Information Security Awareness Training For Users: Presentation by Sbiicm Hyd

Information Security Awareness
Training for Users
PRESENTATION BY SBIICM HYD
Security Myths
There is nothing important on my computer

Technology alone can solve the security
problems
I dont have anything to contribute in the
security of my computer..
PRESENTATION ON INFORMATION SECURITY SBIICM HYD
This could happen from my PC..!!
Critical data is accessible to others because I

have left my PC/terminal unattended
Virus infection in my machine brings down
the entire branch/administrative office
My account (User ID) is used to commit fraud
because my password is weak
Frauds undermine the image of my Bank..
Why IS Security Policy?
Need to establish Information Security

strategy to achieve
Confidentiality,
Integrity and
Availability of the information and
information systems.
Regulatory requirement RBI audit will
now cover IS Policy compliance..
Banks IS Security Initiatives
Establishment of Information Security

Department for development,
updation, dissemination & compliance
review of Information Security Policy
Centralized Anti-Virus solution
Firewalls & Intrusion Detection Systems
Compulsory flow of policy awareness
among end users to prevent / report
occurrence of incidents..
New IS Policy Version 3.0
Approved by ECCB in Sep11

Previous version 25 domains
New version 33 domains (8 new domains)
For end users all domains are not equally
important
Top priority area of IS Policy for majority end
users is Acceptable Usage Policy..
Acceptable Usage Standards
Desktop Usage
Antivirus
Laptop & other portable devices Security
Password Security
Internet Usage
E-mail Usage
Document & Storage Security
Incident Reporting
Information Security violations
Desktop Usage
Initiatives by Bank
Implementation of desktop Secure Configuration Document
Patching of operating system at Bank level
Your Support
Screen savers are for more than cute pictures, enable the screen
saver with password protection
Taking a break Log off before you leave
Done for the day ..Shut down and power off
Protect the confidential file with password
Do not enable remember my password option on your PC
Modems- when I connect to Internet, the world connects to me
Installing software- licensed version only and required for business
purpose..
Anti virus
Initiatives by bank
Centralized anti-virus product/support team

Automated real time scan of all files
Automated virus signature update
Your support
Do not change anti-virus settings

Do not disrupt scheduled virus scan
Report if any virus is detected & not cleaned
Report if anti-virus agent is not working or not upto
date..
Key Idea I am responsible for the security of

my desktop or MPD
Use it as it is
Lock before you leave
Password Security
Passwords should be easy to remember but

difficult to guess.
Weak passwords
Your personal information like name, initials,

names of family members or their variations
Common words found in dictionary
Patterns like 1111, aaaa etc..
Password Security
Strong Passwords
Min 8 characters
Mix of numbers (1,2..), capital letters (A,B..) and special
characters (!,@..)
Make simple words complex H1m@l@y@
First letter of sentence J&Jwuth
Note: Do not use these examples as your passwords
Change your password
Frequently - at least every 90 days
Immediately if you suspect somebody knows it
User should report to the System Official if account is
locked out before 3 invalid attempts..
Password Security
Do not share your passwords

Do not type your password
When someone else can see you
and dont look when someone else is typing
Do not write your password
If required, ensure it is adequately secured and

adequately masked or scrambled..
Key Idea
I am accountable for all actions carried

out using my user-id/password.
Internet Usage
Initiatives by Bank
One central Internet gateway for all offices on SBIConnect

No separate Internet connection at SB-Connect
offices. Separate standalone connection permitted
with the approval of IT - networking dept only
Firewall, Anti-virus and URL filtering protection at
the gateway
User-id/password based access control
Bank has the right to monitor internet usage and
take appropriate action in case of misuse..
Internet Usage Guidelines
Access internet primarily for business purposes.

Occasional and reasonable personal use
Configure browser not to remember passwords
Set browser security to medium
Ensure that all downloads are scanned for virus before
opening
Users should not:
Download/distribute protected material
Access websites by clicking on links provided in
e-mails
Download free utilities - can be dangerous
Upload data belonging to the Bank
post views or opinions on behalf of the Bank on any
internet site without proper authorization..
Key Idea
The less I download and less I reveal, the

better off I am
Internet
E-Mail Usage
Initiative by Bank
Central E-Mail server
Your support
Save important mails for record purpose on your PC
Secure critical documents while sending over email
Zip the file with password protection
Verify From: address for important email
Exercise caution when clicking on Internet links provided
in e-mails
Do not use e-mail for critical transactions requiring legal

authentication of sender like payment or transfer of
money as it is difficult to legally establish the identity of
sender of email messages unless they are digitally
signed.
Do not send SPAM and chain mails..
E-Mail Usage
Use only official email ID for business purposes

