The Presidents/Chief Executives
All Banks/DFIs
Dear Sirs/Madam,
Guidelines on Information Technology Security
Today is the age of information
technology (IT) and the banking institutions, in order to
stay competitive, are taking maximum advantage of rapidly
evolving innovations in IT. They are fast incorporating
IT in their business processes to achieve efficiency, to
serve their customers satisfactorily and to expand &
modernize their product offerings. The term IT applies not
only to the stand-alone personal computers, networks and
Internet, but also to ATMs and other such machines. The
use of information technology creates new risks, and the
worst case would be the total disruption of service and
its consequential financial implications. Therefore, the
banks/DFIs need to understand the importance of risk management
with respect to information technology.
2. Keeping the above in view, the State Bank has prepared the
attached guidelines for IT Security and expects all banks/DFIs
to make adequate and reliable arrangements for IT Security.
These guidelines will provide a starting point to set practices
and procedures in place for enhancing IT Security. The attached
guidelines emphasize the commitment to IT Security and
provide guidance on the IT Security concept, Risk management,
IT Security policy and plan development, IT Security areas,
IT Security team, Awareness and training, Incident management,
Contingency and disaster recovery planning, Information
system audit and certification, and finally require the
banks/DFIs to have a well-functioning and reliable IT Security
system, which is working round the clock and is continuously
being improved.
3. It is pertinent to mention that the ultimate responsibility
for IT Security rests with the Board of Directors and the
Senior Management of the banks/DFIs. They must ensure that
the IT systems in their respective institutions have built-in
security capabilities to survive real-world threats. In
case banks/DFIs do not have in-house expertise, they may
like to engage outside IT consultants to prepare/assist
them in IT Security planning. Furthermore, the Pakistan Banks
Association will also organize training programs on the
subject to enable banks to build up their in-house capacity
in this area.
4. Banks/DFIs are advised to design and
review their IT systems in the light of the attached guidelines
within six months from the date of issue of this circular
to ensure that adequate IT Security arrangements are in
place. It may be noted that during the course of inspection
of banks/DFIs, our Banking Inspection Department will look
into the adequacy of such arrangements.
Please acknowledge receipt.