Policy #1 - Justifying and Acquiring Computers
Procedure #1 - Justifying and Acquiring Computers
Justification
Acquisition
Policy #2 - Implementation of Software
Procedure #2 - Implementation of Software
1. Satisfy the perceived need of the user.
2. Be properly documented in accordance with established standards.
3. Provide for proper controls, file backup and retention.
4. Utilize a "business expert" from the User Department to work with the Information Systems Department.
Policy #3 - Copyright Protection
Procedure #3 - Copyright Protection
Policy #4 - Physical Security for Corporate Information
Procedure #4 - Physical Security for Corporate Information
1. Users should store data, whenever possible, to their default directory, which maps to a corporate fileserver (i.e., f:\private\username).
2. Users of stationary computers should not purposely store data to their computer's local hard drive. The backup of local hard drives is not the responsibility of the Information Systems Department.
3. Notebook users are responsible for the physical safety of the notebook and the information stored on it. Power-on passwords may be utilized, or the Information Systems Department can install a third-party application for password protection.
4. If a notebook computer is used outside the bank, data files saved to the local hard drive (C drive) should be re-saved to F:\private\username when the notebook is brought back into the bank. I.S. personnel are not responsible for data backups on local hard drives.
5. For application software with password protection, passwords should be committed to memory and changed at frequent intervals.
Policy #5 - Virtual Security for Corporate Information
Procedure #5 - Virtual Security for Corporate Information
Border Manager Server -
The Internet is considered the bank's most significant potential point of entry. To offset (and nullify) the risk of outside intrusion, the bank has Novell's Border Manager installed on a fileserver as a firewall. The Border Manager software program utilizes NAT (Network Address Translation), which masks or hides the bank's internal computers from the "outside world." All the bank's Internet users access the Internet via the Border Manager Server, and use NAT.
To/From Internet:
WebAccess Server -
The WebAccess Server hosts the bank's GWIA (GroupWise Internet Agent) and our Web Server for web-based access to GroupWise. This server is in a DMZ (De-Militarized Zone) with limited exposure to the Internet and is protected by the bank's firewall.
Vulnerability Testing -
The bank utilizes the services of Aimnet Solutions to perform semi-annual vulnerability tests of the bank's internal network (including the Firewall, the WebAccess Server, the Internet Router, the bank's website and its inventory of modems). As part of the audit, a comprehensive report is produced that is utilized by I.S. management to ensure that adequate steps are taken to prevent security breaches by hackers and others that might attempt to launch hostile attacks against Xxxxxxxxxxx's systems.
Intrusion Detection -
The bank utilizes a network-based Intrusion Detection System (IDS) by AXENT Technologies, Inc. This system utilizes two separate modules that reside in front of and behind the bank's firewall, detecting and reporting on common operating system attacks that may come from the Internet or from inside the bank's environment. Two members of the I.S. team will be trained in the specifics of this system and will be notified (via text-based pagers) should the system detect an abnormality.
Virus Protection -
Virus protection is utilized on the Internet Gateway, all bank fileservers and all user workstations and/or notebook PCs. Virus protection is covered thoroughly in Policy #11.
Data Encryption -
The bank's standard for data encryption is PGP (Pretty Good Privacy). All users are instructed to utilize this technology when sending confidential information as an e-mail attachment. This subject is covered thoroughly in Policy #13.
Retail Branch Servers -
Each of the servers in the bank's retail branch locations has a direct connection to NCR via its frame relay network, creating a possible point of entry at each branch. NCR runs a firewall protecting both themselves and their clients from intrusion.
Modem Pools -
The bank utilizes one modem pool as a means to provide a cost-efficient alternative to modem usage. The modem pool utilizes Novell's NetWare Connect product. The modem pool is configured for "auto-answer = no" as this modem pool is used exclusively for outgoing calls. Incoming callers, when enabled, are presented with 1) a NetWare Connect password, 2) a pcAnywhere username and password, and 3) a NetWare username and password.
Action Team -
Xxxxxxxxxxx believes its data security strategy - via the above-mentioned complement of products and processes - is designed effectively and provides the bank with a secure architecture for customer and employee information.
7) The Chief Operating Officer will be the liaison between I.S. management and the bank's Board of Directors in reporting the incident, the response, the repair and possibly the prosecution of the guilty individual/s.
Policy #6 - Data Backup
Procedure #6 - Data Backup
Backup Procedure
Policy #7 - Data Recovery
1. A more recent or current backup copy has been made and the copy in remote storage is out of date.
2. A disaster has occurred causing data to be inadvertently destroyed.
3. The data on the backup media is no longer considered to be critical to the operations of the department and/or the bank.
Procedure #7 - Data Recovery
1. The Disaster Recovery Coordinator must be notified that a disaster has occurred.
2. The media must be made "write protected."
3. Once the backup media has been used to recreate the lost data, it must immediately be returned to the off-site location.
