accesses by the authorized users are tracked by
the system..
Transaction Security in CBS
For all user-input transactions, including
reversals and correction entries and those in
intermediate accounts, vouchers should be
prepared.
All transactions put through by users that
require authorization are sent for authorization
in Queue with a unique queue number.
The system generates Trace No. / Journal No.
for all the committed transactions, at the Host
(CDC) which ensures a unique identity for each
transaction..
Security in ATM
Initiatives by Bank
The Bank's ATM system is ISO 27001 certified
The physical security of ATMs is ensured by
access locks.
No one can enter the ATM kiosk without a valid
card.
Once inside the ATM, VSS (Video Surveillance
System) or DSS (Digital Surveillance System )
records activity..
SECURITY IN ATM
Logical security is taken care of by the PIN. The
account cannot be operated without both physical
possession of the card and knowledge of the PIN. This
kind of security, which relies on two factors (something you
have and something you know), is called two-factor
authentication and is more secure than a log-in id
and password alone.
Our ATM network is secure and robust, to satisfy
the security triad of confidentiality, integrity and
availability..
Security in ATM
Your Support
Register your Mobile number at your Branch to get SMS alerts
for all your transactions
Change your PIN after first usage & periodically thereafter.
Never keep the PIN with the card. Never write it on the
card. Best to memorize it.
Don't use personal information like year of birth, vehicle no.
etc. as your ATM PIN.
Hide the keypad with one hand while keying in your PIN at ATM /
POS terminals.
Don't ask strangers for help to operate the ATM.
Block and destroy your old card, when you get a new one..
Security in ATM
Your Support
Insist on swiping your card in your presence at POS
terminals in hotels/shops/malls etc. Do not disclose your
PIN
Do not throw your transaction slip in ATM room; it
contains your account details and balance.
Do not transact if you observe any attachments or
unusual devices connected to the ATM.
Check your account statement periodically.
If you lose your card, hot-list it immediately.
Call 1800112211 / 1800-4253800 from BSNL and MTNL landlines, or
080 26599990 from any other landline / mobile phone..
Security in ATM
Your Support
Do not provide ATM card & PIN details to any one, not
even to the Bank/ IBA/RBI/ Govt. Agency. Bank or any
other institution will never ask for this information.
Never disclose your PIN or handover your ATM card to
anyone, not even to your family members.
Do not use the ATM, if you feel the place is "crowded" or
unsafe. Come back later
Before using State Bank ATM-CUM-DEBIT Card for online
transactions, register for SBI 3D Secure Service available
through www.onlinesbi.com.
Don't leave the ATM until your transaction is complete..
SECURITY IN INTERNET BANKING
Initiatives by Bank
Verisign certified 256-bit SSL encryption
technology. ISO 27001 certified.
Addition of third party: secured & unique
Multilevel password
Transaction in pre-defined accounts
Transfer up to defined limits
High Security option with SMS based password
Auto expiry of session
Virtual Key Board Facility
Stop payment of cheques online (8 to 8)
New feature - Lock User Access ..
SECURITY IN INTERNET BANKING
Your support
The Bank will never send you an e-mail asking you to submit
personal or financial information such as your username,
password, PIN or credit card number.
Any e-mail which asks for such information is fraudulent;
report it (see below) and then delete it. The attempt to steal
personal information by sending fraudulent e-mails is
technically known as phishing.
Do not be lured if you receive an e-mail promising you a
reward for providing your personal information and do
not be afraid if the email warns of an impending
penalty for non compliance..
SECURITY IN INTERNET BANKING
Your support
Access OnlineSBI only by typing the URL:
www.onlinesbi.com in the address bar of your browser. Do
not click on links in any e-mail message to access the site.
If you receive any suspicious or fraudulent e-mails, forward
them to us immediately at
[email protected]
If you have accidentally revealed any confidential
information, report it immediately at
[email protected]
If you receive an e-mail purportedly sent from a bank or a
trusted organisation, promising a reward or warning of
penalty for non compliance, verify its authenticity by
contacting the bank or the organisation..
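The two checks a mail reader can run before trusting a message, as worked code: the From: address test from the E-mail Usage slide ("verify the From: address") and the link test behind "do not click on links in e-mails; type www.onlinesbi.com yourself". This is an added example, not OnlineSBI or Bank code. www.onlinesbi.com and www.sbi.co.in are the addresses the slides name; the allow-list of genuine domains, the impersonating sender, the .example hosts, the 192.0.2.10 address and the message body are all constructed for the example.

```python
"""Phishing checks for the two signs the slides describe: a From: address that is
not the Bank's, and a link whose destination is not the Bank's site even though
its visible text says it is.

Added example, not OnlineSBI code. The allow-list, the sender, the .example hosts
and the sample body are constructed for the example."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BANK_DOMAINS = ("onlinesbi.com", "sbi.co.in")  # assumed allow-list of genuine domains


def is_bank_host(host) -> bool:
    """True for a bank domain or one of its subdomains; False for look-alikes such as
    onlinesbi.com.example or onlinesbi-secure.example, and for an empty host."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)


def check_from(header: str) -> list:
    """Flag a From: whose address domain is not the Bank's, and a display name that
    claims the Bank while the address says otherwise."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2]
    findings = []
    if not is_bank_host(domain):
        findings.append(f"From: address domain '{domain}' is not a bank domain")
        if any(k in name.lower() for k in ("sbi", "state bank")):
            findings.append(f"display name '{name}' impersonates the Bank")
    return findings


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """One finding per suspicious property of each link: user-info trick (bank name
    before an @), raw IP host, non-bank destination, bank name shown in the text."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.username:  # http://www.onlinesbi.com@evil.example/ really goes to evil.example
            findings.append(f"user-info trick, real host is '{host}': {href}")
        if host.replace(".", "").isdigit():
            findings.append(f"raw IP address as host: {href}")
        if not is_bank_host(host):
            findings.append(f"destination '{host}' is not the Bank: {href}")
            if any(d in text.lower() for d in BANK_DOMAINS):
                findings.append(f"link text '{text}' hides destination '{host}'")
    return findings


# Constructed phishing sample; the .example hosts and 192.0.2.10 are reserved test values.
SAMPLE_FROM = "OnlineSBI Security <alerts@sbi-secure.example>"
SAMPLE_BODY = """<p>Your account will be suspended. Verify now:</p>
<a href="http://www.onlinesbi.com.verify-login.example/">www.onlinesbi.com</a>
<a href="http://www.onlinesbi.com@192.0.2.10/login">Login</a>
<a href="https://www.onlinesbi.com/">Terms of use</a>"""

if __name__ == "__main__":
    for finding in check_from(SAMPLE_FROM) + check_links(SAMPLE_BODY):
        print("-", finding)
```

The host comparison is done on the parsed hostname, never on the string the user sees: `www.onlinesbi.com.verify-login.example` ends in `.example`, and in `http://www.onlinesbi.com@192.0.2.10/` everything before the `@` is user-info that the browser discards. Only the third link, whose parsed host is a real subdomain of onlinesbi.com, produces no finding.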
MBS BASICS
Mobile banking model consists of four important components:
The Bank
Mobile Network Operator (MNO)
The Customer
Mobile Banking Technology Vendor (MBTV)
Mobile banking technologies can be categorized into two
environments:
Client Side Technologies: Built or embedded on a consumer
SIM or mobile handset. ( JAVA based mobile application)
Server Side Technologies: applications built on a server,
away from the consumers SIM or Mobile handset. (USSD)..
MBS - SECURITY FEATURES
INITIATIVES BY BANK
Authentication data (PIN/User-ID) is encrypted and stored
in the SIM / Memory of mobile.
Authentication data is stored in an encrypted format in the
application server from where it is transferred to the
SIM/Mobile Application. Minimum 6 character customer PIN.
All transactions (fund based and enquiry based) are allowed
only after authentication of the user id and the PIN
associated with it.
The PIN sent to the customer through SMS is valid only for
the first login and the customer is prompted to change the
PIN at the first login itself..
MBS - SECURITY FEATURES
YOUR SUPPORT
Lock your phone with a PIN or password when not in use.
Always Keep your mobile device in a safe location
Avoid using Mobile Banking in crowded places. Shield the mobile
keypad from onlookers while entering the user-id and the MPIN
SBI never asks for your personal information like account
number, User ID or MPIN. Never disclose your personal
information over text message to anyone or to any number
seeking such information.
Download the Mobile Banking application only from the Bank's
site www.sbi.co.in (click on Services > Mobile Banking) or from the
WAP link that you received along with the User ID..
MBS - SECURITY FEATURES
YOUR SUPPORT
Maintain the secrecy of your MPIN. Memorise your MPIN.
Don't write it down or record it anywhere, share it with
anyone, or store it in your mobile phone.
If the mobile phone or SIM is lost, immediately deregister from
Mobile Banking at your nearest State Bank Group ATM or your
home branch, and call your mobile service provider to block your
SIM
Change your MPIN at regular intervals. Use complex
alphanumeric MPIN
For using Mobile Banking service over WAP, never click on any
links. Always type in http://mobile.prepaidsbi.com/sbiwap/
in your mobile browser..
MBS - SECURITY FEATURES
YOUR SUPPORT
Check your linked accounts on a regular basis
Once your transaction is over, logout of WAP mobile
banking website and then close the browser.
Delete any SMS from the Bank that might contain your
personal information, such as the user-id or MPIN received at the
time of registration, or other details sent to you.
Do not part with your ATM card and PIN as this may be
misused for Mobile banking registration..
MBS INCIDENT MANAGEMENT
In the event of a customer reporting loss of the
mobile device, the mobile banking service is
deactivated, either by the customer at the
Bank's ATM or at the Branch..
Promoting Information
Security
Overall Key Message
Security mindset
Responsible use
Our Commitments
I believe...
Strong information security will help our Bank to
use technologies effectively. It will also help in
maintaining our image as the most reliable and
trustworthy bank in India..
Our Commitments
I understand...
The importance of information security, and agree
to take all reasonable precautions to protect the
information assets of the Bank..
Our Commitments
After attending this session
I know my role in maintaining information
security in my work environment. I am aware
that the rules mentioned cannot cover all
practical situations that might occur. I will
therefore do my best to interpret them in the
right spirit, i.e. in the way I believe a responsible
user would act..
Thank You