Do not use official e-mail ID
For personal work
For registration on Internet sites
Exercise caution with email attachments
Attachments can contain viruses
Never open attachments from an unknown person
Even if the person is known, do not open
If mail subject or attachment have
doubtful/dubious names
If you are not expecting an attachment..
E-Mail Usage
Forward e-mails only if necessary

Do not forward spam mails / chain mails
Report spam to report.spam@sbi.co.in
Do not solicit, encourage or engage in non
business behavior
Do not send material or use language that is
abusive, obscene or racist
Do not transmit any software or document that
is protected by copyright or any other law..
E-Mail Usage
Email sent from official ID is equivalent to signed

official communication.
All official email communication should include
following details:
Subject - brief of the text to be sent, should not

be left blank.
Should contain name of sender along with

Designation, Department and Contact Number.
Should not be sent Anonymous or using generic

names like Designation or Department Name only.
Tag line or messages should not be used below

signature..
E-Mail Account Protection
Protect the account with a strong password

Do not share your password
Do not subscribe to mailing lists or social
networking websites from your official e-mail
ID leads to mailbox overflow
Do not post messages to internet newsgroups
or discussion boards avoid spam attacks
Do not provide e-mail IDs of colleagues to any
website, mailing list, newsgroup, etc..
Key Idea
My email is as official as Banks letter

head.
It can be interpreted to represent the
bank.
Document Storage & Security
Mark sensitive documents as confidential in

both print & electronic format
Do not leave confidential documents
unattended at any time
Adopt a clean desk policy reduce risk of
unauthorized access
Label removable media (Tape, CD, etc)
containing sensitive information as
Confidential..
Security of Information
Donot discuss sensitive information with

outsiders / employees who do not need to
know
Do not discuss sensitive information in public
places
Donot give out sensitive information over
email/telephone
Donot leave sensitive documents on your
desk/printer/fax/ public places..
Key Idea
If the information is confidential, treat it

with caution.
Incident Reporting Everybodys

Business
Report security incidents to
Local System Administrator/Service Desk

By e-mail to isd.cc@sbi.co.in
Possible incidents include..
Abnormal system resource usage

Abnormal, slow response for
application
Data corruption
Virus infection
Change in desktop settings
Account lockout
Violation of policy by others..
Security Violations
Connecting modems to machines without

approval
Introducing virus
Sniffing on the network
Password guessing
Computer impersonation
Erasing or modifying data on central systems
without authority
Running scans or attack tools..
Security Violations
Bypassing access control mechanisms

Exploiting any system vulnerability
Installing or distributing unlicensed software
Vandalism
Computer fraud or theft
Downloading or transmitting objectionable
content ( through e-mail or internet)..
Key Idea
Do not intentionally attempt to cause

harm to banks information systems
SECURITY IN APPLICATIONS
Core Banking
ATM
Internet Banking
Mobile Banking
Security in Core Banking
In B@ncs-24 system, there are three basic

entities:
User
Customer / Account
Transaction (Business Operation)
There are 3 security features available in

Core Banking:
1. Capability Level 2. Posting Restrictions
3. Data Security ..
User-id in Core Banking:
The user-id in Core Banking is same as the

employee's Provident Fund (PF) number, which
ensures its uniqueness.
For close monitoring, the User-ids are linked to
the specific branch code to which the user
(staff member) is attached.
Further validation is carried by checking
against the user's security clearance level for
i) user group, ii) application and
iii) transactions ..
Revised Password protection in

CBS wef 05.11.2011
The password should contain minimum 8 and

maximum 10 characters
Password should contain atleast one alphabet in
capital letter, one numeral and one special
character.
System will not accept last 5 passwords at the
time of changing password.
The User ID will be suspended whenever the user
tries to login with a wrong password thrice.
The User ID can be reset only by an authorized
officer and approved by another officer..
Access Control in CBS
User access validation is carried out by:

