Circulars/Notifications - Banking Supervision Department  
BSD Circular No. 15 of 2004
September 29, 2004  

The Presidents/Chief Executives
All Banks/DFIs

Dear Sirs/Madam,

Guidelines on Information Technology Security

Today is the age of information technology (IT), and banking institutions, in order to stay competitive, are taking maximum advantage of rapidly evolving innovations in IT. They are fast incorporating IT in their business processes to achieve efficiency, to serve their customers satisfactorily and to expand and modernize their product offerings. The term IT applies not only to stand-alone personal computers, networks and the Internet, but also to ATMs and other such machines. The use of information technology creates new risks, and the worst case would be the total disruption of service and its consequential financial implications. Therefore, the banks/DFIs need to understand the importance of risk management [1] with respect to information technology.

2. Keeping the above in view, the State Bank has prepared the attached guidelines for IT Security and expects all banks/DFIs to make adequate and reliable arrangements for IT Security. These guidelines will provide a starting point to set practices and procedures in place for enhancing IT Security. The attached guidelines emphasize the commitment to IT Security and provide guidance on the IT Security concept, risk management, IT Security policy and plan development, IT Security areas, the IT Security team, awareness and training, incident management, contingency and disaster recovery planning, and information system audit and certification. Finally, they require the banks/DFIs to have a well-functioning and reliable IT Security system, which is working round the clock and is continuously being improved.

3. It is pertinent to mention that the ultimate responsibility for IT Security rests with the Board of Directors and the Senior Management of the banks/DFIs. They must ensure that the IT systems in their respective institutions have built-in security capabilities to survive real-world threats. In case banks/DFIs do not have in-house expertise, they may like to engage outside IT consultants to prepare/assist them in IT Security planning. Furthermore, the Pakistan Banks Association will also organize training programs on the subject to enable banks to build up their in-house capacity in this area.

4. Banks/DFIs are advised to design and review their IT systems in the light of the attached guidelines within six months from the date of issue of this circular to ensure that adequate IT Security arrangements are in place. It may be noted that during the course of inspection of banks/DFIs, our Banking Inspection Department will look into the adequacy of such arrangements.

Please acknowledge receipt.


Enclosed: Guidelines on Information Technology Security

Yours faithfully,


[1] In order to understand supervisory expectations and guidance on E-Banking, please refer to ‘Risk Management Principles of Electronic Banking’ of Basel Committee of Banking Supervision, issued in July 2003.
