IT SECURITY PROCEDURES AND GUIDELINES ADRIJA SEN

Upload: avi2607

Post on 24-May-2015


DESCRIPTION

Slides on I.T. Security.

TRANSCRIPT

Page 1: It security

IT SECURITY PROCEDURES AND GUIDELINES

ADRIJA SEN

Page 2: It security

INTRODUCTION

Major advantage of computer – data storage.

All data and information stored.

Minimizes paper work.

Networking of branches and banks provides service through the internet or mobile.

Exposes the data across the globe.

Serious problems relating to data integrity and security.

Page 3: It security

OBJECTIVE OF PROVIDING DATA SECURITY

1. To guarantee a certain level of availability of services.

2. To guarantee the integrity of the data exchanged and stored.

3. To guarantee the confidentiality of the data exchanged and stored.

4. To guarantee the authenticity of the user.

5. The data and the systems can be audited whenever required and generate sufficient audit trails to detect any misuse.

Page 4: It security

THREATS

Accidental damages (beyond one’s control)

Environmental hazards,

Errors and Omissions.

Malicious damages (more serious nature)

Page 5: It security

ACCIDENTAL DAMAGES

Most common cause of damage to computer installations, equipment and data.

ENVIRONMENTAL HAZARDS

Spikes in power and improper grounding (earthing).

Excessive humidity, water seepage and floods.

Radio transmissions affecting data transmissions.

ERRORS AND OMISSIONS

System design and process development.

Program maintenance and while carrying out correction procedures.

Data entry at the time of terminal operations.

Page 6: It security

EFFECT OF ACCIDENTAL DAMAGES

Significant commercial consequences.

Requires close attention to the planning of computerized systems.

Opportunities of fraud may arise because of poor systems design.

Page 7: It security

MALICIOUS DAMAGES

A computerized environment provides a number of new opportunities for fraudsters.

Primarily due to the ease with which fraudsters can hide their actions on computer systems.

From disgruntled employees who wish to disrupt the service.

From individuals with wrong intentions who use technology to perpetrate fraud for financial gain.

Page 8: It security

EFFECT OF MALICIOUS DAMAGES

Interruption in banking services.

Services get affected immediately - links to automated teller machines, POS or other electronic networks are brought down.

Insufficient processing capacity to cope with the additional load.

Leads to suspension of the banking facility unless adequate contingency plans have been specified and tested beforehand.

Consequential cost of a serious system failure exceeds the cost of replacing damaged equipment, data or software.

Loss of time.

Page 9: It security

FRAUDS

Special program - a utility program used to make unauthorized changes to computerized records that bypass the normal control facilities built into the computer systems.

Unauthorized manipulation of programs or data that bypasses password controls: the relevant files are removed from their primary location, transported to another computer and returned after manipulation.

Unauthorized amendments made to the payment instructions prior to their entry into the computer system.

Unauthorized changes to programs made during routine development or maintenance which cause the program to generate accounts or remove records of transactions.

Page 10: It security

CRYPTOGRAPHY (DATA ENCRYPTION)

Encryption – To maintain secrecy.

Ensures message is not altered fraudulently or accidentally

Plain text

Cipher text

Public key – Known by all the business partners

Private key – User alone knows

SYMMETRIC KEY MECHANISM

ASYMMETRIC KEY MECHANISM

Page 11: It security

CRYPTOGRAPHY

Figure: the user encrypts plaintext P with key K, C = Encrypt_K(P); the ciphertext C travels over the Internet; the server decrypts with the same key K, P = Decrypt_K(C), recovering the plaintext.

Page 12: It security

SYMMETRIC KEY CRYPTOGRAPHY

Single Key – Secret Key, Private Key, Symmetric Key

Used for both encryption and decryption of message.

Sender and recipient must possess same secret key.

Not useful on large networks like the internet.

Useful when network is very small and parties are already known to each other.

Page 13: It security

ASYMMETRIC KEY CRYPTOGRAPHY

KEY – a series of characters, fabricated carefully using numerical values, used to encode a message; the message can be read by a person in possession of that key or any other related key.

This type of cryptography is very powerful and uses public keys.

KEY SECRECY – The public key is not a secrecy issue.

The private key must be secret and not shared with anyone.

If the private key is compromised, security is threatened.
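As an added example (written for this page, not from the slides), both mechanisms in Go's standard library: the symmetric round trip of the slide 11 diagram, C = Encrypt_K(P) and P = Decrypt_K(C) with one shared key K, using AES-256-GCM, whose authentication tag also detects an altered ciphertext; and the asymmetric case of slide 13 with an RSA-OAEP key pair, where business partners encrypt with the public key and only the private-key holder can decrypt. The key sizes, nonce layout and function names are this example's own choices.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// newGCM wraps AES in GCM mode; the GCM tag makes any alteration of C detectable.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt is C = Encrypt_K(P): user and server share the one key K (slides 11-12).
// Output layout: random nonce || ciphertext || authentication tag.
func SymmetricEncrypt(key, p []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, p, nil), nil
}
// SymmetricDecrypt is P = Decrypt_K(C); it fails if C was altered in transit or K differs.
func SymmetricDecrypt(key, c []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(c) >= n {
		return gcm.Open(nil, c[:n], c[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// Asymmetric (slide 13): the private key stays secret with its owner, the public key is shared.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func AsymmetricEncrypt(pub *rsa.PublicKey, p []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, p, nil)
}
func AsymmetricDecrypt(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c, nil)
}
```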

Page 14: It security

COMPUTER SECURITY

Physical Security

Logical Security

Network Security

Biometric Security

Page 15: It security

PHYSICAL SECURITY

Intrusion prevention – locking, guarding

Intrusion detection

Disturbance sensors

Barrier detectors

Buried line detectors

Surveillance

Document security

Power protection

Water protection

Fire protection

Contingency planning

Page 16: It security

STEPS INVOLVED IN PHYSICAL SECURITY

Make complete and detailed inventory of all hardware and equipment.

Make use of alarm systems to prevent equipment being stolen.

Regularly take backup of all software, data and databases on a backup media.

Keep the backup in a secure and protected place.

Encrypt confidential data/information.

Entry into office premises should be restricted.

Proper systems for identification of outsiders in the premises.

Page 17: It security

DOCUMENT SECURITY

Prepare inventory of all important records.

Identify persons responsible for different types of records.

Classify and store the records which are vital to the bank.

Dispose of all those records which are not required.

Transfer all important records to safe storage media.

Hard copies should be secured in plastic containers.

Off-site arrangements for storing all important records should be in place.

Page 18: It security

LOGICAL SECURITY

Related to software access control.

Software resources and applications require protection.

A barrier is to be maintained between the users and software resources.

Access control to resources is based on 2 levels:-

Authorisation

Authentication of the authorised person.

Authorisation – The Data Base Administrator (DBA) provides rights to different types of users to access particular software.

Authentication – Process of verification of the identity of the user who is going to log in to the system.

Page 19: It security

Some computer systems provide special levels of security.

Multi-access control – involved at

User level – Only an authorised user can enter the program.

Terminal level – If the user knows the password of the system itself, he/she can go further.

Menu level – If the user knows the password for reaching the next level, he/she can go further.

File level – If the user knows the password to manipulate the file, only he/she can do so.

Application level – If the user knows the password for running the application, only he/she can do so.

Page 20: It security

Internal access control – Involve particular information like date, time, identification of user, etc.

Limiting the number of unsuccessful attempts – The system gets locked when a wrong password is entered a specific number of times.

Audit trail – A record of accesses is created automatically, so that the access events can be reviewed later.

Limiting access of users to directories – Access of users is limited to particular directories, subdirectories, files and packages.

Encryption of data and files – Can be opened only with the appropriate symmetric or asymmetric key.
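An added example (Go, written for this page and not taken from the slides) of the internal access controls on slide 20: authentication of a user against a stored salted hash (slide 18), a lockout once MaxFailures wrong passwords have been entered, and an audit-trail entry for every attempt so that misuse can be detected afterwards (objective 5 on slide 3). The type names, the limit of 3 and the per-user salt are assumptions of this example.

```go
package main
import (
	"crypto/sha256"
	"crypto/subtle"
	"time"
)

const MaxFailures = 3 // slide 20: refuse further logins after this many wrong passwords (constructed limit)
type account struct {
	salt, hash []byte
	failures   int // reset by a good login; reaching MaxFailures locks the account
}
// AuditEntry is one record of the audit trail that objective 5 on slide 3 asks for.
type AuditEntry struct {
	When        time.Time
	User, Event string
}
type Authenticator struct {
	accounts map[string]*account
	Trail    []AuditEntry
}
func NewAuthenticator() *Authenticator { return &Authenticator{accounts: map[string]*account{}} }
// hashPassword is a salted SHA-256 stand-in; a real system uses a password hash such as bcrypt or argon2.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}
// AddUser stores only the salted hash, never the password itself.
func (a *Authenticator) AddUser(name, pw string, salt []byte) {
	a.accounts[name] = &account{salt: salt, hash: hashPassword(salt, pw)}
}
func (a *Authenticator) audit(user, event string) {
	a.Trail = append(a.Trail, AuditEntry{time.Now(), user, event})
}
// Authenticate (slide 18) returns true only for a correct password on an unlocked account; every attempt is logged.
func (a *Authenticator) Authenticate(user, pw string) bool {
	acc, known := a.accounts[user]
	if !known || acc.failures >= MaxFailures {
		a.audit(user, "refused: unknown user or locked account")
		return false
	}
	if subtle.ConstantTimeCompare(acc.hash, hashPassword(acc.salt, pw)) != 1 {
		acc.failures++
		a.audit(user, "wrong password")
		return false
	}
	acc.failures = 0 // a successful login resets the counter
	a.audit(user, "login ok")
	return true
}
```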

Page 21: It security

NETWORK SECURITY

Data and resources are shared on a LAN.

The network requires a great deal of security from intruders.

Physical intrusion – When the intruder has physical access to nodes.

- Can use the computer to get onto the network.

- Can remove peripherals from the system.

- From one system, data can be sent to another system in an unauthorised manner.

System intrusion – The intruder is a person who has some rights to use a user account.

- If there are no proper checks in the system, the intruder may enter different packages to gain administrative advantages for which he is not authorised.

Page 22: It security

Remote intrusion – When intruder tries to penetrate a system from remote location across the network – Hacking.

BIOMETRIC SECURITY

Technique to measure physical characteristics which is capable of verifying the identity of an individual.

Two types:-

Physiological – More reliable

Behavioural

Page 23: It security

Physiological Technology – involves

Finger or Hand Pattern Recognition – Highest level of identification; mature and reliable technology.

Voice recognition – Pattern of pronouncing words; frequency characterisation and mannerism are taken into account in these techniques.

Iris Recognition – A freshly taken video picture of the iris is compared with the stored template.

Behavioural Technology – Signature recognition

Page 24: It security

THANK YOU