Policy #8 - Computer Maintenance/Repair
Procedure #8 - Computer Maintenance/Repair
1. At the time of failure, the user should make every effort to document the failure as clearly and completely as possible.
2. After the failure is properly documented, the user should contact the Information Systems Department (i.e., Enterprise Support Line or the Retail Branch Support Line) and report the failure.
3. The Information Systems Department will place a service call with the appropriate vendor.
4. In instances where the use of the computer is critical to the operation of the bank (typically a retail branch), the Information Systems Department will make reasonable effort to minimize work interruption due to equipment failure by attempting to provide loaner equipment for the user.
Policy #9 - Internet Usage
(This policy is resident in its complete form in Xxxxxxxxxxx's Personnel Handbook, which is issued by the Human Resources Department.)
Procedure #9 - Internet Usage
Policy #10 - E-Mail Usage
(This policy is resident in its complete form in Xxxxxxxxxxx's Personnel Handbook, which is issued by the Human Resources Department.)
Procedure #10 - E-Mail Usage
Policy #11 - Response to Computer Viruses
Fileservers -
McAfee's NetShield is running on all corporate fileservers as an NLM (NetWare Loadable Module). Virus detection files are kept current via McAfee's BackWeb technology on Enterprise Fileservers. Retail Branch Fileservers are kept current by a manual copy of the most recent virus detection file. If a virus is detected, the network supervisor is notified.
Internet Gateway -
Guinevere (from Indecon, a Novell partner) is installed on the Internet Gateway on the GroupWise E-Mail Server. It scans incoming and outgoing e-mails (and attachments) for viruses and "returns to sender" any message with an infection. The intended recipient is notified that a message and/or attachment addressed to them was infected, detected by Guinevere and returned to the sender. If a virus is detected, the network supervisor is notified.
Workstations -
McAfee's VShield is running on all corporate workstations. The VShield version and virus detection files are kept current via a program developed by McAfee. This program file is e-mailed to users with instructions as to how to execute the program.
Procedure #11 - Response to Computer Viruses
1. Users should immediately cease to use the computer on which the virus is detected. Power the computer OFF.
2. Contact the Information Systems Department immediately.
3. The Information Systems Department will take appropriate corrective action, to include a quarantine of the suspect system and the use of "vaccine" software.
4. The Audit Department will be notified of the incident and any corrective action that was taken.
Policy #12 - User Support
Procedure #12 - User Support
Policy #13 - Data Encryption
Procedure #13 - Data Encryption
Policy #14 - Local Area Network (LAN) Access
Procedure #14 - Local Area Network (LAN) Access
Xxxxxxxxxxx
Third Party Applications/Programs - Risk Assessment
Overview:
Risks associated with the bank's third-party applications are reviewed annually by the I.S. Manager and the appropriate business unit managers. Access to (and removal from) third-party applications is kept current via cooperation between Human Resources personnel, I.S. personnel and the third-party application administrators (see Exhibits D and E - forms utilized to remove or re-evaluate users and access to particular third-party applications). Risks are minimized by the bank's use of various electronic and physical safeguards that seek to protect all network applications from internal and/or external threats. These safeguards are outlined - in detail - in the bank's Information Systems Policy and are included in the bank's Information Security Program (which is an addendum to the bank's Privacy Policy).
Assessments:
Important:
Two components of the Baker Hill One Point suite of software are licensed and utilized by Xxxxxxxxxxx. They are STAN and REACT. STAN automates financial analysis and projections, while REACT is used for exception tracking. The Baker Hill application resides on a Novell Network Server and is accessible to members of the Commercial Loan and Credit Administration Departments and a few other users throughout the bank. Commercial lenders are located at each of the bank's regional locations (i.e., Corporate Headquarters, Fall River Central, Plymouth Central, MV Central and Cape Central), and the database (which is stored at the Corporate Headquarters) is made accessible via the bank's Enterprise Wide Area Network.
Credit Revue
Important:
The Credit Revue application is a UNIX-based solution (utilizing a Progress database) which Xxxxxxxxxxx licenses from First American/CMSI to automate the processing and decisioning of its consumer loan products. The Credit Revue system is used extensively throughout the bank's Consumer Loan Department. Access to Credit Revue is limited to members of the Consumer Loan Department. The Database Administrator, Debra Sewell of the I.S. Department, maintains access to the Progress database but does not have access to the Credit Revue system's production module. She does maintain full access to the test module.
Critical:
The bank utilizes the Fin/ess General Ledger System, which is licensed software from First National Systems (FNS) of Cotuit, Massachusetts. This system includes all aspects of General Ledger accounting, including Fixed Assets, Accounts Payable and Safe Deposit Box modules. It resides on a Novell Network Server. The database engine utilized is Synergy, which is also licensed from FNS. The System Administrator, Matt Sylvia (VP - Financial), checks annually with FNS to ensure that the latest version of the software code is stored in escrow. Primary users of the Fin/ess system are within the Financial Division. However, Loan Operations and Deposit Operations also maintain limited access. Still others maintain "read only" access to some General Ledger reports.
