Offer Document No.03/2020-21 Page 1 of 32

STATE BANK OF INDIA INTERNAL AUDIT DEPARTMENT, CORPORATE CENTRE, HYDERABAD

Offer Document No. IAD/ISA/RFP/2020-21/03 dated 03-Oct-2020

OFFER DOCUMENT FOR INVITING BIDS FROM IAD’s EMPANELED ISSPs

Please refer to our RFP No. SBI/IAD/ISA/RFP/2020-21/01 dated 13/04/2020 vide which you have been empaneled for conducting IS and IT Audits. We propose to get the following audits / assurance assignments / assessments conducted by our empanelled IS audit firms and invite indicative commercial bids and tentative man-days for the same:

A) Information Systems Audit of Bank’s IT Departments (15 Departments and 2 Special Audits)* and associated vendor audits;

B) Independent Assurance on Bank’s IS Audit function (RBI’s Gopalakrishna Committee recommendations);

C) Dual Standard Audit (SSAE18 & ISAE3402) for 24 countries*

Eligibility and Technical Criteria for Dual Standard Audit: The Company should be authorized to sign SSAE18 and ISAE3402 Audit reports, or the Auditor signing the report should be a CPA registered with AICPA. Appropriate proof of CPA registration should be submitted. Bidders who desire to participate should send suitable evidence via email before submission of indicative commercial bids.

D) Assessment of SWIFT Infrastructure against SWIFT Customer Security Controls Framework (CSCF) V2020.*

*General Condition: The ISSP who conducted a particular audit / IS Audit of an IT department for 2019-20 will not be eligible to bid for that audit / department in this bidding process.

The detailed Scope of audit is given in Annexure-I.

2. Submission of bids & Selection of L1 bidder:

The empaneled bidders are invited to submit their indicative commercial bids and tentative number of man-days to complete the above audits, in the Bid format (Annexure-II) online on https://etender.sbi. The L1 bidder will be selected based on Commercial bid or Reverse Auction, depending upon the value of audit (refer section 15 (iv) of RFP for empanelment). For this RFP, Reverse Auction will be conducted. The number of man-days quoted includes all the audit activities, such as pre-audit activities, field inspection and post-audit activities, and preparation and submission of the report. The audit assignment also includes a Post Audit Compliance Review after submission of the first ATR by the auditee. The bidder must complete the scope of audit irrespective of the number of man-days quoted by them. The team of resources deployed should have CISA qualification and have experience and knowledge in the field.

3. Pre-bid queries and last date for submission of bids:

a) Pre-bid queries, if any, may be sent via email to [email protected] latest by 05:00 PM on 08-Oct-2020.
b) Response to pre-bid queries will be provided on or before 12-Oct-2020.
c) The bids will be submitted online on https://etender.sbi latest by 05:00 PM on 16-Oct-2020.
d) The bidders who have not submitted EMD and Non-Disclosure Agreement (NDA) till 07-Oct-2020, as prescribed in our Offer Document No. IAD/ISA/RFP/2020-21/02 dated 31-Aug-2020, will not be eligible to participate in this RFP.

4. Bank Guarantee:

i. As Performance Guarantee, the successful bidder should submit a Bank Guarantee [BG] for 20% of contract value, valid for 15 months (12+3), as defined in Appendix-E of the RFP. The BG is to be issued by a Scheduled Commercial Bank other than SBI and needs to be submitted by the bidder within the specified time after receipt of formal communication on their selection from the Bank. In case SBI is the sole Banker for the Bidder, a Letter of Comfort from SBI may be accepted.

ii. The Bank Guarantee is required to protect the interest of the Bank against the risk of non-performance by the Service Provider in respect of successful implementation of the project and/or failing to perform / fulfil its commitments / obligations in respect of providing Services as mentioned in this RFP, or breach of any terms and conditions of the RFP, which may warrant invoking of the Bank Guarantee.

5. Out of Pocket expenses:

The price quoted will be exclusive of Taxes. Outstation Travel, out of pocket/Lodging/Boarding expenses will be reimbursed on actual basis to a maximum of ₹4000/- per day per person for metro and state capitals and ₹2500/- per day per person for other locations. Air Travel will be reimbursed on actual for Economy class lowest fare.

6. Payment Terms:

1. The payment will be made in arrears in two stages against submission of invoice on completion of Audit. First payment of 75% of the contract value of audit will be paid on submission of the final audit report and the remaining 25% will be released on submission of the Post Audit Compliance Review report.
2. The applicable TDS will be recovered from the invoice amount while making payments and Form-16 will be issued in due course.

7. Commencement of Audit:

The actual date of commencement of audit will be advised to the successful bidder immediately after declaration of the Reverse Auction result. The audit should ordinarily be completed within the timeframe specified in the scope of audit.

8. Terms and Conditions:

a) Service Level Agreement, as defined in Appendix-G of the RFP, will be signed by the L1 bidder, on appropriate stamp paper as per the Stamp Act of the local State Govt. where the SLA is signed, within 7 days from receipt of Purchase Order and/or before commencement of Audit.
b) All other terms and conditions are as per the above-referred RFP. Bidders may seek clarifications, if any, through email id: [email protected].
c) Bank reserves full right to cancel the offer, bidding process etc., at any stage, without assigning any reason/s.

State Bank of India, IS Audit Wing, Internal Audit Department, Corporate Centre, Hyderabad – 500 019.
Date: 03-Oct-2020
Deputy General Manager (IS Audit)

Schedule of Events

1. Contact details of issuing department (Name, Designation, Mobile No., Email address for sending any kind of correspondence regarding this RFP):
   Name: Shri Vinay N. Shah; Designation: Asst. Gen. Manager (IS Audit); Contact No.: +91-8897355700; Email: agmisaudit.imad[at]sbi.co.in

2. Bid Document Availability including changes/amendments, if any, to be issued:
   The Offer document has been shared with all empanelled vendors through email. The Offer document is also uploaded on Bank’s website https://bank.sbi under procurement news and on https://etender.sbi from 03-Oct-2020 to 16-Oct-2020.

3. Last date for requesting clarification: Up to 05:00 PM on 08-Oct-2020. All communications regarding points / queries requiring clarifications shall be given by e-mail.

4. Pre-bid Meeting (venue): No pre-bid meeting will be conducted.

5. Clarifications to queries will be provided by the Bank: On 12-Oct-2020

6. Last date and time for Bid submission: Up to 5.00 PM on 16-Oct-2020

7. Address for submission of Bids: Indicative commercial Bids to be submitted online on https://etender.sbi

8. Date and Time of opening of Indicative Price Bids: 05:30 PM on 16-Oct-2020

9. Reverse Auction: On 19-Oct-2020 or on a date which will be communicated by us.

10. Tender Fee: NIL

11. Bank Guarantee: 20% of contract value. Please refer para No.4 of this document.

12. Contact details of agency appointed for conducting Reverse Auction: M/s. e-Procurement Technologies Limited, Ahmedabad.
   1. Imtiyaz Tajani, 079 – 6813 6831, [email protected]
   2. Ekta Maharaj, 079 – 6813 6852, [email protected]
   3. Salina Motani, 079 – 6813 6843, [email protected]
   4. Sujith Nair, 079 – 6813 6857, [email protected]
   5. Deepak Narekar, 079 – 6813 6863, [email protected]

   6. Jainam Belani, 079 – 6813 6820, [email protected]
   7. Devang Patel, 079 – 6813 6859, [email protected]

13. Delivery schedule / Timeline: As specified against each Audit in Annexure-I.

14. Terms of payment: 75% on submission of final report and 25% on submission of Post Audit Compliance Review Report.

15. Delivery locations: Mumbai or as per Unit’s location.

Annexure-I

Scope of Audit

A. Information Systems Audit of Bank’s IT Departments (17 Audits)

Details of IT Departments, No. of Applications and No. of Vendor Audits:

S. No  Department Name                                                    No. of Applications handled  No. of Vendor Audits
1      Core Banking Development (CB-Dev)                                  12                           2
2      Core Banking – Technical Operations (CB-Tech Ops)                  8                            25
3      Data Centre and Cloud Services (DC & CS)                           3                            10
4      Enterprise Integration Services (EIS)                              3                            5
5      ePay & PG                                                          4                            17
6      Internet Banking (INB)                                             11                           17
7      IT ATM                                                             13                           41
8      IT Foreign Offices (IT FO)                                         23                           48
9      IT Networking & Communications                                     8                            78
10     IT Trade Finance                                                   3                            2
11     Mobile Banking                                                     7                            11
12     Payment Systems                                                    12                           21
13     Special Projects I                                                 21                           19
14     Special Projects II                                                18                           24
15     Security Operations Centre                                         4                            1
16     System & Application Audit of Bank’s UPI as per NPCI guidelines    1                            -
17     Special Audit of CCDP – March 21 (Data of Sep. ’20)                1                            -

** Increase / Decrease in the applications during audit – The per-application rate will be arrived at after finalizing the L1 price, and that rate will be applied for any addition / deletion to the list of applications managed by a department as on the date of audit.

Information Systems Audit will cover all Information Systems (IS) assets, viz., hardware, systems software, applications software, communication systems, facilities, people (knowledge / skills), data, system documentation and supplies etc., whether acquired / developed and / or maintained in-house or by outsourced vendors and used with fully automated Information Systems processes or Business processes supported by Information Technology (IT), including the related interfaces and manual processes. Insider threats and cybersecurity threats will also be covered during IS Audit.

Timeline: 40 man-days max for one audit (from date of Purchase Order)

Scope: The scope of IS Audit of Bank’s IT departments is based on Bank’s IT Policy & Standards, IT Procedure and Guidelines, IS Policy & Standards, IS Procedure and Guidelines, Cyber Security Policy & Standards, Cyber Security Procedure and Guidelines and Cyber Crisis Management Plan. The scope described hereafter is illustrative but not exhaustive. Bidders are expected to update and include additional relevant items in these activities to conform to global best practices and the currently available knowledge base. The scope may also undergo changes/updates due to implementation of new products, projects, configuration requirements, business needs, legal and regulatory requirements etc.

1.1 The scope of Information Systems Audit is to determine:

• The effectiveness of planning and oversight of IT activities.
• The adequacy of operating processes and internal controls.
• The adequacy of enterprise-wide compliance efforts related to IS, IT and Cyber Security policies and internal control procedures.
• Areas with deficient internal controls, recommending corrective action to address deficiencies and following up to ensure that management effectively implements the required actions.
• Whether the IS risks are appropriately identified and managed, and whether the controls and risk management processes are adequate and implemented as per the instructions issued by the Bank from time to time.

1.2 It will also make reviews to examine if:

1.2.1 The objectives of Confidentiality, Integrity and Availability of data are maintained as per the requirement and the legal and regulatory requirements are complied with.
1.2.2 The Information Systems resources are acquired economically, justifiably, used efficiently and protected adequately to effectively achieve the Bank’s business objectives.
1.2.3 Review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces among them.
1.2.4 Evaluate the appropriateness of the Risk Management exercise done by the Asset Owners and the Control Self-Assessment. The IS Audit should cover the areas specified by RBI. IS Auditors will also verify the adequacy of Business Continuity Planning (BCP) arrangements, periodical Vulnerability Assessment and Penetration Tests (VAPT) and corrective measures taken by the concerned departments. For the scoped audit, the Bank will conduct a Vulnerability Assessment and the report will be shared with the auditor.
1.2.5 The Information Systems Audit will include audit of all processes/systems using IT in any form, and such audit, either alone or as a part of other audits, will always examine the level of compliance with the Bank’s current IT Policy & Standards, Information Security Policy & Standards, Cyber Security Policy and Cyber Crisis Management Plan.

1.3 The scope will also include various RBI guidelines issued from time to time, as under:

1.3.1 Mobile Banking Transactions in India – compliance with Operative Guidelines for Banks vide RBI Master Circular DPSS.CO.PD.MobileBanking.No./2/02.23.001/2016-2017 dated 01.07.2016 or the current Master Circular as on the date of Audit. This forms part of IS Audit of Mobile Banking Department.
1.3.2 Business Continuity Planning (BCP), Vulnerability Assessment and Penetration Tests (VAPT) and Information Security vide RBI Circular DIT.CO(Policy) No. 2636/ 09.63.025/2012-13 dated 21.01.2013, and the critical components of the Business Continuity Management Framework as enunciated in the report of the Working Group on information security, electronic banking, technology risk management, and cyber frauds. This is applicable to all the auditee entities.
1.3.3 Security and Risk Mitigation Measures for Electronic Payment Transactions vide RBI Circular DPSS (CO) PD No.1462 / 02.14.003 / 2012-13 dated 28.02.2013 and other/latest instructions/guidance issued by RBI. This is applicable to ATM, Internet Banking, Mobile Banking, and Payment Systems Group Departments.
1.3.4 Master Circular on Credit Card, Debit Card and Rupee Denominated Co-branded Prepaid Card operations of Banks vide RBI Circular No. RBI/2015-16/31 DBOD.No.FSD.BC.18/24.01.009/2015-16 dated 1st July, 2015 or the latest instructions / guidance issued by RBI. (Credit Card is not within the scope of this RFP.) This is applicable to ATM Department.
1.3.5 RBI Notification No. RBI/2016-17/178 DPSS.CO.CSD.No.1485/01.08.005/2016-17 dated 9th December, 2016 on Security and Risk Mitigation measure – Technical Audit of Prepaid Payment Instrument issuers. This is applicable to ATM. A separate Audit report on Prepaid Payment Instrument Issuers will be issued.

1.4 Special Audit of CCDP Application, which is part of Development-Core Banking Department. The scope is as under:

1.4.1 Special audit before March to ensure stabilization of the new CCDP process put in place for reporting Non-Performing Assets (NPAs). Report to be given before 20th March. The specific scope of CCDP application is as under:
i. Change Management System for CCDP
ii. Process flow for implementation of changes made during the last year.
iii. Logic for NPA classification and Provisioning and extent of compliance with the current RBI Master Circular on Prudential Norms on Income Recognition, Asset Classification and Provisioning pertaining to Advances.
iv. Various provisions of RBI Master Circulars are complied with in CBS and/or CCDP.
v. Changes made in Asset Classification and Date of NPA in CCDP are reflected in CBS.
vi. Comparison of CBS NPA figures and CCDP NPA figures.
vii. Suitable checks are in place for upgrading/downgrading Asset Classification of Accounts in CCDP.

1.4.2 In addition, certification covering the following specific points is to be given:
i. Borrower-wise NPA logic is as per the extant guidelines.
ii. Borrower-wise restructuring logic is as per the extant guidelines.
iii. Provisioning in respect of unsecured ab-initio is as per the extant guidelines.
iv. Extant logic for classification of NPA as ‘Doubtful Assets’ is in place where the erosion in the realizable value of security is more than 50% of the value assessed by the bank or accepted by RBI at the time of last inspection, as the case may be.
v. Extant logic for classification of NPA having security less than 10% of the outstanding as ‘LOSS Assets’ is in place.
vi. Oldest NPA date is stamped in all accounts of a Borrower within a branch as per the Borrower-wise NPA rule.

1.5 IT General Controls Audit: Assess whether the data processing that takes place in systems and IT occurs in a controlled environment, supporting data integrity and security. Scope of work for IT General Controls Review:

1. Change Management – To provide reasonable assurance that only appropriately authorized, tested, and approved changes are made to in-scope systems. The following attributes need to be tested with appropriate evidence:
a. All changes are authorized, tested, approved and monitored
b. Responsibilities are appropriately segregated
c. Procedures for Emergency changes

2. Logical Access – To determine that only authorized persons have access to data and applications (including programs, tables, and related resources) and that they can perform only specifically authorized functions. The following attributes need to be tested with appropriate evidence:
a. General Security settings with respect to Application, Operating System and Database
b. Privileged User Management
c. Procedures for New User setup, Terminated Users, Transfers
d. User Access Reviews
e. Segregation of Duties

3. Backup Management – To determine that the data supporting business information is properly backed up so that it can be accurately and completely recovered if there is a system outage or data integrity issue. The following attributes need to be tested with appropriate evidence:
a. Backup and Recovery
b. Job Scheduling

4. Entity Level Controls – To determine the adequacy of internal controls that help ensure that management directives pertaining to the entire entity are carried out. The following attributes need to be tested with appropriate evidence:
a. Quality Assurance Management process review
b. Management review and governance over systems performance
c. Presence of adequate policy and procedures documents and adherence to them

d. Review of previous audit / test reports and the actions taken on the recommendations

5. Others – Review the following:
a. Audit logging and review mechanism
b. Patch Management procedures
c. Antivirus Management

1.7 Vulnerability Assessment

SBI expects an authenticated but non-destructive vulnerability assessment to be carried out. The Bidder should be able to cover a broad range of systems such as Operating systems (Windows, Linux (all flavours), AIX, HP UX etc.), Databases (MySQL, MSSQL, Oracle etc.), Web servers (Apache, Tomcat, IIS etc.), Network devices (Routers, Switches, Gateway, Proxy etc.) and Security devices (Firewalls, IDSs, IPSs, etc.). Bidders are expected to conduct the audit against the standard configuration document that the bank has created, as also the latest global standards and industry best practices. In case any new asset is identified during project execution, the Bidder is expected to develop the checklist and conduct the assessment.

Scope of work for Vulnerability Assessment

i. General aspects for all systems
• Access control and authentication
• Network settings
• General system configuration
• Logging and auditing
• Password and account policies
• Patches and updates

ii. Specific requirements for Server/OS Configuration Audit
• File system security
• Account Policies
• Access Control
• Network Settings
• System Authentication
• Logging and Auditing
• Patches and Updates
• Unnecessary services
• Remote login settings

iii. Configuration Audit of Networking & Security Devices
• Access Control
• System Authentication
• Auditing and Logging
• Insecure Dynamic Routing Configuration
• Insecure Service Configuration
• Insecure TCP/IP Parameters
• System Insecurities
• Unnecessary services
• Remote login settings

• Latest software version and patches

iv. Database Configuration Audit
• Database Account Authentication
• Password Policy
• Database Account Privileges
• Database Auditing
• Database Logging and Tracing
• Database Network Access Mechanism
• Database Patching
• Database Files and Directories Permission
• Access control and authentication
• Unnecessary services
• Remote login settings
• Patches and updates

v. Security configuration of desktops and laptops that are used by the business users can be performed on a sampling basis (say 10% of the total Assets in the concerned Dept.) as per the Bank’s requirements, to ensure that Active Directory Services are effectively implemented in the Department concerned.

1.8 Penetration testing

The objective of the assessment is to determine the effectiveness of the security of the organization’s infrastructure and its ability to withstand an intrusion attempt. This may be achieved by conducting both reconnaissance and a comprehensive penetration test. This will provide good insight as to what an attacker can discover about the network and how this information can be used to further leverage attacks. The security assessment should use industry standard penetration test methodologies (like OSSTMM, ISSAF etc.) and scanning techniques, and will focus on applications. The application tests should cover, but not be limited to, the OWASP Top 10 attacks.

Scope of work for Penetration Testing:
1. Tests for default passwords
2. Tests for DoS vulnerabilities
3. Test for directory traversal
4. Test for insecure services such as SNMP
5. Check for vulnerabilities based on version of device/server
6. Test for SQL, XSS and other web application related vulnerabilities
7. Check for weak encryption
8. Check for SMTP related vulnerabilities such as open mail relay
9. Check for strong authentication scheme
10. Test for sample and default applications/pages
11. Check for DNS related vulnerabilities such as DNS cache poisoning and snooping
12. Test for information disclosure such as internal IP disclosure
13. Look for potential backdoors
14. Check for older vulnerable version
15. Remote code execution
16. Weak SSL Certificate and Ciphers
17. Missing patches and versions
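The certification points in 1.4.2 above (borrower-wise NPA date stamping, the 50% security-erosion test for Doubtful assets, the 10%-of-outstanding test for Loss assets) and the CBS-vs-CCDP comparison in 1.4.1 (vi) can be recomputed independently of CCDP as an audit test over an account extract. The following is an added example, not SBI's or CCDP's code: its record layout, field names and sample figures are constructed, and the order in which the Loss and Doubtful tests are applied is an assumption, since the page lists both tests but not their precedence.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added audit example, not SBI's or CCDP's code. Record layout, field names and
# figures are constructed. Applying the Loss test before the Doubtful test is an
# assumption; the page lists both tests (1.4.2 iv, v) but not their precedence.

@dataclass
class Account:
    branch: str
    borrower: str
    acct: str
    outstanding: float
    security_assessed: float    # value assessed by the bank / accepted by RBI at last inspection
    security_realisable: float  # current realisable value of the security
    npa_date: Optional[date]    # date this account itself turned NPA; None = not NPA on its own
    ccdp_class: str             # classification as reported by CCDP (constructed)
    ccdp_npa_date: Optional[date]

Key = Tuple[str, str]  # (branch, borrower)

def oldest_npa_dates(accounts: List[Account]) -> Dict[Key, date]:
    """Borrower-wise rule (1.4.2 vi): per branch and borrower, the oldest NPA date
    among the borrower's accounts; it must be stamped on all of them."""
    oldest: Dict[Key, date] = {}
    for a in accounts:
        if a.npa_date is not None:
            key = (a.branch, a.borrower)
            if key not in oldest or a.npa_date < oldest[key]:
                oldest[key] = a.npa_date
    return oldest

def expected_class(a: Account, effective_npa: Optional[date]) -> str:
    """Recompute the classification from the two tests named in 1.4.2 iv and v."""
    if effective_npa is None:
        return "STANDARD"
    # 1.4.2 v: security less than 10% of the outstanding -> Loss asset
    if a.security_realisable < 0.10 * a.outstanding:
        return "LOSS"
    # 1.4.2 iv: erosion in realisable value more than 50% of assessed value -> Doubtful
    erosion = a.security_assessed - a.security_realisable
    if erosion > 0.50 * a.security_assessed:
        return "DOUBTFUL"
    return "NPA_OTHER"  # NPA meeting neither test; this bucket name is ours, not the page's

def audit_ccdp(accounts: List[Account]) -> List[str]:
    """Compare CCDP's class and NPA date with the recomputation; empty list = no exceptions."""
    oldest = oldest_npa_dates(accounts)
    exceptions: List[str] = []
    for a in accounts:
        eff = oldest.get((a.branch, a.borrower))
        want = expected_class(a, eff)
        if a.ccdp_class != want:
            exceptions.append(f"{a.acct}: CCDP class {a.ccdp_class}, expected {want}")
        if a.ccdp_npa_date != eff:
            exceptions.append(f"{a.acct}: CCDP NPA date {a.ccdp_npa_date}, expected {eff}")
    return exceptions

def npa_outstanding(accounts: List[Account], per_ccdp: bool) -> float:
    """Total outstanding on NPA accounts, either as CCDP reports them or as recomputed.
    1.4.1 (vi) asks for CCDP's NPA figures to be compared with CBS; a CBS extract would
    be totalled the same way and the two figures reconciled."""
    oldest = oldest_npa_dates(accounts)
    total = 0.0
    for a in accounts:
        if per_ccdp:
            is_npa = a.ccdp_class != "STANDARD"
        else:
            is_npa = oldest.get((a.branch, a.borrower)) is not None
        if is_npa:
            total += a.outstanding
    return total

# Constructed sample extract: two branches, figures in arbitrary units.
SAMPLE = [
    Account("B1", "BR1", "A1", 100, 80, 70, date(2020, 3, 31), "NPA_OTHER", date(2020, 3, 31)),
    Account("B1", "BR1", "A2", 50, 60, 60, None, "STANDARD", None),   # borrower-wise stamping missed
    Account("B1", "BR2", "A3", 200, 100, 40, date(2019, 12, 31), "DOUBTFUL", date(2019, 12, 31)),
    Account("B1", "BR3", "A4", 100, 50, 5, date(2019, 6, 30), "DOUBTFUL", date(2019, 6, 30)),  # should be LOSS
    Account("B2", "BR1", "A5", 30, 40, 40, None, "STANDARD", None),   # same borrower, other branch
]

if __name__ == "__main__":
    for line in audit_ccdp(SAMPLE):
        print(line)
    print("NPA outstanding per CCDP:", npa_outstanding(SAMPLE, per_ccdp=True))
    print("NPA outstanding recomputed:", npa_outstanding(SAMPLE, per_ccdp=False))
```

On the sample, A2 is flagged twice (class and missing oldest-NPA stamping), A4 once (Loss reported as Doubtful), and A5 stays Standard because the borrower-wise rule applies within a branch only.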

1.9 General Process Audit: Assess whether the data processing that takes place in systems and IT occurs in a controlled environment, supporting data integrity and security. Scope of work for general process audit is as under: The activity includes detailed assessment of the following:

• Assess the controls implemented in the system for: Input, Processing, Output, Functionality

• Logical Access Controls - Review all types of Application Level Access Controls including proper controls for access logs and audit trails for ensuring Sufficiency & Security of Creation, Maintenance and Backup of the same. Only authorized users should be able to edit, input or update data in the applications or carry out activities as per their role and/or functional requirements

• Assess sufficiency & accuracy of event logging, adequacy of Audit trails, SQL command prompt usage, database level logging etc.

• Assess interface controls - Application interfaces with other applications and security in their data communication.

• Assess authorization controls such as Maker Checker, Exceptions, Overriding exception & Error condition.

• Assess Data integrity & File Continuity Controls

• Assess controls for user maintenance and verify that password policies are followed as per the bank’s IT & IS security policy, with special attention to the use of hardcoded User Ids & Passwords

• Assess controls for segregation of duties and accesses of production staff and development staff with access control over development, test and production regions.

• Review of all types of Parameter maintenance and controls implemented.

• Assess controls for change management procedures including testing & documentation of changes.

• Identify gaps in the application security parameter setup in line with the bank’s security policies and leading best practices

• Audit of management controls including systems configuration/ parameterization & systems development.

• Audit of controls over operations including communication network, data preparation and entry, production, file library, documentation and program library, Help Desk and technical support, capacity planning and performance, Monitoring of outsourced operations.

• Review of customizations done to the Software & the SDLC Policy followed for such customization.

• Verify adherence to Legal & Statutory Requirements

• Provide suggestions for segregations of Roles/Responsibilities with respect to Application software to improve internal controls

• Review of documentation for formal naming standards, design process of job roles, activity, groups, profiles, assignment, approval & periodic review of user profiles, assignment & use of Super user access.

• Check the sufficiency and coverage of UAT test cases, review of defects & the tracking mechanism deployed by the Bidder & resolution including re-testing & acceptance.

• Backup/ Fallback/ Restoration/ Recovery & Restart procedures

The above should be done in consonance with standards like ISO 27001, Bank’s current IT, IS & Cyber Security Policies, legal & regulatory requirements and global best practices.

1.10 Vendor Risk Assessment

Outsourced Audit of the IT Vendor supporting the application is included in the scope of audit of IT departments. The relative Audit Format template will be shared with the Auditor by IS Audit Wing.

1.11 Application Security

Scope of Work for Application Security Assessment

Technical Assessment
1) The assessment should cover both business logic and technical risks.
2) The assessment report should contain a detailed threat list of the application. The threat list should contain the possible risks to the application from both a business and a technical aspect.
3) The tester should attempt to identify and exploit vulnerabilities that include the OWASP Top 10, including:
• Input validation
• Cross site scripting
• SQL injection
• Cookie modification
• Code execution
• Buffer overflow
• URL manipulation
• Authentication bypass
• File upload vulnerabilities
• Secure implementation of features such as forgot password, password policy enforcement, CAPTCHA etc.
• Session hijacking
• CSRF
• Privilege escalation
4) The report should show the risk to the business based on any exploits that were found.
5) The assessment report should contain a test plan that shows what tests were conducted and their status.

Process Assessment
1) Authorization and Segregation of Duties Controls
• Understand how system entitlements are used to enforce segregation of duties or authorized transactions.
• Perform sample testing of user application entitlements to confirm appropriate segregation of duties is enforced by the system (in a test environment).

• Perform sample testing of user application entitlement to ensure access to enter, approve, and/or modify transactions, data, or system configurations is restricted to authorized personnel (in a test environment).
• Populate the issue and findings log with the gaps / deviations / issues noted (if any).

2) Assessment of Role based Security for Applications under scope
• Review of user creation / modification / deletion / maintenance procedures for the in-scope applications
• Review of privileged access rights granted to application and system administrators, service providers and vendors
• Assess the process for review of user logs for administrator and system users
• Review ongoing monitoring of effectiveness of implemented procedures and controls
• Perform sample testing of application entitlement to ensure access to enter, approve, and/or modify transactions, data, or system configurations is restricted to authorized personnel.
• Review of account and password policy including controls such as:
  • Users are assigned unique accounts
  • Adequate passwords are maintained, e.g. alphanumeric, minimum number of characters etc.
  • Periodic password changes and preventing repeated use of passwords
  • Implementation of the password policy at system and application levels
  • Account lockout policy for disabling user accounts after a limited number of unsuccessful login attempts
• Segregation of duties controls / maker-checker controls through appropriate design and implementation of user roles / profiles.
• Understand how system entitlements are used to enforce segregation of duties or authorized transactions.
• Perform sample testing of the application's entitlements to confirm appropriate segregation of duties is enforced by the system (in a test environment).
• Understand how unsuccessful access attempts to applications in scope are logged and monitored.
• Review the implementation and effectiveness of user access management in applications in the event of leaves.
• Review the segregation of development, production and test environments of applications
• Understand the manpower deployment for application maintenance
• Based on the control design weaknesses identified above, identify the areas for conducting forensic study.

3) Others
• Review the audit trail features of the applications in scope, understand how the audit trail reports are reviewed by SBI to detect errors, and understand how the reported errors are corrected in a timely manner.
• Review the maintenance and storage of audit trails and logs in order to assess whether the same can be used for forensic study if required by SBI.
• Understand the legal and statutory requirements related to using the applications in scope
• Review other related procedures, namely backup, change management, escrow arrangement for source code and risk management processes for the applications in scope.
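The entitlement sample test and the segregation-of-duties check asked for in 2) can be scripted over a user-to-role extract. The Python below is an added example, not part of the offer document and not SBI or vendor tooling; the role names, function codes, user IDs and maker/checker conflict pairs are constructed for illustration, and a real test would load the application's own entitlement export in their place.

```python
"""Segregation-of-duties sample test over an application entitlement extract.

Added example (not from the SBI offer document): given a user-to-role extract
and the maker/checker function pairs the application must keep apart, list
every user whose combined roles grant both sides of a pair. All role names,
function codes and user IDs below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: the transaction functions each application role grants.
ROLE_FUNCTIONS = {
    "TELLER":         {"TXN_ENTER", "CUST_VIEW"},
    "SUPERVISOR":     {"TXN_APPROVE", "CUST_VIEW"},
    "USER_ADMIN":     {"USER_CREATE", "USER_MODIFY"},
    "USER_ADMIN_CHK": {"USER_APPROVE"},
    "SYS_ADMIN":      {"CONFIG_MODIFY"},
    "CONFIG_CHK":     {"CONFIG_APPROVE"},
}

# Constructed sample: user entitlement extract (user ID -> roles held).
USER_ROLES = {
    "u1001": {"TELLER"},
    "u1002": {"SUPERVISOR"},
    "u1003": {"TELLER", "SUPERVISOR"},          # enters and approves transactions
    "u1004": {"USER_ADMIN", "USER_ADMIN_CHK"},  # creates and approves user IDs
    "u1005": {"SYS_ADMIN"},
    "u1006": {"TELLER", "LEGACY_OPS"},          # role absent from the role map
}

# Maker/checker pairs that a single user must never hold together.
SOD_CONFLICTS = [
    ("TXN_ENTER", "TXN_APPROVE"),
    ("USER_CREATE", "USER_APPROVE"),
    ("USER_MODIFY", "USER_APPROVE"),
    ("CONFIG_MODIFY", "CONFIG_APPROVE"),
]


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles, plus the set of
    roles that have no mapping. An unmapped role is returned rather than
    silently ignored: the tester cannot assert what it grants."""
    funcs, unmapped = set(), set()
    for role in user_roles.get(user, set()):
        if role in role_functions:
            funcs |= role_functions[role]
        else:
            unmapped.add(role)
    return funcs, unmapped


def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                   conflicts=SOD_CONFLICTS):
    """Return {user: [(maker, checker), ...]} for every user whose effective
    entitlements contain both sides of a conflict pair. Unmapped roles are
    reported under the same user as ("UNMAPPED_ROLE", role names)."""
    findings = defaultdict(list)
    for user in sorted(user_roles):
        funcs, unmapped = effective_functions(user, user_roles, role_functions)
        for maker, checker in conflicts:
            if maker in funcs and checker in funcs:
                findings[user].append((maker, checker))
        if unmapped:
            findings[user].append(("UNMAPPED_ROLE", ",".join(sorted(unmapped))))
    return dict(findings)


if __name__ == "__main__":
    for user, issues in sod_violations().items():
        for left, right in issues:
            print(f"{user}: {left} + {right}")
```

On the constructed data the test flags u1003 (enters and approves transactions), u1004 (creates and approves user IDs) and u1006, whose LEGACY_OPS role has no known function mapping. Conflicts are evaluated on the union of all roles a user holds, which is where real SoD breaks usually hide: each role looks clean on its own.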


1.12 Data Governance
Scope of work:
1. Review of existing Data Classification
2. Perform a data risk assessment to identify security loopholes through which data can leak

1.13 Mobile Application Protection
Identify and verify mobile application security vulnerabilities against industry global standards such as OWASP, PCI DSS compliance, RBI, MPFI etc.
Scope of Work for Mobile Application Protection:
• Perform assessments to identify vulnerabilities that can be exploited using applications on mobile phones, for both registered and anonymous users
• Understand the features and functions in the application
• Create a detailed threat profile and a test plan
• Perform automated and manual tests such as HTML source code analysis, SQL injection, session hijacking, LDAP injection, authentication bypass etc.
• Assess adequacy, generation & availability of reports for accounting, regulatory, statutory, reconciliation, MIS & statistical purposes covering all Mobile Banking transactions
• Check adherence to operational / statutory guidelines issued by RBI & other regulatory bodies w.r.t. the Mobile Banking Application
• Perform audit of the various functionalities provided in the application, such as fund transfer, transactions & queries, cheque book related etc.
• Perform verification of the detailed security procedures & processes of the Mobile Banking Solution provider as part of the existing operational rules & regulations covering transaction, data & operational security setup, and establish the adequacy of the same w.r.t. the current setup.
• Check adequacy of operational security features through access control, user rights, logging, data integrity, accountability, auditability etc. for the Mobile Application Solution
• Check adequacy of MPIN management controls (generation, re-generation, authorization, verification etc.) of Mobile Banking & key management features.
• Conduct audit of various security features including but not limited to handset security features, transaction level security features, platform security & reliability features including database, network & transmission security features, registration features, administration portal features, call logging, tracking & dispute resolution features etc.
• Perform analysis / verification of audit logs / audit trails of transactions, exception list, incident management report etc.

1.14 The professional agencies, apart from submission of the audit findings, should be in a position to recommend suitable remedial measures / alternate solutions leveraging the Bank's existing IT infrastructure.

1.15 Specific areas of Bank's concern:


1.15.1 Software Development:
1.15.1.1 Whether standard software development and testing processes have been adopted to ensure that the product meets the requirements of the User Department and has the necessary process / security controls built in.
1.15.1.2 Whether version control of software source code is maintained, and the object code in operation is the same as the latest source code version.
1.15.1.3 Whether the change management practices adopted (including by outsourced vendors) are secure enough, and the development team has no access to production.
1.15.1.4 Whether the processes / controls built into the software, including related manual controls, are able to prevent, detect and correct undesirable events.
1.15.1.5 Whether applications deployed conform to the Bank's Software Development Policy, Application Security Policy / User Password Management Policy and are immune to known vulnerabilities, such as web applications not conforming to Open Web Application Security Project (OWASP) standards.

1.15.3 Application Security:
1.15.3.1 Whether applications comply with security requirements, i.e. password policy, account policy restrictions, encryption of data and user credentials, generation of audit trails etc.
1.15.3.2 Whether applications have any inherent weaknesses which can be exploited to the Bank's disadvantage, whether these weaknesses are on account of the vendor's ignorance of industry standards and international best practices, and what the remedial measures are to plug these weaknesses.
1.15.3.3 Whether applications deployed can function smoothly if the secure configuration settings at OS level and database level are implemented as prescribed in the Secure Configuration Documents, and whether standard SDLC procedures, international best practices and the Secure Configuration Settings of OS and database have been taken into account while developing the applications.
1.15.3.4 Whether the applications already in operation have scope to introduce embedded audit modules now for online real-time audit, without adversely affecting performance and resource utilization.
1.15.3.5 Whether changes to applications are done in a controlled manner after taking the necessary precautions, and the changes have not affected existing functionality, created security gaps or caused disruption to business continuity.
1.15.3.6 Where applications / databases have a provision to make corrections through back-end intervention, whether adequate controls are in place for back-end access and the procedures adopted for back-end corrections are secure.
1.15.3.7 Where applications have interfaces with other delivery channels / applications, whether the interface access is secure enough against penetration by internal / external users.

1.15.4 Network Security:


1.15.4.1 Whether the Bank's internal network is penetrable, either through the public-facing domains or by other means.
1.15.4.2 Whether the service providers have implemented secure procedures / practices / monitoring mechanisms to prevent the same, and also to prevent introduction of viruses, worms, Trojans and malware into our network, either internally or from external connections.
1.15.4.3 Whether the practices adopted by multiple service providers, such as anti-virus vendors who are on the same network, do not give scope for exploitation of the Bank's network.
1.15.4.4 Where the service provider is serving multiple clients, whether our network is not used to serve the other clients, to the Bank's disadvantage.
1.15.4.5 Whether the signature patterns are up to date on IDS, IPS and other network security / monitoring devices, and the firewall rules defined are adequate to prevent undesirable traffic.
1.15.4.6 Whether administrative access to these network security devices is controlled.
1.15.4.7 Where wireless networks are in operation, whether these are configured securely and do not pose any threat to wired network security.
1.15.4.8 Whether network devices are configured as per the Secure Configuration Settings prescribed.
1.15.4.9 Whether critical servers are accessible from the respective segments only.

1.15.5 Operating System / Database Security:
1.15.5.1 Whether operating system / database access conforms to the User Access Password Management Policy of the Bank.
1.15.5.2 Whether the OS / databases have been configured as per the Secure Configuration Settings prescribed, deviations, if any, have the approval of the Information Security Department, and the conditions / compensating controls prescribed for these exceptions have been met to mitigate the associated risks.
1.15.5.3 Whether ownership of generic IDs, if any, is clearly established and accountability can be fixed in the event of lapses / misuse.
1.15.5.4 Whether generic user IDs can be replaced with individual user IDs.
1.15.5.5 Whether the privileges of these generic user IDs pose any threat of unauthorized access to OS, data and applications, and provide for manipulation thereof.

1.15.6 Monitoring:


1.15.6.1 Whether the monitoring mechanism is adequate to prevent / detect / correct security breaches, if any, promptly.
1.15.6.2 Whether the monitoring mechanism is capable of providing the necessary alerts to stakeholders, and these alerts are acted upon.
1.15.6.3 Whether the monitoring mechanism prevents the generation of false positives.
1.15.6.4 Whether logs are pushed to a central syslog server and are secure from unauthorized access.
1.15.6.5 Whether log analysis is not done by the same person whose actions are logged.

1.15.7 Backup:
1.15.7.1 Whether an approved backup policy is in place, backup of the data and software essential for the continued operations of the Bank is taken as specified in the backup policy, and such backups are tested periodically for recovery. Whether the security controls over backup data and media are stringent, and IT media handling is in compliance with the Bank's IT Policy.

1.15.8 Disaster Recovery:
1.15.8.1 Whether the Disaster Recovery strategy adopted is adequate for continuity of operations of the information systems which are critical to the Bank's business in the event of disasters.
1.15.8.2 Whether it has the necessary safeguards to minimize the risks, costs and duration of disruption to business processes caused by disasters.
1.15.8.3 Whether the DR drills conducted were adequate to ensure continuity of operations in the event of an actual disaster.
1.15.8.4 Where the DR strategy is dependent upon vendors, whether adequate arrangements are in place with the vendors to enable the DR exercise to function successfully, and they have the necessary infrastructure.
1.15.8.5 Whether redundancy is configured for all critical applications, including firewalls / routers and other network links and devices, and works in times of contingency.

1.15.9 Web Presence (Intranet & Internet) and Communications:
1.15.9.1 Whether a single domain policy has been adopted for the Bank's own websites, and content management processes are in place to ensure that the information published on these websites is accurate, consistent and current.
1.15.9.2 Whether transactional websites are secure enough, if not immune, to attacks such as hacking, phishing etc.


1.15.9.3 Whether the web browsing practices of employees are as per the acceptable usage policy of the Bank and do not give scope for disrepute to the Bank.

1.15.10 Risk Management: Whether the Risk Assessment done by the departments concerned has taken into account
a. Maintaining IT inventory
b. Classification of assets
c. Classification of information
d. Risk assessment (including process risks)
e. Risk treatment
f. Risk mitigation
g. Residual risks, for which approval of the appropriate authority should be obtained; and
h. Whether the Risk Assessment is done periodically or whenever changes are made to the IT infrastructure.

B. Independent Assurance of Bank's IS Audit function:
(Ref. RBI's Gopalakrishna Committee recommendations of April 2011 – Chapter 5 – Section 6(d) – Independent Assurance of Audit Function)
The scope of the audit is to provide assurance to the Bank's management and regulators on the Bank's internal IS Audit function, validating the approach and practices adopted by it in the discharge of its responsibilities as laid out in the IS Audit Policy. The scope also includes review and revision of the IS Audit Procedure and IS Audit Manual.
Objectives of performing a quality assessment are:
a) Assess efficiency and effectiveness of the internal IS Audit function;
b) Determine value addition from the internal IS Audit function – benchmark, identify and recommend successful practices of IS Audit;
c) Assess compliance to standards for professional practice in IS Audit;
d) Provide recommendations for improvement in the IS Audit function.

Timeline: 30 days.


C. Dual Standard Audit (SSAE18 & ISAE3402) for 24 countries: Scope of Work and Controls to be tested

Description of Deliverables: One report for each standard for 24 countries. Reports for US Operations are to be submitted on or before 31-Dec-2020, the Bahrain report is to be made available by 10-May-2021, and the reports for the remaining 22 countries by 25-Jan-2021.

Scope of Work:
1. SSAE 18 SOC 1 Type 2 Report and ISAE 3402 Report to provide information on the controls applicable to Information Technology ("IT") General Computer Controls ("GCC") related to services provided by the ITFO Department at Navi Mumbai to SBI's branches / offices in 24 countries. Two separate reports (one per standard) are to be issued for each country.

Period of the Audit:
a) For US Operations the audit period will be 01.01.2020 to 30.09.2020, with a three months' bridge letter by the IT-FO department; the report should be released on or before 31st December 2020.
b) For Bahrain, the period of audit would be 01.04.2020 to 31.03.2021 (or 01.04.20 to 31.12.20 along with a 3 months' bridge to be incorporated in the report). The report is to be made available by 10th May 2021.
c) For the rest of the 22 countries: 01-Jan-2020 to 31-Dec-2020.

2. Applications covered in scope:
a. IT-Foreign Office Department:
   i. Finacle Core Banking
   ii. Finacle Treasury
   iii. Finacle E-Banking
   iv. Finacle Mobile Banking
   v. Connect 24
   vi. E-Trade (Ti-Plus)
   vii. Ace Pelican (except for US & Canada)
b. Security Operations Centre: coverage will be the integration of IT assets of the IT-FO Department for 24 countries.
c. Platform Engineering-I Dept.: Active Directory Services; coverage will be ADS for IT-FO and branches in 24 countries.
d. IT-Networking Department: networking provided to the IT-FO Department.
e. Payment System Department: SWIFT Alliance Access applications and the hardware related to these 24 countries.

3. Indicative list of Domains:
A. Information Security
B. Recruitment & Training
C. Logical Security
D. Network Security
E. Change Management
F. Backup & Restoration Management
G. Physical Security
H. Environmental Controls
I. Security Operations Centre


Controls to be tested: (These are minimum and will be finalised after discussion with the Auditor and IT-FO Dept.)

Control Objective A - Information Security:
Controls provide reasonable assurance that IT infrastructure, applications and databases are protected from unauthorized network intrusions or access.

Control Activity No. (Department): Control Activity
A1 (ISD): An updated and approved Information Security Policy exists for managing IT infrastructure (i.e. servers, operating systems, network devices), applications and databases. The policies are reviewed by the Information Security Department (ISD) and approved by the Central Board.
A2 (IT-FO): IT infrastructure, applications and databases are hardened for High Risk parameters as per the approved and latest Secure Configuration Documents (SCD) before being introduced into the production environment.
A3 (IT-FO): Operating systems and applications are updated with the latest patches / updates, which are deployed after testing in the test environment and after obtaining approval from authorized personnel of ITFO (Change Control Committee) in the HP Service Manager ticketing tool (for Windows & Unix) / in the Change Request Form (for applications).
A4 (IT-FO): Antivirus software has been installed on desktops and servers, and the antivirus server is configured to push the latest virus definition files at least once every day to desktops and servers. SBI-ITFO employees do not have rights to disable antivirus settings on their desktops or servers.
A5 (PE-I): An antivirus compliance report is prepared on a monthly basis to determine the virus definition file deployment compliance level. Further, the relevant actions taken by the Central Antivirus Team (CAT) are documented in case of any deviations.
A6 (IT-FO, ISD): Documented Risk Assessment by IT-FO, and Cybersecurity program and Cybersecurity policies by ISD.
A7 (IT-FO, ISD, IT-RMD): Policies and procedure for submitting Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events.
A8 (IT-FO): Effective continuous monitoring with the ability to continuously, on an ongoing basis, detect changes or activities within the information systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity.
A9 (SOC, IT-FO): A Security Operations Center (SOC) monitoring report summary (monthly report) is available for servers (OS & database) and network for the applications in scope.
A10 (ISD, IT-FO): All applications must go through an application security review, and all Critical & High vulnerabilities identified should be remediated prior to being promoted to production.
A11 (ISD, IT-FO): All critical applications should be covered by an application security review annually or whenever any changes are made, whichever is earlier.


Control Objective B - Recruitment & Training:
Controls provide reasonable assurance that personnel policies promote the appropriate hiring and continued security awareness and training of resources.

Control Activity No. (Department): Control Activity
B1 (IT-FO, IT-HR): HR conducts police verification checks prior to recruitment of new employees into the SBI-ITFO department.
B2 (IT-FO, IT-HR): All new hires sign the "Declaration of Fidelity and Secrecy and Rules of Conduct" at the time of joining SBI-ITFO.
B3 (ISD, IT-FO): All SBI-ITFO employees undergo basic security awareness training on a periodic basis, conducted by the ISD. The ISD team tracks the completion of basic security awareness training by employees.
B4 (IT-FO, IT-HR): HR conducts educational verification checks prior to recruitment of new employees into the SBI-ITFO department.
B5 (IT-FO, IT-HR): HR conducts prior employment checks before recruitment of new employees into the SBI-ITFO department. This is done centrally at the time of recruitment into the organization.

Control Objective C - Logical Security:
Controls provide reasonable assurance that logical access to IT applications is restricted to authorized individuals only.

Control Activity No. (Department): Control Activity
C1 (IT-FO, ISD): Updated and approved user access and password management policy and procedure documents exist to govern logical access to IT infrastructure (i.e. servers, operating systems and network devices), applications and databases. These documents are reviewed by the Information Security Department and approved by the Information Security Committee and the Central Board of State Bank of India.
C2 (IT-FO): For creating a new user ID / user access modification / user deletion on Windows & Unix servers and the Cisco ACS, the User Access Request / Access Modification Request / Access Deletion Request hard copy form is filled in by the Branch Manager / Application Owner / Department Head. The form is then approved by the State Bank of India DC in-charge and DXC's Account Service Delivery Manager ("ASDM"), based on which authorized users from the DXC / Dimension Data team create / delete / modify the user ID on Windows & Unix servers and Cisco ACS.
C3 (IT-FO): The initial password is communicated to new users created on Windows & Unix servers by the HP team, and by the Dimension Data team for new users created on Cisco ACS. The initial password is communicated via call / email after the user's identity has been established. Users are required to change the password after first logon.
C4 (IT-FO): Privileged user IDs on Windows & Unix servers and Cisco ACS are created by the HP / Dimension Data team based on approval by State Bank of India's DC in-charge and the HP ASDM prior to the creation of these IDs. In case of separations / transfers, the IDs are deleted on the employee's last working day in SBI-ITFO.
C5 (IT-FO): State Bank of India's SCD defines the following password and account lockout parameters to be configured for the SBI-managed IT infrastructure (operating systems, applications, databases and network devices):
  • Minimum password length: eight characters (seven characters for Unix OS)
  • Password complexity enabled
  • Expiry in 90 days
  • Password history: five passwords remembered (10 passwords for Unix OS and database)
  • Account lockout duration: 0 hours (1000 hours for database) (not applicable for application, Unix OS and network devices)
  • Account lockout threshold: three invalid attempts (10 invalid attempts for Unix OS) (5 invalid attempts for database)
  • Reset account lockout counter after 1440 minutes (only the administrator can unlock a user account)
C6 (IT-FO): Critical applications and IT systems are configured to time out as per the SCD:
  • ten minutes of user inactivity for network devices; and
  • five to thirty minutes of user inactivity for Windows and Unix servers, Finacle Core, Finacle Treasury, and network devices.
  The above configurations require the user to enter the password again.
C7 (IT-FO): All generic / vendor-provided administrator accounts in Windows servers, Unix servers and network devices are renamed, and other default accounts are disabled.
C8 (IT-FO, IT-NW): On a quarterly basis, a listing of user IDs in the Finacle Core and Finacle Treasury applications and databases, Windows and Unix servers, and the Cisco ACS for network devices used by the SBI-ITFO department is sent by the system officials to the respective Application Owner / SBI DC in-charge / HP ASDM / SBI's IT Networking Department Head for their review and approval. Relevant actions are taken by the system officials based on the review results in case of any deviations.
C9 (SOC, IT-FO): Audit trails (access and security logs) of Windows and Unix servers, applications, databases and network devices are recorded and maintained. Logs are monitored through a tool on a real-time basis, and exceptions identified are documented along with the action taken.
C10 (SOC, IT-FO): Track and maintain logging of all privileged authorized user access actions taken during a privileged account session to critical systems' databases and operating systems. Periodically review such access privileges.
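Control C5 states concrete values, so the evidence can be tested mechanically rather than by eye. The Python below is an added example, not part of the offer document and not SBI's SCD tooling: SCD_BASELINE reproduces the figures quoted in C5, while the platform keys, the comparison rules, the parser and the `net accounts`-style sample dump are constructed assumptions (field labels vary between Windows versions, and password complexity is not in that dump, so it needs separate evidence). Two checks a simple equality test misses are built in: a longer minimum length or a shorter expiry is still compliant, and an observed value of 0 for expiry or lockout threshold means the control is switched off, not that it is strict.

```python
"""Compare observed password / account-lockout settings with the SCD
baseline values quoted in control C5.

Added example, not from the SBI offer document. SCD_BASELINE reproduces the
C5 figures; platform keys, parameter names, the parser and the sample dump
are constructed for illustration.
"""
import operator

OPS = {"ge": operator.ge, "le": operator.le, "eq": operator.eq}

# Parameters where an observed 0 means the control is disabled
# (Windows reports 'never expires' / 'no lockout' as 0), not 'strictest'.
DISABLED_WHEN_ZERO = {"max_age_days", "lockout_threshold"}

SCD_BASELINE = {                       # (expected value, rule observed must satisfy)
    "windows": {
        "min_length": (8, "ge"), "max_age_days": (90, "le"),
        "history": (5, "ge"), "lockout_threshold": (3, "le"),
        "lockout_duration_hours": (0, "eq"),      # 0 = admin unlock only
        "reset_counter_minutes": (1440, "ge"),
    },
    "unix": {
        "min_length": (7, "ge"), "max_age_days": (90, "le"),
        "history": (10, "ge"), "lockout_threshold": (10, "le"),
        "reset_counter_minutes": (1440, "ge"),
    },
    "database": {
        "min_length": (8, "ge"), "max_age_days": (90, "le"),
        "history": (10, "ge"), "lockout_threshold": (5, "le"),
        "lockout_duration_hours": (1000, "ge"),
        "reset_counter_minutes": (1440, "ge"),
    },
}


def check_platform(platform, observed, baseline=SCD_BASELINE):
    """Return [(parameter, observed, expected, reason)] for each deviation.
    A parameter absent from the evidence is itself a finding: absence of
    evidence is not compliance."""
    findings = []
    for param, (expected, rule) in baseline[platform].items():
        if param not in observed:
            findings.append((param, None, expected, "not evidenced"))
            continue
        value = observed[param]
        if param in DISABLED_WHEN_ZERO and value == 0:
            findings.append((param, value, expected, "control disabled (0)"))
        elif not OPS[rule](value, expected):
            findings.append((param, value, expected, f"{value} not {rule} {expected}"))
    return findings


NET_ACCOUNTS_KEYS = {                  # dump label -> baseline key (assumed labels)
    "maximum password age (days)": "max_age_days",
    "minimum password length": "min_length",
    "length of password history maintained": "history",
    "lockout threshold": "lockout_threshold",
    "lockout duration (minutes)": "lockout_duration_minutes",
    "lockout observation window (minutes)": "reset_counter_minutes",
}


def parse_net_accounts(text):
    """Map a `net accounts`-style dump (constructed format) onto baseline
    keys. 'Never' / 'Unlimited' become 0 so the checker flags them."""
    observed = {}
    for line in text.splitlines():
        label, sep, raw = line.partition(":")
        key = NET_ACCOUNTS_KEYS.get(label.strip().lower())
        if not sep or key is None:
            continue
        raw = raw.strip().lower()
        observed[key] = 0 if raw in ("never", "unlimited") else int(raw)
    if "lockout_duration_minutes" in observed:
        # keep fractional hours: 30 minutes must not round down to 'indefinite'
        observed["lockout_duration_hours"] = observed.pop("lockout_duration_minutes") / 60
    return observed


# Constructed evidence: expiry disabled, history and threshold off baseline.
SAMPLE_WINDOWS_DUMP = """\
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                3
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 1440
"""

if __name__ == "__main__":
    for finding in check_platform("windows", parse_net_accounts(SAMPLE_WINDOWS_DUMP)):
        print(finding)
```

On the sample dump the checker reports four deviations: expiry disabled, history 3 instead of 5, threshold 5 instead of 3, and a 30-minute lockout where C5 requires administrator unlock. The same check_platform() call works for the Unix and database baselines once their evidence is collected from login.defs / PAM or the database profile and mapped onto the same keys.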

Control Objective D - Network Security:
Controls provide reasonable assurance that data communication through the network is secured and monitored.

Control Activity No. (Department): Control Activity
D1 (ISD): Updated and approved network and perimeter security policy and procedure documents exist. These documents are reviewed by the Information Security Department and approved by the Information Security Committee of SBI.
D2 (ISD, IT-NW): Changes to the firewall rule base follow the change management process. Firewall rule base reviews are carried out by the IT-NW team on a periodic basis, and relevant actions are taken by ISD / IT-NW and the Dimension Data team in case of deviations noted in the review. Records of this activity are maintained by IT-NW for future reference.
D3 (IT-NW): New user IDs in the Cisco ACS server are created by the Dimension Data team only after obtaining approval from authorized personnel of SBI's IT Networking Department.
D4 (IT-NW): Password and account lockout parameters in the Cisco ACS servers are configured as per the network device SCD. Additionally, SBI's IT-Networking Department and the Dimension Data team ensure that the IPS is updated with the latest signatures as and when they are released by the vendor.
D5 (ISD, IT-FO): Branch access to the Data Center and Disaster Recovery site is encrypted using IPsec tunnelling.
D6 (IT-NW, IT-FO): Separate VLANs are configured for servers in DC and DR in State Bank of India. Inter-VLAN communication is disabled.
D7 (IT-NW, IT-FO): Multiple links have been taken from multiple service providers through multiple routes to avoid a single point of failure impacting application connectivity from the DC and DR sites to the Foreign Office.
D8 (IT-NW, SOC, IT-FO): Logging is enabled on network devices. Firewall and IPS logs are monitored by the SOC to identify High, Medium and Low threats detected by the IPS; an IPS threat report; and the top 10 firewall denied events for internal and external traffic. Any action taken on exceptions is documented and maintained.
D9 (SOC, IT-FO): Annual vulnerability assessments are performed.
D10 (SOC, IT-FO): Annual penetration tests are performed.
D11 (IT-NW, IT-FO): The corporate internal network is separated onto a different network segment, firewalled away from the Finacle Core, Finacle Treasury and E-Trade database servers.
D12 (IT-FO): Firewall rules are in place for the database to specifically limit who can connect to the database.
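Control D8 asks the SOC for IPS threat counts by severity and the top 10 firewall denied events, split into internal and external traffic. The Python below is an added example, not part of the offer document and not the SOC's actual tooling: the key=value log layout, the INTERNAL_NETS ranges and the sample lines are constructed, and parse_event() would be adapted to the real firewall and IPS syslog formats. It keeps malformed lines counted rather than dropped, since a sudden rise in unparsable lines is itself a monitoring gap worth raising.

```python
"""Summarise firewall-deny and IPS events as control D8 describes: IPS
threats by severity and the top-N denied flows for internal and external
sources.

Added example, not from the SBI offer document. The log layout, the
INTERNAL_NETS ranges and the sample lines are constructed.
"""
import ipaddress
from collections import Counter

# Assumed internal address space; a real deployment would use the bank's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_event(line):
    """Turn 'ts host k=v k=v ...' into a dict. Returns None for lines that do
    not follow the layout, so one malformed line cannot abort the report."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "host": parts[1]}
    for tok in parts[2:]:
        key, sep, value = tok.partition("=")
        if sep:
            event[key] = value
    return event


def is_internal(src):
    """Classify a source address; an unparsable source is treated as external."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def summarise(lines, top_n=10):
    """Build the D8 summary: top-N denied (src, dst, dport) flows per side,
    IPS counts by severity, the high-severity signatures and a malformed count."""
    denied = {"internal": Counter(), "external": Counter()}
    ips_by_sev, high_sigs, malformed = Counter(), Counter(), 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            malformed += 1
            continue
        if ev.get("action") == "deny":
            side = "internal" if is_internal(ev.get("src", "")) else "external"
            denied[side][(ev.get("src"), ev.get("dst"), ev.get("dport"))] += 1
        elif "sev" in ev:                       # IPS record
            sev = ev["sev"].lower()
            ips_by_sev[sev] += 1
            if sev == "high":
                high_sigs[ev.get("sig", "?")] += 1
    return {
        "top_denied_internal": denied["internal"].most_common(top_n),
        "top_denied_external": denied["external"].most_common(top_n),
        "ips_by_severity": dict(ips_by_sev),
        "high_signatures": high_sigs.most_common(top_n),
        "malformed": malformed,
    }


# Constructed sample log: three SSH denies from one external host, two
# internal denies to a database port, three IPS alerts, one garbage line.
SAMPLE_LOG = """\
2020-10-03T10:15:01 fw01 action=deny src=203.0.113.45 dst=10.20.30.5 dport=22 proto=tcp
2020-10-03T10:15:02 fw01 action=deny src=203.0.113.45 dst=10.20.30.5 dport=22 proto=tcp
2020-10-03T10:15:03 fw01 action=deny src=203.0.113.45 dst=10.20.30.5 dport=22 proto=tcp
2020-10-03T10:15:04 fw01 action=allow src=10.1.1.7 dst=10.20.30.8 dport=443 proto=tcp
2020-10-03T10:15:05 fw01 action=deny src=10.1.1.7 dst=10.20.30.8 dport=3306 proto=tcp
2020-10-03T10:15:06 fw01 action=deny src=10.1.1.7 dst=10.20.30.8 dport=3306 proto=tcp
2020-10-03T10:15:07 fw01 action=deny src=198.51.100.9 dst=10.20.30.5 dport=3389 proto=tcp
2020-10-03T10:15:08 ips01 sev=high sig=SQLi_Attempt src=203.0.113.45 dst=10.20.30.9
2020-10-03T10:15:09 ips01 sev=medium sig=Port_Scan src=198.51.100.9 dst=10.20.30.5
2020-10-03T10:15:10 ips01 sev=high sig=SQLi_Attempt src=203.0.113.45 dst=10.20.30.9
2020-10-03T10:15:11 ips01 sev=low sig=ICMP_Sweep src=10.1.1.7 dst=10.20.30.1
garbage line
"""

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

The internal top-N is the one worth reading first: an internal host repeatedly denied on a database port is either a misconfiguration or lateral movement, and it would be drowned out if internal and external denies were ranked together, which is why D8 asks for the split.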

Control Objective E - Change Management:
Controls provide reasonable assurance that changes to IT applications are recorded, analyzed, tracked, approved and tested before implementation in the production environment. Controls also provide reasonable assurance that emergency changes are implemented and approved as per the documented process.

Control Activity No. (Department): Control Activity
E1 (ISD, IT-FO): Updated and approved change management policy and procedures exist for IT infrastructure (i.e. servers, operating systems and network devices), applications and databases. These documents are reviewed by the Information Security Department and approved by the Information Security Committee of SBI.
E2 (IT-FO): All changes are approved by the AGM DC in-charge / AGM ITFO and tested in the test environment prior to implementation in the production environment.
E3 (IT-FO): Test, development and production environments are logically segregated.
E4 (IT-FO): Implementation plan, test plan, test / UAT results, implementation steps and remediation / back-out plan are documented in the CRF / CR ticket in the ticketing tool.
E5 (IT-FO): AGM - Systems / AGM ITFO / Chief Manager - Systems communicates application / database / Windows and Unix server / network device change reports (including emergency changes) to the Deputy General Manager - ITFO on a monthly basis.
E6 (IT-FO): Emergency changes are logged in the Change Request form by authorized users and approved by the AGM DC in-charge / AGM ITFO within 5 working days of the implementation date.

Control Objective F - Backup and Restoration Management:
Controls provide reasonable assurance that data is backed up at pre-defined intervals and as per the established backup procedures. Controls also provide reasonable assurance that adequate Disaster Recovery plans and procedures are documented and tested for critical systems.

Control Activity No. (Department): Control Activity
F1 (ISD, IT-RMD, IT-FO): Updated and approved policy and procedures exist for backup and DR management. These documents are reviewed by the Information Security Department and approved by the Information Security Committee of State Bank of India.
F2 (IT-FO): Full daily / weekly / monthly backups of Windows and Unix servers, applications and databases are taken using the HP Data Protector backup tool.
F3 (IT-FO): Backup failure or backup skipped instances are identified by the HP team and reported to the AGM DC in-charge of SBI's ITFO department. Failed backup jobs, if any, are re-initiated and the backup is completed successfully using either the DC or the DR setup.
F4 (IT-FO): Recovery testing of randomly selected samples of the backup tapes is conducted on a monthly basis. Results of recovery testing are recorded and maintained.
F5 (IT-FO): Access to backup media placed in the fire-proof cabinet is restricted to specified responsible individuals.
F6 (IT-FO): The DR plan is documented for critical applications along with the required procedures and work instructions. The DR plan is reviewed at least annually and / or as and when modifications are identified during DR tests.
F7 (IT-FO): DR plans for critical applications and databases are tested annually for DR readiness.


Control Objective G - Physical Security:
Controls provide reasonable assurance that physical access to the Data Center and Disaster Recovery site is restricted to authorized personnel.

Control Activity No. (Department): Control Activity
G1 (ISD, DC&CS, IT-FO): Updated and approved policy and procedures exist for managing physical and environmental security for the DC and DR sites. These documents are reviewed by the Information Security Department and approved by the Information Security Committee of State Bank of India.
G2 (DC&CS): Entry and exit points of the DC and DR sites are controlled by a proximity card and biometric access control system.
G3 (DC&CS): Security guards are stationed at the entry and exit points within the DC and DR sites.
G4 (DC&CS, IT-FO): Security guards ensure that the details of visitors or vendors, such as name of the visitor or vendor and ID card number, company name and address, contact details, contact person, purpose of visit, date, entry & exit time, and details of IT equipment (laptop, compact disc and other electronic media / devices) in their possession, are recorded in the visitor register maintained at the reception before entry to the DC and DR site is permitted. Additionally, details of assets being taken inside the DC / DR site are recorded in the inward register by the security guard.
G5 (DC&CS): Closed Circuit Television ("CCTV") surveillance equipment is used to monitor the identified critical points within the DC and DR sites. The CCTV digital feeds are stored and retained for a minimum period of 15 days. Recordings are reviewed by the Admin Manager on a daily basis, and exceptions are recorded in the CCTV review register and reported to the Facility Manager. CCTV performance is checked online, and the findings are logged in the CCTV breakdown register on a daily basis.
G6 (DC&CS): Any material transported out of the DC and DR site is accompanied by an Asset Movement Form authorized by the Application Owner / Department Head and CM / AGM (BCM - DC / DR).
G7 (DC&CS): Access to the DC and DR sites is restricted to authorized individuals. Depending on the access required, the employee, visitor or vendor has to submit details in a temporary / permanent access request form to the Administration Team at the DC / DR. After review of the details filled in the temporary / permanent access request form, the form is approved by the Data Center Manager.
G8 (DC&CS, IT-FO): Loss of an access card must be reported immediately to the CM / AGM (BCM - DC / DR) by e-mail or by letter. Upon receiving the intimation from the CM / AGM (BCM - DC / DR), the card is blocked immediately by the Administration Team of the DC / DR site.
G9 (DC&CS, IT-FO): The Administration team at the respective locations disables employee access to the DC and DR site based on the access revocation form received from authorized personnel of the respective department for transferred / resigned / terminated / absconded employees.

Control Objective H - Environmental Controls

Controls provide reasonable assurance that environmental safeguards have been implemented within the Data Center and Disaster Recovery site.

Control Activity No. | Control Activity | Department(s)

H1 | FM 200 fire suppression systems, portable fire extinguishers and smoke detectors are installed within the DC and DR sites. Maintenance activities for this equipment, along with the access control systems, are carried out by the equipment vendors on a periodic basis or as recommended by the vendor / manufacturer. | DC&CS, F&OA

H2 | Fire drills are carried out on a yearly basis to create user awareness of the actions to be followed in the event of a fire outbreak. The F&OA Department maintains fire drill records for future reference. | F&OA

H3 | UPS systems and DG sets are installed to ensure continuous availability of power. Maintenance activities, including regular testing for adequacy of load and operational effectiveness of the UPS and DG, are performed by the respective vendors on a monthly / quarterly basis. | F&OA, DC&CS

H4 | Temperature and humidity monitoring equipment is installed within the DC and DR sites and is monitored by the Administration Team. | DC&CS

H5 | UPS battery banks should be stored in a physically isolated location away from the Data Center and from any location where personnel are stationed. | F&OA, DC&CS

H6 | Raised flooring should be provided in the Data Center and the Disaster Recovery site. | DC&CS

H7 | Redundant precision air-conditioning units should be installed in the Data Center and the Disaster Recovery site. | DC&CS

Control Objective I – Security Operations Centre

An independent security program review that can assess the security risk and overall maturity of the security function for Finacle Core, Finacle Treasury and E-Trade.

Control Activity No. | Control Activity | Department(s)

I1 | SOC policies and procedures for submitting Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events. | SOC, IT-FO

I2 | Track and maintain data logging of all privileged authorized user access actions taken during a privileged account session to critical systems' databases and operating systems. | SOC, IT-FO

I3 | Design to confirm that all audit and system logs are moved to the SIEM tool. | SOC, IT-FO

I4 | Effective continuous monitoring, with the ability to detect, on an ongoing basis, changes or activities within the Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. | SOC, IT-FO

I5 | All identified incidents are analyzed, responded to and closed in a prioritized manner. | SOC, IT-FO

I6 | Security Operations Center (SOC) monitoring report summary (monthly report), if available, for servers (OS & Database) and Network for the Finacle Core, Finacle Treasury and E-Trade applications. | SOC, IT-FO

I7 | Monitor data logging of all privileged authorized user access actions taken during a privileged account session to critical systems' databases and operating systems. Review such user access privileges. | SOC, PE-II, IT-FO


D. Assessment of SWIFT Infrastructure against SWIFT Customer Security Controls Framework (CSCF) V2020

Scope and requirement of Assessment:

i. Entity: SWIFT Operations Centre, Payment Systems Dept., GITC, Navi Mumbai.

ii. Scope: The detailed scope is as per Annexure-A. Assessment of compliance with the 31 controls (21 Mandatory and 10 Advisory) specified in SWIFT's Customer Security Controls Framework v2020. The list of 31 controls is given in Annexure-B.

iii. Deliverables: A report that sets out the compliance status against each of the CSCF mandatory and advisory controls, comprising:
a. Assessment Templates (two Excel files attached), duly completed in all respects.
b. Completion letter in SWIFT's format (given in the assessment template).
c. Compliance Review after submission of compliance to the original observations, and submission of a Compliance Review Report.

iv. Duration of Assessment: One month from the Purchase Order. The Compliance Review is to be completed within 15 days from the date of receipt of the Compliance report. In all, the final report after compliance review is to be released on or before 20th November, 2020.

v. Qualified Auditors: The firm must have recent (within twelve months) and relevant experience in executing a cybersecurity-oriented assessment against an industry standard such as PCI DSS, ISO 27001, NIST SP 800-53, or the NIST Cybersecurity Framework. The individual Auditors who will conduct the Assessment will be shortlisted by us before commencement of the Assessment on the basis of their experience and qualifications. The individuals should hold at least one industry-relevant professional certification, e.g.:

• PCI Qualified Security Assessor (QSA)

• Certified Information Systems Security Professional (CISSP)

• Certified Information Systems Auditor (CISA)

• Certified Information Security Manager (CISM)

• ISO 27001 Lead Auditor

• System Administration, Networking, and Security Institute (SANS)


Annexure-II

Indicative Commercial Bid format

Name of Audit | No. of Man-days | Indicative Commercial Bid in Rupees (Exclusive of GST)

A. IS Audit of IT Departments:

CB DEV | | ₹

CB Tech Ops | | ₹

DC & CS | | ₹

EIS | | ₹

ePay & PG | | ₹

INB | | ₹

IT ATM | | ₹

IT FO | | ₹

IT Networking & Communications | | ₹

IT Trade finance | | ₹

Mobile Banking | | ₹

Payment Systems | | ₹

Special Projects I | | ₹

Special Projects II | | ₹

Security Operations Centre | | ₹

System & App Audit of UPI | | ₹

Special Audit of CCDP | | ₹

B. Independent Assurance on Bank's IS Audit function | |

C. Dual Standard Audit (SSAE18 & ISAE3402) for 24 countries | |

D. Assessment of SWIFT Infrastructure against SWIFT CSCF V2020 | |


Annexure-A

SCOPE for CSP Assessment of SWIFT

1. SWIFT has published the SWIFT Customer Security Controls Framework V2020 (CSCF V2020) and mandated assessment of SBI's SWIFT Operations Centre against each of the 31 controls and objectives (Annexure-B).

2. SBI has implemented the A1 type Architecture, hence all 31 control objectives are applicable.

3. Two Assessment Templates (Excel files) are provided by SWIFT: one for Advisory controls (2020 v3) and another for Mandatory controls (2020 v3). These templates will have to be used for the Assessment, and remarks are to be mentioned therein. In addition to these templates, a separate report may also be prepared giving summary and detailed observations, if any.

4. A suitable completion letter (as provided in the above templates) needs to be signed by you on the company's letterhead after completion of the Assessment, for submission to SWIFT.

5. The Assessment will be conducted as per SWIFT's Customer Security Programme Independent Assessment Framework dated 4th July, 2019.

6. SBI has 30 BICs (Business Identifier Codes) (Domestic as well as Foreign Offices), and all BICs are hosted in the SWIFT infrastructure at the Payment Systems Department, GITC, Navi Mumbai. All associated BICs would be attested under Architecture Type B – Branch connecting to central SWIFT hub infrastructure.

7. The Assessment, at a minimum, encompasses all in-scope components of SBI's SWIFT infrastructure as documented in the CSCF. These include the following basic systems, operators and devices:

• Data Exchange Layer

• Local SWIFT Infrastructure

o Secure Zone

o Messaging Interface

o Communication Interface

o SWIFTNet Link (SNL)

o Connector

o SWIFT Hardware Security Modules (HSMs)

o Firewalls, routers and switches within or surrounding the SWIFT infrastructure

o Graphical User Interface (GUI)

• Operators and their PCs

The assessment should confirm the architecture type selected and encompass all production, disaster recovery (DR), and/or backup environments (as applicable) that house any of the above systems, operators or devices. The infrastructure consists of 12 servers, 5 desktops and 5 HSM boxes.


Annexure-B

Controls as per SWIFT CSCF V2020

Sl. No. | Control No.* | Control Description

Area I: Restrict Internet Access & Protect Critical Systems from General IT Environment

1 | 1.1 | SWIFT Environment Protection

2 | 1.2 | Operating System Privileged Account Control

3 | 1.3 | Virtualisation Platform Protection

4 | 1.4A | Restriction of Internet Access

Area II: Reduce Attack Surface and Vulnerabilities

5 | 2.1 | Internal Data Flow Security

6 | 2.2 | Security Updates

7 | 2.3 | System Hardening

8 | 2.4A | Back-office Data Flow Security

9 | 2.5A | External Transmission Data Protection

10 | 2.6 | Operator Session Confidentiality and Integrity

11 | 2.7 | Vulnerability Scanning

12 | 2.8A | Critical Activity Outsourcing

13 | 2.9A | Transaction Business Controls

14 | 2.10 | Application Hardening

15 | 2.11A | RMA Business Controls

Area III: Physically Secure the Environment

16 | 3.1 | Physical Security

Area IV: Prevent Compromise of Credentials

17 | 4.1 | Password Policy

18 | 4.2 | Multi-factor Authentication

Area V: Manage Identities and Segregate Privileges

19 | 5.1 | Logical Access Control

20 | 5.2 | Token Management

21 | 5.3A | Personnel Vetting Process

22 | 5.4 | Physical and Logical Password Storage

Area VI: Detect Anomalous Activity to Systems or Transaction Records

23 | 6.1 | Malware Protection

24 | 6.2 | Software Integrity

25 | 6.3 | Database Integrity

26 | 6.4 | Logging and Monitoring

27 | 6.5A | Intrusion Detection

Area VII: Plan for Incident Response and Information Sharing

28 | 7.1 | Cyber Incident Response Planning

29 | 7.2 | Security Training and Awareness

30 | 7.3A | Penetration Testing

31 | 7.4A | Scenario Risk Assessment

*A denotes Advisory (10); the others are Mandatory (21).