The document “Information Security Policy Framework” focuses on the strategy and roles for implementing the security policy at “Dubai Islamic Bank” (DIB). Information security has become an important aspect for any financial institution, and especially for a bank, in protecting critical information resources. This needs to be clearly highlighted so that adequate measures can be implemented to ensure that an acceptable level of security is in place at the systems and networking level.

The policy also addresses the password security guidelines for effective management of passwords associated with user and administrative profiles, network devices and other specialized peripheral devices associated with the infrastructure.

Responsibility of the Employees

The information security policy should be read completely and its importance should be understood. In case of any queries, write to the concerned department head. Keep corporate information confidential; do not share it with people outside DIB. Maintain the confidentiality of your password: only you are accountable for all the activities associated with your profile. Be observant, look for suspicious activities in your area and report them to your manager for corrective action. It is the responsibility of every individual to comply with this policy. Non-compliance may result in disciplinary action.

Components of security policy

The major components of the security policy are:
- Risk analysis – identification of critical assets
- Risk management – protection of identified assets
The objective is to make sure that employees of the bank know their roles and responsibilities in protecting information assets, and to emphasize the importance of secured communication.

Risk analysis – critical business applications

As all functions of DIB are automated, downtime of any system has a direct impact on efficiency and working. Some systems are mission critical as they directly affect customers. The mission critical applications are as follows, in order of priority:
- Core banking application
- Electronic messaging

Risk management

Risk management is the process of identifying potential threats.

Protection of information resources

Information resources, including customer information and other critical system parameters, should be protected from accidental or intentional modification or disclosure. This includes loss of information both physically and logically. Information should be classified by its business owners according to the level of risk associated with it. Once the information is classified, appropriate controls should be implemented to protect it.
Internet Security

Internet access would be granted to users for business purposes only.

Paper information security

Confidential information such as account statements, reports, ledgers, customer related information, the security policy, corporate policies and procedures, etc. should be retained in a secure and locked cabinet. Information such as software licenses or maintenance agreements, or information that is highly confidential, should be kept securely in a safe or fireproof cabinet with a combination lock enabled. Never leave your desk unattended for long hours. While dispatching memos / letters internally, they should be marked as “Confidential” with the recipient's name and address and should be sealed in an envelope.

Information security administration

The information technology division reserves the right to assign or revoke user permissions based on approved requests and to conduct entitlement reviews. A security officer should be assigned to conduct this task in segregation: the security officer is not involved in performing any transactions that conflict with the security administration function. The security officer is required to review security audit logs and exception handling reports, and to document any unusual or suspicious activity.

Compliance

Dubai Islamic Bank branches and corporate office divisions are required to ensure compliance with the rules and guidelines mentioned in the security policy. Divisional heads should have a formal documented process to conduct self-assessment on a semi-annual basis. These results should be communicated to the risk management team for mitigation activities.
The audit and implementation division should reference the security policy while conducting internal audits of branches / divisions. The system and operations division should ensure compliance for all the functional unit areas of Dubai Islamic Bank, and conduct self-assessments and periodic checks that regulatory and central bank requirements are being adhered to. A process should be in place to make sure that whenever a new project is launched, the concerned division ensures and verifies that security controls are implemented at the initial phase of the project.

The human resource division includes the security awareness program as an integral part of training. The IT quality assurance and compliance manager will ensure compliance with this policy for all systems and technology related platforms. Self-assessments and reviews will be conducted to validate that the relevant processes are in place. This unit will also circulate letters to create awareness among users to follow the security policy and abide by the rules and regulations as defined. In case of any incident or malicious or fraudulent activity, inform your respective manager and the divisional head IT for further investigation.
Social Engineering

Social engineering is the human action of breaking security. Users should be careful while talking both within and outside the organization. Information security can be violated very easily, or may fail, if an employee gives away confidential information, whether intentionally or unintentionally. Employees should be careful while talking on the telephone and answering questions from unknown callers, or when replying to an unknown email message. If a user is not sure whether to answer such a question, he/she should consult the line manager.

Information sharing

The confidentiality of information should be maintained. Information such as PIN codes, TPINs, passwords, customers' financial statements, the bank's budgetary statements and cash positions are all treated as confidential information and should not be shared among employees. Avoid reading confidential documentation in a public area. The classification of information as confidential or public / shared should be done by the information owners. Information that is required to be shared can be circulated in the form of a letter or policy document, or can be uploaded on the internet. Access rights should be implemented so that unauthorized people do not go through information that is meant for specific people. Employees can share information only if they have a valid business reason.

Installation of software applications

Applications / software installed on corporate systems should be licensed. Unlicensed software should not be installed on any system. All software installations would be carried out by the IT support staff, ensuring first that the said software fulfills the obligations of software licensing.
For third party software installations, the IT support staff would accompany such individuals, with prior scheduling and review of all hardware requirements and post implementation impacts. Users would be restricted from downloading and installing software, freeware and shareware, or evaluation copies of software on corporate laptops / workstations, as this increases the chance of installing a virus or Trojan and thus compromising critical corporate resources. Only standard corporate software on the approved list should be installed and accessed. In case there is a requirement to install an application other than the approved software, a deviation should be filed and approved by the divisional head IT, with subsequent approval from the group head IT. Users are not allowed to download and install flashy screen savers and desktop backgrounds; only the Windows default settings should be used.

Use of external media

Domain users are not allowed to connect personal laptops or workstations to the DIB network. Only corporate equipment should be connected to the corporate network. Any such attempt would be treated as an attempt to sabotage the network. Use of removable media such as floppy disks, CDs, DVDs, flash drives via the USB port, or any other external media on the DIB domain is strictly prohibited. If there is a business requirement, the media may be forwarded to the information technology division for scanning and uploading of the document into a shared folder with restricted access rights. Use of modems of any sort on corporate workstations / laptops, and dialing out to the internet over the corporate network, is strictly prohibited. Should there be a business requirement to do so, the said workstation would NOT be allowed to connect to the corporate network.