Important:
The Ceridian Source 520 HR/Payroll system integrates human resources and payroll functionality. This application is licensed by the bank from Ceridian Corporation and is configured to be accessible to members of the Human Resources Department only. It is installed on a Windows NT server and its database engine is Microsoft Access.
Important:
Express Options is licensed software the bank utilizes to manage its Stock Option Program. It resides on a Novell Network Server and utilizes a Pervasive SQL database engine. Access to this program is limited to members of the Human Resources Department, the Financial Division and the Marketing Department (for investor relations reporting).
Express Options contains confidential information as it relates to those Directors and Officers who participate in the bank's Stock Option Program. Compensation information as well as social security numbers are stored in this system.
Important:
The Mortgage Management system is licensed software from Sound Software which is used by the bank to originate, process and close its residential mortgage loans. The program resides on Novell Network Servers at each of the bank's regional locations. The database resides at the corporate headquarters, and information is accessed via the bank's Enterprise Wide Area Network.
Important:
The Collections and Asset Recovery Management System (CARM) is licensed software from Intelligent Banking Solutions (IBS) utilized by the bank to streamline the delinquent loan collection process. It is used exclusively by the Managed Assets Group, and is administered by the bank's Vice President of the Managed Assets Group, Wayne Carvalho. CARM resides on a Novell Network server. Each morning a routine is executed in which xxxxxxxxxxx obtains a file of delinquent accounts from the data processing center's FTP server. This file is then indexed into CARM.
Important:
The Max$ell MCIF system is licensed software from Harland Corporation utilized by the bank's Marketing Department. The Max$ell MCIF system receives monthly updates of customer information from the bank's data processing center (via CD-ROM) and is regularly complemented with demographic information relative to the bank's customers. Max$ell resides on a Novell Network server.
Important:
The SMARTi system is licensed software from Filemark Corporation. The bank utilizes this system for COLD storage of its core processing reports from the NCR Starcom system, reports generated by the bank's ATM processor and reports generated by the bank's items processor. SMARTi utilizes a Sybase SQL database engine, and the databases and COLD reports reside on Novell Network Servers. All data is "read-only" and stored using a combination of hard disk storage on the bank's fileservers and WORM (write-once-read-many) disks housed in Hewlett Packard jukeboxes. This application is available to various users throughout the bank - primarily in Deposit Operations and Loan Operations.
Critical:
The Branch Management System (or BMS) is licensed software from the bank's core processor, NCR Corporation. This software is used extensively throughout the retail branch network. It provides teller and platform functionality in a DOS-based environment. Each branch has a gateway PC which is directly connected to a 9.6 channel on a 56kb line to pass transactions to the host (i.e., NCR). There is one "super" password for BMS, and this password is owned and maintained by the I.S. Department. (This does not mean that the I.S. Department can gain access to the host, however. It simply means that the I.S. Department has full functionality within the software.) This password is changed every six months by I.S. personnel. It is a labor-intensive process, as each branch fileserver must be remotely accessed to change this password. This "super" password is required when updates are made to the software.
Important:
Micro-upload is licensed software from Integrated Software Solutions, which is a partner of the bank's core system provider, NCR Corporation. It is used by the bank's Mortgage Lending, Consumer Lending, Loan Operations and Deposit Operations Departments. Access to the NCR host via Micro-upload is controlled by teller numbers, which are issued by the bank's Security Officer. Micro-upload is installed only on select PCs with unique terminal numbers. Transactions performed can be traced back to a particular terminal and teller via NCR's Terminal Proof Report. Access to the Micro-upload software and the appropriate level of teller access is requested in writing by the Department Manager.
Appendix A
1. Compaq (latest model available) with RAID 5 and redundant power supplies.
1. Compaq P4 or latest model available
2. Compaq P3 or latest model available
1. NEC 17" Color SuperVGA
1. Hewlett Packard (various models)
1. Hayes 56kb
2. Xircom 56kb (for notebook PCs)
Appendix B
1. Novell NetWare Version 5.1
2. Windows NT 4.X or Windows 2000 (typically driven by application vendor)
1. Windows 98
1. Microsoft Access for clients
2. Sybase or Oracle for servers
1. Microsoft PowerPoint
1. MS Office 2000 - Excel or Lotus Millennium
1. MS Office 2000 - Word or WordPerfect (version 6.1/8.0)
1. Microsoft PowerPoint
2. Harvard Graphics
1. Visio 2000
1. Visio 2000
1. McAfee (server & desktop)
1. BackupExec (server)