MANAGEMENT INFORMATION SYSTEMS (MIS) INFORMATION SECURITY POLICY MANUAL


PURPOSE OF THIS POLICY

For the bank to safeguard information resources and to reduce risks to a prudent level requires effort. The spread of computing power to individual employees via personal computers, local-area networks, and distributed processing has drastically changed the way we manage and control information resources. Internal controls and control points that were present when we were dealing with manual or batch processes have not been established in many of today's automated systems. Reliance upon inadequately controlled information systems can have serious consequences, including:

Inability or impairment of the bank's ability to perform its mission
Inability to provide needed services to its customers
Waste, loss, misuse, or misappropriation of funds
Loss of credibility or embarrassment to customers
Abuse or misuse of information leading to disclosure of sensitive information to competitors, criminals and other unintended recipients
Breach of the bank's information security controls

This policy gives specific and detailed guidelines and measures to (a) avoid the consequences stated above; (b) effectively and comprehensively address security issues; and (c) assure an adequate level of protection for information systems, whether maintained in-house or commercially acquired.

SCOPE

The contents of this management information systems security policy manual are applicable to all Information Technology Resources, Management Information Systems and Information, in hard or soft copy, at all levels of sensitivity, whether the information is obtained, created, or maintained by the bank. This policy is mandatory for all organizational units, employees, contractors, consultants, temporaries and other workers of the bank, including workers affiliated with third parties who access the bank's computer systems and information in any form. Throughout this policy, the word "worker" is used to refer collectively to all such individuals.

This policy also applies to all automated technology and to the manual or electronic transfer of information currently in existence, to any automated technology or information systems acquired in the future, and to all computer and data communication systems owned and/or administered by the Bank. This policy covers both accidental and intentional disclosure of, and/or damage to, the bank's information systems controls.

POLICY

I. Policy Management

1.1 Information Security Management Committee
Until further notice, an information security management committee, or its equivalent, must be composed of senior officers or their delegates from each of the Bank's departments. This committee will meet regularly to:
Review the current status of the Bank's information security
Review and monitor security incidents within the bank
Approve, and later review, information security projects
Approve new or modified information security policies
Perform other necessary high-level information security management activities

1.2 Information Ownership and Management's Responsibilities
All production information possessed by or used by a particular organizational unit must have a designated owner. Owners must determine appropriate sensitivity classifications as well as criticality ratings. Owners must make decisions about who will be permitted to access the information and the uses to which this information will be put. Owners must take steps to ensure that appropriate controls are utilized in the storage, handling, distribution and regular usage of information.

1.3 Assignment of Responsibility for Information Asset Controls
Management must specifically assign responsibility for the control measures protecting every major information asset (such as customer contact, customer ledger, financial information and other databases identified as important and sensitive).

1.4 Control Implementations Consistent with Standard of Due Care
Management is responsible for implementing information system controls in a manner consistent with generally accepted business practice. In addition, management is responsible for implementing these controls in a fashion consistent with the criticality, value, and sensitivity of the information.

1.5 Allocation of Sufficient Resources to Address Information Security
Management must allocate sufficient resources and staff attention to adequately address information systems security.

1.6 Information Security Budget
To enforce information security, management must provide sufficient budget to keep security policies, procedures and guidelines consistently observed and practiced in the Bank.

II. MIS Department Functions

2.1 Information Security Is Every Worker's Duty
Responsibility for information security on a day-to-day basis is every worker's duty. Specific responsibility for information security is NOT solely vested in the Management Information Systems Department Head.

2.2 Centralized Responsibility for Information Security
Guidance, direction, and authority for information security activities are centralized for the entire organization in the MIS Department.

2.3 Overview of Tasks Performed by the MIS Department
The MIS Department is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures.

2.4 Specific Tasks Performed by the MIS Department
The MIS Department must provide the direction and technical expertise to ensure that the Bank's information is properly protected. This includes consideration of the confidentiality, integrity, and availability of both information and the systems that handle it. The MIS Department will act as liaison on information security matters between the Bank and its divisions or departments, and must be the focal point for all information security activities of the entire bank. The MIS Department must perform risk assessments, prepare action plans, evaluate vendor products, participate in in-house system development projects, assist with control implementations, investigate information security breaches, and perform other activities necessary to assure a secure information handling environment.

2.5 Authority to Create Information Security Standards and Procedures
The MIS Department has the authority to create, and periodically modify, both technical standards and standard operating procedures (SOPs) that support this information security policy document. All new and existing systems standards, policies and procedures must be approved by management, and management must determine whether board of directors approval is necessary.

III. Password Security

3.1 Minimum Password Length
The length of a password must always be checked automatically at the time users construct or select it. All passwords must have at least eight (8) characters.

3.2 Difficult-to-Guess Passwords Required
All user-chosen passwords for computers and networks must be difficult to guess. This means that passwords must not be related to one's job or personal life; for example, a car license number, a spouse's name, or fragments of an address must not be used. It also means that passwords must not be a word found in a dictionary or some other part of speech; for example, proper names, places, technical terms, and slang must not be used. Where system software facilities are available, users must be prevented from selecting easily guessed passwords.

3.3 User-Chosen Passwords Must Not Be Reused
Users must not construct passwords that are identical or substantially similar to passwords they have previously employed.

3.4 Passwords Must Contain Both Alphabetic and Non-Alphabetic Characters
All user-chosen passwords must contain at least one alphabetic and one non-alphabetic character. Non-alphabetic characters include numbers (0-9). The use of control characters and other non-printing characters is discouraged because they may inadvertently cause network transmission problems or unintentionally invoke certain system utilities.

3.5 Anonymous User-IDs
Anonymous user-ids must not be assigned to users. All user-ids must be readable and identify their owner. The first letter of the first name, the middle initial and the full surname must be used as the user-id; for example, the user-id for Kris C. Aquino must be kcaquino. A user-id can also be an employee number, SSS number, TIN or other recognized unique identification number that is generally used and accepted and identifies a particular person.

3.6 Display and Printing of Passwords
The display and printing of passwords must be masked, suppressed or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them.

3.7 Periodic Forced Password Changes
All users must be automatically forced to change their passwords at least once every thirty (30) days.

3.8 Limit on Consecutive Unsuccessful Attempts to Enter a Password
To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After three unsuccessful attempts to enter a password, the involved user-id must be either (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or (c) if dial-up or other external network connections are involved, disconnected.

3.9 Protection of Passwords Sent Through the Mail
If sent by regular mail or similar physical distribution systems, passwords must be sent separately from user-ids. These mailings must have no markings indicating the nature of the enclosure. Passwords must also be concealed inside a secured, tamper-evident envelope, such as a PIN or password mailer, that will readily reveal tampering.

3.10 Requisition Required for All Users Forgetting Fixed Passwords
Users who have forgotten or misplaced their passwords must request that the MIS Department reset and change the existing password.

3.11 Storage of Passwords Must Not Be in Readable Form
Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, computers without access control, or other locations where unauthorized persons might discover or use them.

3.12 Encryption of Passwords
Passwords must always be encrypted (or, for stored verifiers, one-way hashed) when held in storage for any significant period of time or when transmitted over networks, communication facilities, or any other form of electronic transmission. This will prevent them from being disclosed to wiretappers, technical staff who read system logs, and other unauthorized parties.

3.13 Incorporation of Passwords into Software
So that passwords can be changed when needed, passwords must never be hard-coded (incorporated) into software developed or modified by bank personnel.

3.14 Changing Vendor Default Passwords
All vendor-supplied default passwords must be changed before any computer or communications system is used for the bank's business.

3.15 Suspected Disclosure Forces Password Changes
All passwords must be promptly changed if they are suspected of having been disclosed, abused or misused, or are known to have been disclosed to unauthorized parties.

3.16 Writing Passwords Down and Leaving Them Where Others Could Discover Them
Passwords must not be written down and left in a place where unauthorized persons might discover them.

3.17 Passwords Must Never Be Written Down Near Related Access Devices
Users must never write down or otherwise record a readable password and store it near the access device to which it pertains. For example, a personal identification number (PIN) must never be written on an automated teller machine (ATM) card, and a vault combination must not be posted above the vault door.

3.18 Password Sharing Violations
Regardless of the circumstances, passwords must never be shared with or revealed to anyone besides the authorized user. To do so exposes the authorized user to responsibility for actions that the other party takes with the password. If users need to share computer-resident data, they should use electronic mail, public directories on local area network servers, and other mechanisms.

3.19 Forced Change of All Passwords
Whenever a system has been compromised by an intruder, system managers must immediately change every password on the involved system. Even suspicion of compromise requires that all passwords be changed immediately. Under either of these circumstances, a trusted version of the operating system and all security-related software must also be reloaded. Similarly, under either of these circumstances, all recent changes to user and system privileges must be reviewed for unauthorized modifications.

3.20 Resignation and Suspension of Employment Mean Termination and Suspension of Access
A resigned employee's access to all systems must be terminated upon the notice submitted by the Human Resources Department to the MIS Department. Access to systems by a suspended employee must likewise be suspended by the MIS Department after receiving notice from the HRD.

3.21 Group Access Through Common Passwords
Computer and communication system access control must be achieved via passwords that are unique to each individual user. Access control to files, applications, databases, computers, networks, and other system resources via shared access or common passwords is prohibited.

3.22 Users Responsible for All Activities Involving Personal User-IDs and Passwords
Users are responsible for all activities performed with their personal user-ids and passwords. User-ids may not be utilized by anyone but the individuals to whom they have been issued. Users must not allow others to perform any activity with their user-ids, and users are forbidden from performing any activity with user-ids belonging to other users.

3.23 Administrator's Password Common to All Workstations
All workstations secured by an administrator's password must have a common password, to avoid problems and delays during the setting up of devices and applications.

3.24 Administrator's Passwords, Security Keys and Other Access Codes Controllership
Administrator's passwords must be controlled primarily by the Head of the MIS Department and by the appointed Systems Administrator(s). Password settings must be determined and approved by the Head of the MIS Department.

3.25 Storage of Administrator's Passwords, Security Keys and Other Access Codes
Passwords, security keys and access codes must be stored in hard-copy form, sealed individually in envelopes with the signatures of the designated officers across the seal. Each envelope must bear a control or serial number. A control list must be maintained to track the inventory of passwords, security keys and other access codes. Administrator's passwords, security keys and other access codes must be stored in a Safety Deposit Box (SDB) in the Bank's own vault or in another bank's vault. The SDB must be controlled by the Head of the MIS Department and the Head of the Internal Audit Division, or by at least two (2) officers appointed by Management. The copy of passwords, security keys and other access codes kept in the Bank's own vault must be retrieved by the designated officers only in an emergency or as necessary for the operations of the bank.

3.26 Signing of Responsibility Statement over the Use and Assignment of Passwords and User-IDs
Any worker who uses passwords, security keys or other access codes with administrator's rights, or their access equivalent, must sign a responsibility statement.
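The rules in 3.1 through 3.4, the lockout in 3.8 and the storage requirements in 3.11 and 3.12 are the parts of this section that a system can enforce automatically. The following is an added example written for this edition of the manual; it is not part of the policy text or of any bank system. The word list, the user names, the sample passwords, the 80% similarity threshold used for 3.3 and the choice of salted PBKDF2-HMAC-SHA256 as the stored verifier are all constructed assumptions. Two practitioner caveats are built in: similarity to a previous password (3.3) can only be judged on plaintext, so it is measured against the current password the user presents to authorise the change, while older history is compared by hash only; and the verifier stored for 3.11/3.12 is a one-way salted hash rather than something reversible, so neither technical staff nor a log reader can recover the password from it.

```python
"""Password policy checks (3.1-3.4), lockout (3.8) and storage (3.11-3.12).

Added example; not part of the policy manual or any bank system.
The word list, user names and thresholds are constructed assumptions.
"""
import difflib
import hashlib
import hmac
import os
import time

MIN_LENGTH = 8                # 3.1
MAX_FAILED_ATTEMPTS = 3       # 3.8
LOCKOUT_SECONDS = 3 * 60      # 3.8 (b): disabled for no less than three minutes
SIMILARITY_LIMIT = 0.8        # 3.3: assumed threshold for "substantially similar"

# Constructed stand-in for a real dictionary / names / places / slang list (3.2).
DICTIONARY = {"password", "welcome", "manila", "aquino", "bank", "summer", "dragon"}


def check_password(candidate, userid, personal_words, current_password=None):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("3.1: shorter than %d characters" % MIN_LENGTH)
    has_alpha = any(c.isalpha() for c in candidate)
    has_other = any(not c.isalpha() for c in candidate)
    if not (has_alpha and has_other):
        problems.append("3.4: needs at least one alphabetic and one non-alphabetic character")
    if any(not c.isprintable() for c in candidate):
        problems.append("3.4: control or non-printing characters are discouraged")
    lowered = candidate.lower()
    # 3.2: fragments related to the user's job or personal life (user-id, names, plate numbers).
    for word in [userid] + list(personal_words):
        if len(word) >= 3 and word.lower() in lowered:
            problems.append("3.2: contains personal or job-related fragment %r" % word)
    # 3.2: dictionary words, including the common trick of appending digits or symbols.
    if lowered in DICTIONARY or lowered.rstrip("0123456789!@#$%") in DICTIONARY:
        problems.append("3.2: dictionary word")
    # 3.3: similarity can only be judged on plaintext, so it is measured against the
    # current password the user presents to authorise the change (older history: hash only).
    if current_password is not None:
        ratio = difflib.SequenceMatcher(None, lowered, current_password.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("3.3: substantially similar to the current password")
    return problems


def hash_password(password, salt=None, iterations=100_000):
    """3.11/3.12: store a salted one-way PBKDF2-HMAC-SHA256 verifier, never the plaintext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def reused_from_history(candidate, history):
    """3.3: True if the candidate exactly matches any stored (salt, digest) pair."""
    for salt, digest in history:
        _, candidate_digest = hash_password(candidate, salt)
        if hmac.compare_digest(candidate_digest, digest):
            return True
    return False


class LockoutTracker:
    """3.8: after MAX_FAILED_ATTEMPTS consecutive failures the user-id is disabled for
    LOCKOUT_SECONDS (option b), or until an administrator resets it when suspend=True (a)."""

    def __init__(self, suspend=False, clock=time.time):
        self.suspend = suspend
        self.clock = clock           # injectable so the timeout can be tested without sleeping
        self.failures = {}           # user-id -> consecutive failure count
        self.locked_until = {}       # user-id -> epoch seconds, or None for indefinite

    def is_locked(self, userid):
        if userid not in self.locked_until:
            return False
        until = self.locked_until[userid]
        if until is None:            # suspended until admin_reset()
            return True
        if self.clock() >= until:    # temporary lockout has expired
            del self.locked_until[userid]
            self.failures[userid] = 0
            return False
        return True

    def record(self, userid, success):
        """Record one login attempt; returns 'ok', 'failed' or 'locked'."""
        if self.is_locked(userid):
            return "locked"          # even a correct password is refused while locked
        if success:
            self.failures[userid] = 0
            return "ok"
        self.failures[userid] = self.failures.get(userid, 0) + 1
        if self.failures[userid] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[userid] = None if self.suspend else self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "failed"

    def admin_reset(self, userid):
        """3.8 (a): only a system administrator clears a suspension."""
        self.locked_until.pop(userid, None)
        self.failures[userid] = 0
```

Note that a correct password submitted during the lockout window is still refused, which is what makes the three-attempt limit effective against guessing; a tracker that only counted failures and let a correct guess through would leak the answer on the fourth try.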

IV. Login Process Controls

4.1 Positive Identification Required for System Usage
All users must be positively identified prior to being able to use any multi-user computer or communications system resources.

4.2 Unique User-IDs and Passwords Required
Every user must have a single unique user-id and a personal secret password. This user-id and password will be required for access to the bank's multi-user computers and computer networks.

4.3 Security Notice in System Login Banner Required
Every login process for multi-user computers must include a special notice. This notice must state: (1) the system is to be used only by authorized users, and (2) by continuing to use the system, the user represents that he or she is an authorized user.

4.4 Notice of Last Login Time and Date
At login time, every user must be shown the time and date of the last login. This allows unauthorized system usage to be detected easily.

4.5 Automatic Log-off Process
If there has been no activity on a computer terminal, workstation, or PC for ten (10) minutes, the system must automatically blank the screen and suspend the session. Re-establishment of the session must take place only after the user has provided the proper password.

4.6 Logging Off PCs Connected to Networks
If personal computers (PCs) are connected to a network, the connection must always be terminated automatically by the system when the PC is unattended.

4.7 System Limitations
Where a system is unable to display security and warning messages, users must sign a document serving the same purpose.

V. Systems Usage and Access Controls

5.1 Games May Not Be Stored or Used on Company Computer Systems
Games may not be stored on any computer system of the bank.

5.2 Personal Use of Computer and Communication Systems
The Bank's computer and communication systems must be used for business purposes only. Personal use is allowed only by special permission, on a case-to-case basis.

5.3 Permissible Uses of Company Information
The Bank's information must be used only for the business purposes expressly authorized by management.

5.4 Granting User-IDs to Outsiders
Individuals who are not employees, contractors, or consultants must not be granted a user-id or otherwise be given privileges to use the bank's computers or communications systems unless the written recommendation of a department head (for the department where the business is to take place) and the approval of the Information Security Officer (or equivalent) have first been obtained. Outsiders who are given access to a system shall follow the same rules on password handling and user-id requirements. An outsider's password must be suspended or terminated when not in use.

5.5 Third Party Access to Company Systems Requires Signed Contract
Before any third party is given access to the bank's systems, a contract defining the terms and conditions of such access must have been signed by authorized persons at the third party organization. Authorized personnel of the bank must also approve these terms and conditions.

5.6 Information Systems Access Privileges Terminate When Workers Leave
All of the bank's information systems privileges must be promptly terminated at the time a worker ceases to provide services to the bank on a temporary or permanent basis.

5.7 Disclaimer of Responsibility for Damage to Data and Programs
The bank uses controls and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communication systems. The bank disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.

5.8 System Logout
Users must log out properly before leaving their computers.

5.9 Gaining Unauthorized Access via Bank Information Systems
Workers using the Bank's information systems are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of those systems. Likewise, workers are prohibited from capturing or otherwise obtaining passwords, encryption keys, access cards, or any other electronic control mechanism that could permit illegal entry.

5.10 Where to Use Computer System Access Controls
All computer-resident information that is sensitive, critical, or valuable must have system access controls to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.

5.11 PDAs and Other Mobile Devices Used for Corporate Business Information
Personal Digital Assistants (PDAs), handheld computers, smart phones and other handheld devices must not be used for the Bank's business information unless they have first been configured with the necessary controls and approved for such use by the MIS Department. Exceptions will be made for calendars, address books, to-do tasks, and stored connection information such as telephone numbers.

VI. User Controls

6.1 Signed Forms Required for Issuance of User-ID
Users must sign a confidentiality and information system security agreement and a responsibility statement covering their user-id and password prior to being given a user-id allowing access to the Bank's systems.

6.2 No Read and Write Permission to Access Sensitive Information
Workers who have been authorized to view information classified at a certain sensitivity level must be permitted to access only information at that level and at less sensitive levels. Workers must not move information classified at a certain sensitivity level to a less sensitive level unless this action is a formal part of an approved reclassification process.

6.3 User Privileges Definition
6.3.1 Management must define user privileges such that ordinary users cannot gain access to, or otherwise interfere with, either the individual activities or the private data of other users.
6.3.2 Users must not read, modify, delete, or copy a file belonging to another user without first obtaining permission from the owner of the file. Unless general user access is clearly provided, the ability to read, modify, delete or copy a file belonging to another user does not imply permission to actually perform these activities.

6.3.3 All multi-user computer and network systems must support a special type of user-id that has broadly defined system privileges. This user-id in turn enables authorized individuals to change the security state of the systems.
6.3.4 Special system privileges, such as the ability to examine the files of other users, must be restricted to those directly responsible for system management and/or security. These privileges must be granted only to those with administration responsibility.
6.3.5 The number of privileged user-ids must be strictly limited to those individuals who absolutely must have such privileges for authorized business purposes.
6.3.6 Without specific written approval from management, administrators must not grant privileges beyond the user's job functions and responsibilities.
6.3.7 A user-id may be granted to a specific user only when an approved request has been provided.

6.4 Naming Standard for a Single User-ID Used on All Platforms
No matter how many systems they access, Bank workers must have only one computer system user-id. Unless advance permission from the MIS Department Head has been granted, the user-id naming standard must be used: the first letter of the user's first name, the middle initial and the full surname. For example, the user-id for Kris C. Aquino must be kcaquino.

6.5 Restricted Remote Administration of Internet-Connected Computers
Remote administration of Internet-connected computers is not allowed unless systems and passwords are employed over encrypted links.

6.6 Logging and Reporting on Privileged User-ID Activity
All user-id creation, deletion, and privilege change activity performed by administrators and others with privileged user-ids must be securely logged and reflected in periodic management reports.

6.7 Restriction of Dial-Up Privileges
Inbound dial-up or inbound Internet privileges must not be given to users of the bank or to third parties unless management determines that these users or third-party individuals have a legitimate business need for such access. These privileges must be enabled for specific individuals and only for the time period required to accomplish approved tasks.

6.8 Time-Dependent Access Control
All multi-user computer systems must employ positive user identification systems to control access to both information and programs. Beyond this basic access control, user activities must be restricted by time of day and day of the week.

6.9 Dormant User-IDs and Automatic Privilege Revocation
All user-ids must be revoked automatically after thirty (30) days of inactivity.
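Sections 6.6, 6.8 and 6.9 describe three controls that lend themselves to automation: a periodic management report of privileged user-id activity, restriction of user activity by time of day and day of the week, and automatic revocation of user-ids dormant for thirty days. The following is an added example written for this edition of the manual, not part of the policy text or of any bank system. The account records, the access windows and the audit log lines are constructed samples; the key=value log format is an assumption rather than any real system's format; and the self-grant check is a hypothetical addition, included because an administrator granting a privilege to his or her own user-id is the first thing a reviewer of the 6.6 report should look at under 6.3.6.

```python
"""User-id lifecycle checks for 6.6 (privileged activity reporting), 6.8 (time-dependent
access) and 6.9 (dormant user-id revocation).

Added example; not part of the policy manual or any bank system. Account records,
access windows and audit log lines are constructed; the key=value log format is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, time as dtime

DORMANT_DAYS = 30   # 6.9

# Constructed account records: user-id -> last successful login.
ACCOUNTS = {
    "kcaquino": datetime(2024, 3, 1, 8, 5),
    "jdcruz":   datetime(2024, 1, 15, 17, 40),
    "mlsantos": datetime(2024, 2, 3, 9, 0),
}


def dormant_user_ids(accounts, now, days=DORMANT_DAYS):
    """6.9: user-ids with no login in `days` days; these are revoked automatically."""
    cutoff = now - timedelta(days=days)
    return sorted(uid for uid, last_login in accounts.items() if last_login < cutoff)


# 6.8: constructed access windows per user-id. Weekdays use Monday=0 .. Sunday=6.
ACCESS_WINDOWS = {
    "kcaquino": {"days": {0, 1, 2, 3, 4}, "start": dtime(7, 0), "end": dtime(19, 0)},
    "jdcruz":   {"days": {0, 1, 2, 3, 4, 5}, "start": dtime(6, 0), "end": dtime(22, 0)},
}


def access_allowed(windows, userid, when):
    """6.8: allow only inside the user's permitted days and hours; no window means deny."""
    window = windows.get(userid)
    if window is None:
        return False
    return when.weekday() in window["days"] and window["start"] <= when.time() < window["end"]


# 6.6: constructed audit log, one event per line as key=value fields.
AUDIT_LOG = """\
ts=2024-03-04T09:12:33 admin=jdcruz action=CREATE_USERID target=rpgarcia
ts=2024-03-04T09:13:10 admin=jdcruz action=GRANT_PRIVILEGE target=rpgarcia privilege=teller
ts=2024-03-05T14:02:51 admin=kcaquino action=GRANT_PRIVILEGE target=mlsantos privilege=db_admin
ts=2024-03-06T18:45:00 admin=kcaquino action=DELETE_USERID target=jdcruz
ts=2024-03-06T18:46:12 admin=kcaquino action=LOGIN result=success
ts=2024-03-07T08:00:00 admin=mlsantos action=GRANT_PRIVILEGE target=mlsantos privilege=sysadmin
"""

PRIVILEGED_ACTIONS = {"CREATE_USERID", "DELETE_USERID", "GRANT_PRIVILEGE", "REVOKE_PRIVILEGE"}


def parse_log(text):
    """Parse key=value lines into dicts; tokens without '=' and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = {}
        for token in line.split():
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key] = value
        if fields:
            events.append(fields)
    return events


def privileged_activity_report(events):
    """6.6: per-administrator counts of user-id creation, deletion and privilege changes,
    plus the matching events, for the periodic management report."""
    counts = defaultdict(lambda: defaultdict(int))
    details = []
    for event in events:
        if event.get("action") in PRIVILEGED_ACTIONS:
            counts[event["admin"]][event["action"]] += 1
            details.append(event)
    return {admin: dict(actions) for admin, actions in counts.items()}, details


def self_grants(events):
    """Hypothetical review check: privilege grants an administrator applied to their own
    user-id, which 6.3.6 does not permit without written approval from management."""
    return [e for e in events
            if e.get("action") == "GRANT_PRIVILEGE" and e.get("admin") == e.get("target")]
```

Ordinary logins are deliberately left out of the 6.6 report so that the user-id and privilege changes are not buried in routine events; the 7.15/7.16 log review of security-relevant events is a separate, broader exercise.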

6.10 Prohibition Against Testing Information System Controls
Workers must not test, or attempt to compromise, internal controls unless justified by a legitimate purpose and specifically approved in advance and in writing by the MIS Department Head.

6.11 Production Business Information Controls
System privileges allowing the modification of production Bank business information must be restricted to production applications. Privileges must be established such that system users are not able to modify production data in an unrestricted manner. Users may only modify production data in predefined ways that preserve or enhance integrity; in other words, users must be permitted to modify production data ONLY when employing a controlled process approved by management. System privileges must be defined so that non-production staff (internal auditors, the information security officer, programmers, computer operators, etc.) are not permitted to update production business information. All production business applications supporting multiple users must be secured by an access control system approved by the MIS Department Head. Beyond what they need to do their jobs, computer operations staff must not be given access to, or be permitted to modify, production data, production programs, or the operating system.

6.12 Database Updates Must Be Made Only Through Established Channels
Updates to production databases must be made only through established channels that have been approved by management. The use of direct database access utilities in the production environment is not permitted, because these programs circumvent database synchronization and replication routines, input error checking routines, and other important control measures.

6.13 All Systems Access Privileges Cease When Workers Terminate
All of the Bank's information systems privileges must be promptly terminated at the time a worker ceases to provide services to the bank.

6.14 Maintenance of Master User-ID and Privilege Database
So that users' privileges may be expediently revoked on short notice, records reflecting all the computer systems on which users have user-ids must be kept up to date.

VII. Administrative Controls

7.1 Who Must Comply with Information Security Requirements
All employees of the bank, regardless of employment status, location, nature of work and position in the bank, must comply. Outside consultants, contractors, and temporaries must be subject to the same information security requirements, and have the same information security responsibilities, as Bank employees.

7.2 Designated Security Administrator for All Multi-User Systems
Every Bank multi-user computer system must have a designated security administrator to define user privileges, monitor access control logs, and perform similar activities. For purposes of this policy, local area network (LAN) servers and private branch exchange (PBX) switches are considered multi-user systems.

7.3 Backup Security Administrator Must Be Designated and Trained
Every multi-user Bank system with an access control system must have a designated employee who is responsible for user-id assignment and user access privilege control. This systems administrator must also have a designated and trained backup employee who can fill in when necessary.

7.4 Each Department Must Have an Information Security Liaison
Every department head must designate an information security liaison and give this liaison sufficient training, supporting materials, and other resources to properly perform his or her job.

7.5 Risk Assessments Required for Production Systems
All production computer information systems must be periodically evaluated by the MIS Department or the Information Security Management Committee to determine the minimum set of controls required to reduce risk to an acceptable level. Information systems security risk assessments for critical information systems and critical production applications must be performed at least once a year. All major enhancements, upgrades, conversions, and related changes associated with these systems or applications must be preceded by a risk assessment as defined in the Risk Management Manual.

7.6 Compliance with Industry-Specific Information Security Standards
The Bank's information systems must employ industry-specific information security standards. No exceptions are permitted unless it can be demonstrated that the costs of using a standard exceed the benefits, or that use of the standard would clearly impede the Bank's business activities.

7.7 Legal Framework for Information Security Policies
The Bank acknowledges the complexity of legal requirements under Philippine and international law. The Bank's information security policies were drafted to meet, and in some instances exceed, the protections found in existing laws and regulations. If any of the Bank's information security policies is believed to be in conflict with existing laws or regulations, this observation must be promptly reported to the MIS Department.

7.8 Risk Acceptance Process and Permissible Exceptions to Policies
Exceptions to information security policies will be permitted in rare instances where a risk analysis examining the implications of being out of compliance has been performed, where a standard risk acceptance request has been prepared by the responsible manager, and where this request has been approved by both the MIS Department and the Internal Audit Department.

7.9 Minimum Information System Controls Dictated by Standard Practice
At the very least, all of the Bank's information systems must include the standard controls found in other organizations facing similar circumstances. Beyond this, the unique risks faced by the Bank must be addressed with custom solutions.

7.10 Adequate Information Systems Insurance Coverage Must Be Maintained
Adequate insurance coverage must be obtained and kept in force for the major threats facing the confidentiality, integrity, and availability of information handled by the Bank's computer and communication systems.

7.11 Security Measures Must Be Enforceable Prior to Installation
All information systems security controls must be enforceable prior to being adopted as part of standard operating procedure.

7.12 Outsourcing and Third Party Contracts
All agreements dealing with the handling of the Bank's information by third parties must include a special clause. This clause must allow the Bank to audit the controls used for these information-handling activities, and to specify the ways in which the Bank's information will be protected. Before any third-party users are permitted to reach the Bank's systems via real-time computer connections, specific written approval of the MIS Department Head is required. The request for approval must specify the security-related responsibilities of the Bank, the security-related responsibilities of the common carrier (if used), and the security-related responsibilities of all other involved third parties. These responsibility statements must also address the liability exposures of the involved parties. The Bank's business partners, suppliers, customers, and other business associates must be made aware of their information security responsibilities via specific language appearing in the contracts that define their relationship with the Bank. All information-systems-related outsourcing contracts must be reviewed and approved by the MIS Department Head. It is the MISD Head's responsibility to make sure that these contracts sufficiently define information security responsibilities, as well as how to respond to a variety of potential security problems.

It is also the MISD Head's responsibility to make sure that all such contracts allow the Bank to terminate the contract for cause if it can be shown that the outsourcing firm does not abide by the information security terms and conditions of the contract.

7.13 Immediate Reporting of Suspected Computer Virus Infestation
Computer viruses can spread quickly and need to be eradicated as soon as possible to limit serious damage to computers and data. Accordingly, when workers report a computer virus infestation to the MIS Department immediately after it is noticed, an investigation must be made immediately. If a report of a known infestation is not promptly made, and investigation reveals that certain workers were aware of the incident, those workers will be subject to disciplinary action, including termination.

7.14 Security Management for All Networked Computers
Configurations and set-up parameters on all hosts attached to the Bank's network must comply with in-house security policies and standards.

7.15 Computer System Logs Must Support Audits
Logs of computer security-relevant events must provide sufficient data to support comprehensive audits of the effectiveness of, and compliance with, security measures.

7.16 Regular Review of System Logs
To allow proper remedial action, the MIS Department must review records reflecting security-relevant events on multi-user machines in a periodic and timely manner.

7.17 Naming Convention for Production Files
A file naming convention or indicator must be employed to clearly distinguish between files used for production purposes and files used for testing and/or training purposes.

7.18 Separation Between Production and Development Environments
Business application software in development must be kept strictly separate from production application software. This separation must be achieved via physically separate computer systems.

7.19 Handling of Third Party Confidential and Proprietary Information
Unless specified otherwise by contract, all confidential or proprietary information that has been entrusted to the Bank by a third party must be protected as though it were the Bank's own confidential information.

7.20 Transfer of the Bank's Information to Third Parties
The Bank's software, documentation, and all other types of internal information must not be sold or otherwise transferred to any party for any purpose other than the business purposes expressly authorized by management.

7.21 Right Of Management To Examine Data Stored On the Bank's Systems
All messages sent over the Bank's computer and communications systems are the property of the Bank. To properly maintain and manage this property, management reserves the right to examine all information stored in or transmitted by these systems. Since the Bank's computer and communication systems must be used for business purposes only, workers should have no expectation of privacy associated with the information they store in or send through these systems.

Disclosure Of Information On the Bank's Systems To Law Enforcement
By making use of the Bank's systems, users consent to all information they store on the Bank's systems being divulged to law enforcement at the discretion of the Bank's management.

Disclosure of Customer Personal Information
All customer records containing personal information that are in the possession of the Bank will be used only for purposes directly related to the Bank's business. Customer information will be disclosed to outside parties only with the customer's permission or if the Bank has received either a subpoena or a court order. Information gathered about customers or potential customers, such as phone number and address, must only be used for internal Bank purposes. The Bank is serious about customer privacy. Its information systems do not employ secret serial numbers, secret personal identification numbers, or any other secret mechanisms which might reveal the identity of, or the activities of, customers.

Disposal of Sensitive Information
When disposed of, all secret, confidential, or private information in hardcopy form (paper, microfilm, microfiche, etc.) must be either shredded or incinerated.

Right To Free Speech Does Not Apply To Company Systems
Bank computer and communications systems are not intended for, and must not be used for, the exercise of the participants' right to free speech. Management reserves the right to censor any data posted to the Bank's computers or networks. These facilities are private business systems, not public forums, and as such do not provide freedom of speech.

Right To Remove Offensive Materials Without Warning
The Bank retains the right to remove from its information systems any material it views as offensive or potentially illegal.

7.27 Telephone Book and Other Contact Details Containing Restricted Information
Internal telephone books and other contact details must not be distributed to third parties without specific authorization of management. Contractors, consultants, temporaries and other third parties working for the Bank may, of course, receive contact details in order to perform their jobs.

VIII. Software Controls

8.1 Acquisition, Installation And Registration
Acquisition of software from third party vendors should pass through an evaluation process by management for its relevance to the operations of the Bank. Installation of software must be approved by the Head of the MIS Division to prevent computer virus attacks, system spying, configuration conflicts and other problems associated with installation. All software acquired from third parties should be registered via website, by phone or by mail, so that the Bank enjoys the benefits offered by software vendors such as free upgrades, updates, technical support and promotions. Documentation, licensing agreement, warranty, manuals and guides, and after-sales support are primary requirements for third party software. Software must be procured via standard purchasing channels to assure compliance with the information security standards.

8.2 Development And Documentation
In-house developed software should pass through a pre-evaluation process and standard development procedures, such as standard coding systems, database management systems, naming standards, and other forms of standardization accepted by the industry or as adopted by the Bank. Documentation must cover both business and technical references.

8.3 Recording And Keeping The Manual And Guide
Software licenses, manuals, guides and drivers should be kept in the form of a library, or in the Bank's Library, for safe-keeping, monitoring and inventory control.

8.4 Software Testing With Sanitized Rather Than Production Information
Unless written permission is first obtained from the MISD Head, all software testing for systems designed to handle private information must be accomplished exclusively with sanitized production information. Sanitized information is production information which no longer contains specific details that might be valuable, critical, sensitive, or private.

8.5 User Installation or Upgrading of Software On Personal Computers Is Prohibited
Users must not install software on their personal computers, network servers, or other machines without first receiving advance authorization to do so from the MISD Head. Users are prohibited from installing new or upgraded programs on their workstations. This process will instead be done centrally by systems administrators through an automatic network download, or as authorized by the MISD Head.

8.6 Loading External Programs Onto Network-Connected Computers
Users may not place any computer program developed outside of the Bank on their own microcomputers (PCs), on their workstation, on network servers, or on computers connected to the network unless this program has first been approved by the Head of the MISD.

8.7 Testing Externally-Provided Software Prior to Use
Executable programs (software object code) provided by external entities must be tested before installation on any of the Bank's production systems. Program statement listings (software source code) provided by external entities must be visually reviewed prior to compilation, and the resulting executable programs must then be tested before installation on any of the Bank's production systems. Such testing and examination must be consistent with the Bank's standards and must also be properly documented.

8.8 Free Software May Not Be Used For Production Applications
Software which supports production business applications (including operating systems, web browsers, and utility programs) must either be developed in-house or obtained from a known and reliable third party vendor. Free software (also known as shareware) is not permitted unless specifically evaluated and approved by the Head of the MISD.

8.9 Unlicensed Application Programs Must Not Be Installed
All small systems (client/server systems, local area networks, personal computers, etc.) must use approved software license management software. Besides detecting unauthorized copies of third-party software, these license management systems must be configured to detect new and/or modified application programs developed by end-users. By using unlicensed software, the Bank may be exposed to legal problems and copyright violations.

Control Over Movement Of Software From Development To Production
Business application development staff must not have the ability to move any software into the production processing environment.

Special Approval Required For Production Software Package Changes

Modifications to vendor-provided application software must be made only after first obtaining written permission from the Head of the MISD. If modifications have been approved, then prior to being placed into production the altered software must be documented and tested, and must otherwise follow the change control procedures used for application software developed in-house.

Production Software Conversion Contingency Plans
Whenever cut-over to new or significantly modified production software introduces potential problems which could cause a substantial loss to the Bank, special procedures are required. In these cases, management must prepare a conversion-related contingency plan which reflects ways to ensure continued service to potentially-affected users.

Vendor-Provided Written Integrity Statements
If procurement of third party services is being considered, management must obtain a written integrity statement from the involved vendor. This statement must provide assurances that the services in question do not contain undocumented features, do not contain hidden mechanisms that could be used to compromise the services' security, and will not require modification or abandonment of controls found in the system they serve.

Software Licensing Agreements
The agreements for all computer programs licensed from third parties must be periodically reviewed for the Bank's compliance. Whenever bundled systems are being procured, the source must provide written evidence of the software license conveyed. Third party software in the possession of the Bank must not be copied unless such copying is consistent with relevant license agreements and either: (a) management has previously approved of such copying, or (b) copies are being made for contingency planning purposes.

Tools Used to Break Systems Security Prohibited
The Bank's software, documentation and all other types of internal information must not be sold or otherwise transferred to any non-bank party for any purpose other than business purposes expressly authorized by management.

Use of Most Current Computer Operating System Versions, Patches and Updates
To take advantage of recent security improvements and product enhancements, the Bank must, after a delay of several months, use the most recent version of all multi-user computer operating systems.

Latest Software Release On Systems Interfacing External Networks
To help ensure that attackers don't utilize the newest penetration methods against the Bank's systems, all systems interfacing external networks (Internet firewalls, internet commerce servers, dial-up banking, etc.) must be running the latest versions of the vendor-supplied operating software.

IX. Hardware Controls

9.1 Hardware Procurement Via Standard Purchasing Channels
To assure compliance with the information security standards, all hardware must be procured through standard purchasing channels.

9.2 Pull In and Out of Hardware and Other Information System Equipment
All incoming and outgoing hardware and equipment must be supported with a receipt, transmittal form, gate pass or other type of proof of its legitimate movement.

9.3 Hardware Inventory
All computers, communication equipment, and other computerization-related hardware must be covered by a comprehensive inventory system to monitor and account for their location, cost, movement, usage and accountability. Hardware and equipment must have updated property tags to account for their existence during the physical inventory.

9.4 Use of Computer Systems Belonging To Workers On Company Property
Workers must not bring their own computers, peripherals, and other equipment into the Bank's facilities without prior authorization from their department head.

X. Backup, Storage, Disposal and Disaster Recovery

10.1 Backup Control List
The Bank must maintain an updated Backup Control List to identify data that needs to be backed up. The Backup Control List must be prepared on a per-department, unit and branch basis. The Backup Control List must clearly state the level of importance of each backup and its inclusion in the backup for disaster recovery.

Backup and Warehousing Access Restrictions
Because the data warehouse and libraries contain sensitive information, access is restricted to the Bank's top and middle management, or as authorized by management.

Use of Labels to Backup Disk and Other Storage Media

If information is either secret, confidential, or private, all instances in which it is displayed on a screen or otherwise presented to a computer user must involve an indication of the information's sensitivity.

What Data To Backup And Minimum Backup Frequency
All critical business information and critical software resident on the Bank's computer systems must be periodically backed up. These backup processes must be performed daily or as needed, with sufficient frequency to support documented contingency plans and backup requirements.

Access Control For End-User File Restoration Process
End-users must not be given the ability to restore their own files. All restoration processes must be performed by a system administrator.

Encrypting Backup Media Stored Off-Site
To prevent it from being revealed to or used by unauthorized parties, all sensitive, valuable, or critical information recorded on backup computer media (magnetic tapes, floppy disks, optical disks, CDs, etc.) and stored outside the Bank's offices must be encrypted or password protected.

Management Review Of End-User Backup Process
Division managers or their delegates must make sure that proper backups to the main server are being made of sensitive, critical, or valuable data when such data is resident on microcomputers (PCs), workstations, or other small systems.

Specification Of Backup Process And Frequency
Incremental backups for all end-user files must be performed by the on-duty administrator before the end of the day (EOD) process each business day. An exception to this will be each Friday (or, if this is a holiday, the first business day thereafter), when a full backup of all files must be performed.

Users Notified That All Data Is Routinely Backed Up
To prevent accidental loss, all files and messages stored in the Bank's systems are routinely copied to tape, disk, and other storage media.

Make At Least One Copy of Critical Backed-Up Files Prior To Use
Critical data which has been backed up must not be used for data restoration purposes unless another backup copy of the same data exists on different computer storage media (tape, disk, smart card, CD-ROM, etc.). If a computer virus or other software problem is suspected, the additional backup copy should be made on a different computer. This policy will prevent the only current copy of critical backup data from being inadvertently damaged in the process of restoration.

Monthly Archival Backups Required For All Critical Information
Critical business information and critical software must be backed up onto archival storage media and kept for at least a year. These backups must be made every calendar quarter or more frequently if required by a relevant written contingency plan.

Off-Site Storage Of Backup Media

Backups of essential business information and software must be stored in an environmentally-protected and access-controlled site which is a sufficient distance away from the originating facility (or as dictated by the written contingency plan) to escape a local disaster.

Off-Site Backup Systems
The Bank must create and maintain offsite backup systems and applications ready to run as production systems in the event of a disaster.

Procedure for Release Of Equipment, Demo Unit, Media To Third Party
Before any Bank information systems equipment or storage media which has been used for Bank business is provided to any third party, the equipment or media must first be physically inspected by the MIS Division to determine that all sensitive information has been removed.

Disaster Recovery Procedures
The Bank must develop comprehensive and functional disaster recovery procedures aligned to the offsite backup systems setup, contingency plans and existing policies and procedures. Documents pertaining to Disaster Recovery procedures must be kept in a secured place outside the building where the production systems are located. Another copy must be available at the offsite backup systems location. Documents related to Disaster Recovery must be updated whenever the production systems themselves and their documentation are updated. Disaster Recovery procedures must be tested once a year to ensure reliability and successful recovery.

Department Heads Must Identify Vital Records
Department managers must identify and maintain a current list or control document of the vital records that their department needs to restore operations following a disaster.

Archival Of Information
All archival backup data stored offsite must be reflected in an up-to-date directory which shows the date when the information was most recently modified as well as the nature of the information.

Regular Review of Backup Data Through Auditing Procedures
All backups as specified in the Backup Control List in all departments, units and branches must be included in the regular or compliance auditing procedures performed by the Audit Division.

XI. Personnel Controls

11.1 Information Security Responsibility


ELECTRONIC FUND TRANSFER DISCLOSURE AND AGREEMENT ELECTRONIC FUND TRANSFER DISCLOSURE AND AGREEMENT For purposes of this disclosure and agreement the terms "we", "us" and "our" refer to Orrstown Bank. The terms "you" and "your" refer to the recipient

More information

Odoo Enterprise Subscription Agreement

Odoo Enterprise Subscription Agreement Odoo Enterprise Subscription Agreement Note: Version 6 - Last revision: October 3, 2017. By subscribing to the Odoo Enterprise services (the Services ) provided by Odoo SA and its affiliates (collectively,

More information

Tampa Bay Information Network TBIN Audit Plan

Tampa Bay Information Network TBIN Audit Plan TBIN Audit Plan Updated: 1 TBIN Audit Plan Table of Contents Introduction.3 Definitions & Acronyms....4 Documents...5 Purpose...6 Guidelines...6 Privacy.6 Client Consent...6 Privacy Notice 7 Removing TBIN

More information

LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR 2 WHAT KIND OF PERSONAL DATA DOES AN EMPLOYER PROCESS?

LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR 2 WHAT KIND OF PERSONAL DATA DOES AN EMPLOYER PROCESS? LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR On May 25th 2018, the General Data Protection Regulation ( GDPR ) will enter into force. With penalties of up to the higher of 20 million

More information

IBM Sterling Data Synchronization Manager

IBM Sterling Data Synchronization Manager IBM Terms of Use IBM Sterling Data Synchronization Manager The terms of this IBM Terms of Use are in addition to those of the IBM International Passport Advantage Agreement, the IBM International Passport

More information

The Company seeks to comply with both the letter and spirit of the laws and regulations in all jurisdictions in which it operates.

The Company seeks to comply with both the letter and spirit of the laws and regulations in all jurisdictions in which it operates. 1. Policy Statement CRC HEALTH GROUP, INC. CRC HEALTH CORPORATION CODE OF BUSINESS CONDUCT AND ETHICS It is the policy of CRC Health Group to conduct its business affairs honestly and in an ethical manner.

More information

DAIMLER GROUP NORTH AMERICAN COMPANIES

DAIMLER GROUP NORTH AMERICAN COMPANIES DAIMLER GROUP NORTH AMERICAN COMPANIES General Purchasing Conditions for IT Part G Lease of Standard Software 1 Subject Matter / Scope of Performance 1.1 General The terms and conditions of this Part G

More information

JACKSONVILLE STATE UNIVERSITY Manual of Policies and Procedures

JACKSONVILLE STATE UNIVERSITY Manual of Policies and Procedures JACKSONVILLE STATE UNIVERSITY Manual of Policies and Procedures POLICY NUMBER: DATE: May 1, 1987 REVISION/REVIEW DATES: Feb1990, Sept 1991, Mar 1997, May 1997, Aug 2000 SUBJECT: Computer Services APPROVED:

More information

ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016

ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016 ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016 Charles J. Brennan Chief Information Officer Office of Innovation and Technology 1234 Market

More information

IBM Emptoris Contract Management on Cloud

IBM Emptoris Contract Management on Cloud Service Description IBM Emptoris Contract Management on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients

More information

Corporate Background and Experience: Financial Soundness: Project Staffing and Organization

Corporate Background and Experience: Financial Soundness: Project Staffing and Organization A motion by Kentucky, on behalf of the Certification Committee, to adopt changes to the Governing Board Rules, Appendix C, Criteria and Minimum Standards for CSP Certification: Appendix C (04/07/2015)

More information

Guidance for the use of SSNs by State Government Entities

Guidance for the use of SSNs by State Government Entities New York State Information Technology Policy No: NYS-P10-004 Issued on: 7/07/2010 Guidance for the use of SSNs by State Government Entities Issued By: Melodie Mayberry-Stewart State Chief Information Officer

More information

Data Protection/ Information Security Policy

Data Protection/ Information Security Policy Data Protection/ Information Security Policy Date Policy Reviewed 27 th April 2016 Date Passed to Governors: 27 th April 2016 Approved by Governors: 7 th June 2016 Date of Next Review: June 2018 Data Protection

More information

OpenText Protect. 1. Introduction. Software Maintenance Program Handbook

OpenText Protect. 1. Introduction. Software Maintenance Program Handbook OpenText Protect Software Maintenance Program Handbook 1. Introduction Welcome to Open Text Corporation s OpenText (OT) Protect Software Maintenance Program. This handbook provides you with information

More information

Information Governance Clauses Clinical and Non Clinical Contracts

Information Governance Clauses Clinical and Non Clinical Contracts Information Governance Clauses Clinical and Non Clinical Contracts Policy Number Target Audience Approving Committee Date Approved Last Review Date Next Review Date Policy Author Version Number IG014 All

More information

IBM i Version 7.2. Systems management Advanced job scheduler IBM

IBM i Version 7.2. Systems management Advanced job scheduler IBM IBM i Version 7.2 Systems management Advanced job scheduler IBM IBM i Version 7.2 Systems management Advanced job scheduler IBM Note Before using this information and the product it supports, read the

More information

ATTACHMENT A CONTRACTOR SUPPLEMENTAL PRICELIST INFORMATION AND TERMS ALIEN VAULT

ATTACHMENT A CONTRACTOR SUPPLEMENTAL PRICELIST INFORMATION AND TERMS ALIEN VAULT ATTACHMENT A CONTRACTOR SUPPLEMENTAL PRICELIST INFORMATION AND TERMS ALIEN VAULT LICENSE, WARRANTY AND SUPPORT TERMS 1. DEFINITIONS ALIEN VAULT OSSIM by AlienVault means the AlienVault security information

More information

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors Living Our Purpose and Core Values CODE Code of Business Ethics and Conduct for Vendors December 2016 HCSC Vendor Code of Business Ethics and Conduct Since 1936, Health Care Service Corporation, a Mutual

More information

IF YOU DO NOT AGREE TO THESE TERMS, DO NOT DOWNLOAD, INSTALL OR USE BSS.

IF YOU DO NOT AGREE TO THESE TERMS, DO NOT DOWNLOAD, INSTALL OR USE BSS. Bitvise SSH Server End User License Agreement Bitvise Limited, a Texas corporation with its principal office at 4105 Lombardy Court, Colleyville, Texas 76034, USA, ("Bitvise"), develops a Windows SSH server

More information

Corporate Code of Business Conduct and Ethics

Corporate Code of Business Conduct and Ethics Corporate Code of Business Conduct and Ethics A MESSAGE FROM OUR CHAIRMAN, PRESIDENT AND CHIEF EXECUTIVE Honesty and integrity are paramount values at TRC. Our commitment to strict ethical standards has

More information

ITS Service Level Agreement

ITS Service Level Agreement SAN JACINTO COMMUNITY COLLEGE DISTRICT ITS Document Owner: ITS Customer Care 01/10/2012 Change Log: Revision Number Date Changes By PG5-SEC5.3 1/7/2015 Norberto Valladares PG5-SEC5.3 2/25/2015 Norberto

More information

VECTOR PIPELINE L.P. FERC Standards of Conduct Compliance Manual. (Revised Effective January 12, 2018)

VECTOR PIPELINE L.P. FERC Standards of Conduct Compliance Manual. (Revised Effective January 12, 2018) VECTOR PIPELINE L.P. FERC Standards of Conduct Compliance Manual (Revised Effective January 12, 2018) Supersedes Manual Dated February 3, 2014 Foreword This Compliance Manual has been prepared and provided

More information

Maintenance Policy. Error means any verifiable and reproducible failure of the Software to materially conform to the Documentation.

Maintenance Policy. Error means any verifiable and reproducible failure of the Software to materially conform to the Documentation. This Maintenance Policy ( Policy ) describes the current practices of Qlik with regard to its provision of Maintenance Services and Support Services as defined below (collectively Maintenance ) to customers

More information

Privacy Policy. 1. Introduction

Privacy Policy. 1. Introduction Privacy Policy 1. Introduction 1.1. BTI Executive Search (the Company ) respects your privacy and we acknowledge that you have certain rights related to any personal data we collect from you and we have

More information

PATAGONIA WORKS GLOBAL CODE OF EMPLOYEE CONDUCT

PATAGONIA WORKS GLOBAL CODE OF EMPLOYEE CONDUCT PATAGONIA WORKS GLOBAL CODE OF EMPLOYEE CONDUCT Photo: Mikey Schaefer Introduction Patagonia Works and all of its operating companies intend to be in business for a long time and operate in a way that

More information

SOX 404 & IT Controls

SOX 404 & IT Controls SOX 404 & IT Controls IT Control Recommendations For Small and Mid-size companies by Ike Ugochuku, CIA, CISA TLK Enterprise 2006, www.tlkenterprise.com INTRODUCTION Small, medium, and large businesses

More information

Baylor University Officer, (and) Administrative Employee and Other Employees Conflict of Interest Policy BU-PP 800

Baylor University Officer, (and) Administrative Employee and Other Employees Conflict of Interest Policy BU-PP 800 Baylor University Officer, (and) Administrative Employee and Other Employees Conflict of Interest Policy BU-PP 800 Revised 3/2006 1. APPLICATION This policy applies to each Baylor non-faculty employee

More information

Lindex Privacy Policy

Lindex Privacy Policy Lindex Privacy Policy Your integrity is important to us. Our Personal Data Processing Policy describes, among other things, what data we collect, the purpose for which it is collected, how you can control

More information

ASSOCIATED BANC-CORP CODE OF BUSINESS CONDUCT AND ETHICS

ASSOCIATED BANC-CORP CODE OF BUSINESS CONDUCT AND ETHICS ASSOCIATED BANC-CORP CODE OF BUSINESS CONDUCT AND ETHICS Introduction This Code of Business Conduct and Ethics covers a wide range of business practices and procedures. It does not cover every issue that

More information

Welcome to Northside Hospital s Annual / New Hire Compliance Training. 1 of 35

Welcome to Northside Hospital s Annual / New Hire Compliance Training. 1 of 35 2015-2016 Corporate Compliance Training Welcome to Northside Hospital s Annual / New Hire Compliance Training 1 of 35 Goals of Session 1. Review Northside s Compliance Program and Code of Conduct 2. Emphasize

More information

REQUEST FOR PROPOSALS

REQUEST FOR PROPOSALS ` REQUEST FOR PROPOSALS Delivery of Information Technology Services Scott Simon Executive Director Greg Beck Assistant Executive Director/Point of Contact Response Deadline March 29, 2019 4:00 PM Page

More information

ELECTRONIC FUND TRANSFER DISCLOSURE AND AGREEMENT. Abington Bank 6 Harrison Avenue Abington, MA (781)

ELECTRONIC FUND TRANSFER DISCLOSURE AND AGREEMENT. Abington Bank 6 Harrison Avenue Abington, MA (781) ELECTRONIC FUND TRANSFER DISCLOSURE AND AGREEMENT Abington Bank (781)878-0045 www.abingtonbank.com For purposes of this disclosure and agreement the terms "we", "us" and "our" refer to Abington Bank. The

More information

Our Customer Relationship Agreement FIBRE TO THE HOME SERVICE DESCRIPTION

Our Customer Relationship Agreement FIBRE TO THE HOME SERVICE DESCRIPTION Our Customer Relationship Agreement FIBRE TO THE HOME SERVICE DESCRIPTION iinet Limited ACN 068 628 937 Phone: 13 22 58 1/502 Hay Street, Subiaco WA 6008 23 January 2015 Rules of interpretation and capitalised

More information

SPRINT CENTURION SM TECHNICAL ASSISTANCE SERVICE PRODUCT ANNEX

SPRINT CENTURION SM TECHNICAL ASSISTANCE SERVICE PRODUCT ANNEX SPRINT CENTURION SM TECHNICAL ASSISTANCE SERVICE PRODUCT ANNEX This Sprint Centurion Technical Assistance Service Product Annex, together with the applicable cover agreement (e.g., Sprint Master Services

More information

OUR CUSTOMER TERMS CLOUD SERVICES TELSTRA APPS MARKETPLACE

OUR CUSTOMER TERMS CLOUD SERVICES TELSTRA APPS MARKETPLACE CONTENTS Click on the section that you are interested in. 1 Applicable Terms 2 2 What is the Telstra Apps Marketplace? 2 3 Telstra Apps Marketplace General Terms 6 4 Telstra Apps Marketplace Support 12

More information

WHAT INFORMATION WE MAY COLLECT. "System Data" is information that is ingested or used by or generated through Digital Offerings, which may include:

WHAT INFORMATION WE MAY COLLECT. System Data is information that is ingested or used by or generated through Digital Offerings, which may include: Page 1 DATA GOVERNANCE STATEMENT Rev. 10/3/2017 This Data Governance Statement describes the practices of Cashman Equipment Company, its subsidiaries and affiliates (collectively "Cashman," "we," "us"

More information

CODE OF BUSINESS CONDUCT PENN NATIONAL GAMING, INC.

CODE OF BUSINESS CONDUCT PENN NATIONAL GAMING, INC. CODE OF BUSINESS CONDUCT PENN NATIONAL GAMING, INC. (as amended March 27, 2015) INTRODUCTION The reputation and integrity of Penn National Gaming, Inc. and its subsidiaries (the Company ) are valuable

More information

International Standards for the Professional Practice of Internal Auditing (Standards)

International Standards for the Professional Practice of Internal Auditing (Standards) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Attribute Standards 1000 Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the

More information

IBM Terms of Use SaaS Specific Offering Terms for US Federal. IBM Business Process Manager on Cloud for US Federal

IBM Terms of Use SaaS Specific Offering Terms for US Federal. IBM Business Process Manager on Cloud for US Federal IBM Terms of Use SaaS Specific Offering Terms for US Federal IBM Business Process Manager on Cloud for US Federal The Terms of Use ( ToU ) is composed of this IBM Terms of Use - SaaS Specific Offering

More information

General Policies & Procedures. SV 5.0 Clean Harbors Vendor Code of Business Conduct and Ethics

General Policies & Procedures. SV 5.0 Clean Harbors Vendor Code of Business Conduct and Ethics 1. Purpose This Code is intended to govern the conduct of Clean Harbors, Inc. and all of its subsidiaries Vendors when doing business with or on behalf of Clean Harbors, Inc. For the purpose of this Code,

More information

Privacy Statement. Information We Collect

Privacy Statement. Information We Collect Privacy Statement Kelly Services, Inc. and its subsidiaries ("Kelly Services" or Kelly ) respects your privacy and we acknowledge that you have certain rights related to any personal information we collect

More information

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2015

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2015 Document version: 2.8 Issued to: Harbinger Escrow Services Issued by: Harbinger Group Pty Limited Delivered on: 18 March 2015 Harbinger Group Pty Limited, Commercial in Confidence Table of Contents 1 Introduction...

More information

Assume that any action you take could ultimately be publicized, and consider how you and PCA would be perceived. When in doubt, stop and reflect.

Assume that any action you take could ultimately be publicized, and consider how you and PCA would be perceived. When in doubt, stop and reflect. CODE OF ETHICS ( Code ) 8.1 Purpose The purpose of the Code of Ethics and Business Conduct is to set forth basic principles to guide you in your day-to-day activities as an employee, officer, or director

More information

REQUEST FOR PROPOSAL INFORMATION TECHNOLOGY SUPPORT SERVICES

REQUEST FOR PROPOSAL INFORMATION TECHNOLOGY SUPPORT SERVICES REQUEST FOR PROPOSAL INFORMATION TECHNOLOGY SUPPORT SERVICES Family Service Center of Galveston County (hereinafter FSC) is requesting proposals from qualified, professional technology vendors for Information

More information

CONVENT OF THE SACRED HEART SCHOOL FOUNDATION FINANCIAL REGULATIONS

CONVENT OF THE SACRED HEART SCHOOL FOUNDATION FINANCIAL REGULATIONS CONVENT OF THE SACRED HEART SCHOOL FOUNDATION FINANCIAL REGULATIONS Approved by Convent of the Sacred Heart School Foundation, Board of Governors on 9 th October 2008 Policy Statement So that all officers

More information

BIG LOTS, INC. CODE OF BUSINESS CONDUCT AND ETHICS

BIG LOTS, INC. CODE OF BUSINESS CONDUCT AND ETHICS September 2003 BIG LOTS, INC. CODE OF BUSINESS CONDUCT AND ETHICS Introduction This Code of Business Conduct and Ethics covers a wide range of business principles to guide all directors, officers and associates

More information

Alameda Countywide. Care Council. Manual

Alameda Countywide. Care Council. Manual Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide InHOUSE Alameda Countywide

More information

Solution Terms for Secure Mobility (formerly known as Secure Mobility from Orange)

Solution Terms for Secure Mobility (formerly known as Secure Mobility from Orange) 1. Interpretation 1.1 The Secure Mobility Solution (referred to in these Solution Terms as "Secure Mobility" or the "Solution") is provided in accordance with the Customer s Agreement with EE. 1.2 Solution

More information

RELM WIRELESS CORPORATION (the Company ) CODE OF BUSINESS CONDUCT AND ETHICS

RELM WIRELESS CORPORATION (the Company ) CODE OF BUSINESS CONDUCT AND ETHICS RELM WIRELESS CORPORATION (the Company ) CODE OF BUSINESS CONDUCT AND ETHICS Introduction This Code of Business Conduct and Ethics covers a wide range of business practices and procedures. It does not

More information

IBM Operational Decision Manager on Cloud

IBM Operational Decision Manager on Cloud Service Description IBM Operational Decision Manager on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the contracting party and its authorized users and

More information

Service from the Start Bronze with Comprehensive Coverage

Service from the Start Bronze with Comprehensive Coverage Service from the Start Bronze with Comprehensive Coverage Part Number: SSB- Service from the Start Bronze with Comprehensive Coverage is a unique prepaid program that includes normal wear and tear, as

More information

Policies and Procedures

Policies and Procedures Policies and Procedures Provided by PROGuard The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ,

More information

POLICY AND PROCEDURE MANUAL Pennington POLICY NO Origin Date: 6/5/15

POLICY AND PROCEDURE MANUAL Pennington POLICY NO Origin Date: 6/5/15 POLICY AND PROCEDURE MANUAL Pennington POLICY NO. 617.00 Origin Date: 6/5/15 Biomedical Impacts: All employees Effective Date: 7/1/15 Subject: Mobile Device Policy Last Revised: Source: Director of Computing

More information