Sign-on / sign-off at terminal and operator
levels
User capability level and user group level
(after successful sign-on)
Branch location
Terminal numbers are allotted to all users and
while logging in, a user should use the terminal
allotted to him / her..
Access Control in CBS (contd..) :
If away from the terminal only for a brief period,

users should lock their system by accessing the
icon provided on the screen.
At Branches a User Control Register is available
to record the details of changes & amendments of
user types, capability levels, forced closures, user
resets etc. User Control Register should be
meticulously maintained.
All accesses by the authorized users are tracked by
the system..
Transaction Security in CBS
For all user-input transactions, including

reversals and correction entries and those in
intermediate accounts, vouchers should be
prepared.
All transactions put through by users that
require authorization are sent for authorization
in Queue with a unique queue number.
The system generates Trace No. / Journal No.
for all the committed transactions, at the Host
(CDC) which ensures a unique identity for each
transaction..
Security in ATM
Initiatives by Bank
Bankss ATM system is ISO 27001 certified
The physical security of ATMs is ensured by

access locks.
No one can enter the ATM kiosk without a valid

card.
Once inside the ATM, VSS (Video Surveillance

System) or DSS (Digital Surveillance System )
records activity..
SECURITY IN ATM
Logical security is taken care of by the PIN. It is

impossible for anyone to operate the account
without the physical possession of the card and
knowledge of the PIN. These kind of security
which relies on two factors (something you have
and something you know) is called two-factor
authentication and is more secure than log-in id
and password.
Our ATM network is secure and robust, to satisfy
the security triad of confidentiality, integrity and
availability..
Security in ATM
Your Support
Register your Mobile number at your Branch to get SMS alerts

for all your transactions
Change your PIN after first usage & periodically thereafter.
Never keep the PIN with the card. Never write it on the
card. Best to memorize it.
Dont use personal information like year of birth, vehicle no.
etc as your ATM PIN.
Hide keypad with one hand while keying in your PIN at ATM /
POS terminals.
Dont ask for help from strangers to operate the ATM.
Block and destroy your old card, when you get a new one..
Security in ATM
Your Support
Insist on swiping your card in your presence at POS

terminals in hotels/shops/malls etc. Do not disclose your
PIN
Do not throw your transaction slip in ATM room; it
contains your account details and balance.
Do not transact if you observe any attachments or
unusual devices connected to the ATM.
Check your account statement periodically.
If you lose your card, Hot list it immediately. Call 1800112211 / 1800-4253800 for BSNL and MTNL Landline or
080 26599990 from any other landline / mobile phone..
Security in ATM
Your Support
Do not provide ATM card & PIN details to any one, not
even to the Bank/ IBA/RBI/ Govt. Agency. Bank or any
other institution will never ask for this information.
Never disclose your PIN or handover your ATM card to
anyone, not even to your family members.
Do not use the ATM, if you feel the place is "crowded" or
unsafe. Come back later
Before using State Bank ATM-CUM-DEBIT Card for online
transactions, register for SBI 3D Secure Service available
through www.onlinesbi.com.
Dont leave the ATM until your transaction is complete..
SECURITY IN INTERNET BANKING
Initiatives by Bank
Verisign certified 256-bit SSL encryption
technology. ISO 27001 certified.
Addition of Third party : Secured & Unique
Multilevel password
Transaction in pre-defined accounts
Transfer up to defined limits
High Security option with SMS based password
Auto expiry of session
Virtual Key Board Facility
Stop payment of cheques online ( 8 to 8)
New feature - Lock User Access ..
Your support
Bank will never send you an e-mail asking you to submit

personal or financial information such as your username,
password, PIN number or credit card number.
Any e-mail which asks for such information is fraudulent
and should be deleted immediately. Any attempt to steal
personal information by sending fraudulent e-mails is
technically known as Phishing.
Do not be lured if you receive an e-mail promising you a
reward for providing your personal information and do
not be afraid if the email warns of an impending
penalty for non compliance..


Your support
Access OnlineSBI only by typing the URL:

www.onlinesbi.com in the address bar of your browser. Do
not click on links in any e-mail message to access the site.
If you receive any suspicious or fraudulent emails, forward
the same to us immediately at report.phishing@sbi.co.in
If you have accidentally revealed any confidential
information, report the same immediately at
report.phishing@sbi.co.in
If you receive an e-mail purportedly sent from a bank or a
trusted organisation, promising a reward or warning of
penalty for non compliance, verify its authenticity by
contacting the bank or the organisation..
MBS BASICS
Mobile banking model consists of four important components:

The Bank
Mobile Network Operator (MNO):
The Customer
Mobile Banking Technology Vendor (MBTV)
Mobile banking technologies can be categorized into two
environments:
Client Side Technologies: Built or embedded on a consumer
SIM or mobile handset. ( JAVA based mobile application)
Server Side Technologies: applications built on a server,
away from the consumers SIM or Mobile handset. (USSD)..
MBS - SECURITY FEATURES
INITIATIVES BY BANK
Authentication data (PIN/User-ID) is encrypted and stored
in the SIM / Memory of mobile.
Authentication data is stored in an encrypted format in the
application server from where it is transferred to the
SIM/Mobile Application. Minimum 6 character customer PIN.
All transactions (fund based and enquiry based) are allowed
only after authentication of the user id and the PIN
associated with it.
The PIN sent to the customer through SMS is valid only for
the first login and the customer is prompted to change the
PIN at the first login itself..
YOUR SUPPORT
Lock your phone with a PIN or password when not in use.

Always Keep your mobile device in a safe location
Avoid using Mobile Banking in crowded place. Shield the mobile
keypad from onlookers while entering the user-id and the mpin
SBI never asks for your personal information like account
number, User ID or MPIN. Never disclose your personal
information over text message to anyone or to any number
seeking such information.
Download the Mobile Banking application only from the Banks
site www.sbi.co.in, click on Services Mobile Banking or the
WAP link that you received along with the User ID..
YOUR SUPPORT
Maintain the secrecy of your MPIN. Memorise your MPIN.
Dont write it down/ record it anywhere or share it with
anyone or store it in your mobile phone.
If the mobile phone or SIM is lost immediately deregister from
Mobile Banking at your nearest State Bank Group ATM or your
home branch. Call your mobile service provider to block your
SIM
Change your MPIN at regular intervals. Use complex
alphanumeric MPIN
For using Mobile Banking service over WAP, never click on any
links. Always type in http://mobile.prepaidsbi.com/sbiwap/
in your mobile browser..
YOUR SUPPORT
Check your linked accounts on a regular basis
Once your transaction is over, logout of WAP mobile
banking website and then close the browser.
Delete any SMS from the Bank that might contain your
personal information like, userid, MPIN received at the
time of registration, or details sent to you -.
Do not part with your ATM card and PIN as this may be
misused for Mobile banking registration..
MBS INCIDENT MANAGEMENT
In the event of customer reporting loss of

mobile device, mobile banking service is
deactivated either by the customer from the
Banks ATM or from the Branch..
Promoting Information
Security
Overall Key Message
Security mindset
Responsible use
Our Commitments
I believe...
Strong information security, will help our bank to
use technologies effectively. It will also help in
maintaining our image, as the most reliable and

trust worthy bank in India..
Our Commitments
I understand.
The importance of information security and agree
to take all reasonable precautions, to protect the
information assets of the bank..
Our Commitments
After attending this session
I know my role in maintaining information

security in my work environment. I am aware
that the rules mentioned, cannot cover all
practical situations that might occur. I will
therefore do my best, to interpret them in the
right spirit i.e. in the way I believe a responsible
user will act..
Thank You

Information Security Awareness Training For Users: Presentation by Sbiicm Hyd

Uploaded by

Copyright:

Available Formats

Information Security Awareness Training For Users: Presentation by Sbiicm Hyd

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Information Security Awareness Training For Users: Presentation by Sbiicm Hyd

Uploaded by

Copyright:

Available Formats

Information Security Awareness

Training for Users

PRESENTATION BY SBIICM HYD

There is nothing important on my computer

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

This could happen from my PC..!!

Critical data is accessible to others because I

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Why IS Security Policy?

Need to establish Information Security

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Banks IS Security Initiatives

Establishment of Information Security

New IS Policy Version 3.0

Approved by ECCB in Sep11

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Acceptable Usage Standards

Centralized anti-virus product/support team

Do not change anti-virus settings

Key Idea I am responsible for the security of

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Passwords should be easy to remember but

Your personal information like name, initials,

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Do not share your passwords

When someone else can see you

and dont look when someone else is typing

Do not write your password

If required, ensure it is adequately secured and

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

I am accountable for all actions carried

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

One central Internet gateway for all offices on SBIConnect

Internet Usage Guidelines

Access internet primarily for business purposes.

The less I download and less I reveal, the

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Do not use e-mail for critical transactions requiring legal

Use only official email ID for business purposes

Forward e-mails only if necessary

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Email sent from official ID is equivalent to signed

Subject - brief of the text to be sent, should not

Should contain name of sender along with

Should not be sent Anonymous or using generic

Tag line or messages should not be used below

E-Mail Account Protection

Protect the account with a strong password

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

My email is as official as Banks letter

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Document Storage & Security

Mark sensitive documents as confidential in

Donot discuss sensitive information with

If the information is confidential, treat it

PRESENTATION ON INFORMATION SECURITY SBIICM HYD

Incident Reporting Everybodys

Report security incidents to