Keywords: CIA principle, Ray Tomlinson, Linus Torvalds, public network, business continuity, Unix-like, Unix code.
4.1 Nepal Rastra Bank – IT Guidelines and IT code of conduct
Why this guideline?
Today, many businesses use ICT to increase their efficiency. This guideline was formulated to make such information technology (IT) safe, secure, efficient and reliable.
This guideline guides banks and financial institutions on technology change, migration of data, maintaining the internal control system, limiting access to systems and data, securing electronic transactions, meeting legal requirements, managing outsourcing, etc. It points out vulnerable areas such as ATMs, cards, internet and mobile banking, data centers, virtualization and disaster recovery when incorporating ICT in service delivery.
This guideline identifies cyber fraud as a new crime area, originating from both external and internal parties.
Who should follow this guideline?
All banks and financial institutions (BFIs) must follow this guideline to make their systems secure, reliable and available and to ensure business continuity. BFIs must comply with this guideline within 2 years of its promulgation.
How many areas and sectors are indicated in the guideline?
There are 10 sectors mentioned in this guideline, which are:
- IT governance: Banks should have an IT policy and strategy and an organizational setup for IT; banks are encouraged to implement the international IT control framework COBIT; banks should designate an information security officer.
- Information security: Follow the "need to know" and "least privilege" policies in IT systems. Banks should use strong cryptography and encryption for transactions and maintain firewall rules. Security of ATMs and generation of ATM cards are also mentioned.
- Information security education: Education for employees, vendors and customers.
- Information disclosure and grievance handling: Banks should inform customers about the privacy policy, the security policy and the fees for using IT systems.
- Outsourcing management: Outsourcing means hiring services from external vendors or parties when the expertise is not available within the organization.
- IT operations: IT work such as installing security systems, changing parameters and setting up master keys should be done under joint custody. A change management process must be followed so that changes are recorded, assessed, authorized, planned and tested. High availability of the system infrastructure is required.
- Information systems acquisition, development and implementation: User requirements, security requirements, and performance and technical requirements must be approved by the board.
- Business continuity and disaster recovery planning: Natural calamities and events such as fire, earthquake and protests are unavoidable, so the bank must have a BCP policy and assign a senior officer as head of BCP. The BCP should be tested at least annually; testing may be planned or unplanned. The bank must specify RTO and RPO. The bank should check integrity between the data center and the disaster recovery center periodically, either at End of Day (EOD) or Beginning of Day (BOD).
- IS audit
- Fraud management: It is the duty of commercial banks to inform NRB if any fraud is detected.
Extra note on the guideline: The CIA (confidentiality, integrity and availability) principle of information security (IS) is good to mention in an exam paper. Hot site, warm site and cold site are mentioned in the guideline as separate places to store data and keep systems available. Non-repudiation is another term to understand: it means the sender cannot deny a transaction made in the past. DDoS (Distributed Denial of Service) means a flood of requests arrives at a server, so the server cannot serve its legitimate clients.
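The DDoS note above describes the symptom (a flood of requests) but not how an operator would notice it. The following added example, which is not part of the original notes, shows the simplest detection a server-side log monitor can do: count requests per source in a sliding time window and flag a source once it crosses a threshold. It also shows why a per-source count alone misses a *distributed* flood, by offering an aggregate count over all sources. The log lines, IP addresses (RFC 5737 documentation ranges), threshold and window size are all constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for this illustration only (documentation
# addresses, not real traffic). Format: "<ISO timestamp> <client ip> <method> <path>".
SAMPLE_LOG = """\
2024-01-15T10:00:00 198.51.100.5 GET /
2024-01-15T10:00:01 203.0.113.7 GET /login
2024-01-15T10:00:01 203.0.113.7 GET /login
2024-01-15T10:00:02 203.0.113.7 GET /login
2024-01-15T10:00:02 203.0.113.7 GET /login
2024-01-15T10:00:03 203.0.113.7 GET /login
2024-01-15T10:00:30 198.51.100.5 GET /accounts
"""

THRESHOLD = 5    # this many requests ...
WINDOW = 10.0    # ... within this many seconds trips the alert (assumed values)


def parse_line(line):
    """Split one log line into (timestamp, client_ip, path)."""
    ts, ip, _method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, path


def find_floods(lines, threshold=THRESHOLD, window=WINDOW, key=lambda ip: ip):
    """Sliding-window rate check over chronologically ordered log lines.

    `key` decides how requests are grouped: the default groups by client IP
    (catches one noisy source); `key=lambda ip: "all"` counts every request
    together, which is what catches a distributed flood where each individual
    source stays under the threshold.
    Returns {group: timestamp at which the threshold was first reached}.
    """
    recent = defaultdict(deque)   # group -> timestamps still inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _path = parse_line(line)
        group = key(ip)
        q = recent[group]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and group not in flagged:
            flagged[group] = ts
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-source floods:", find_floods(lines))
    print("aggregate flood:  ", find_floods(lines, key=lambda ip: "all"))
```

In the sample, the single source 203.0.113.7 is flagged on its fifth request; the aggregate view trips one second earlier because the legitimate request from 198.51.100.5 also counts toward the total. Real deployments tune threshold and window per endpoint and feed the result to a rate limiter or an IPS rather than just printing it.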
Office system: Microsoft develops an office package. This package contains MS Word, MS Excel, MS PowerPoint, MS Visio, MS Access, etc. It is not bespoke software (i.e. it is not custom-made software). Mail merge (to send email or prepare documents for a large audience) in MS Word and pivot tables (to summarize tabular information) in MS Excel are popular features that are good to know. Similarly, making attractive slides using animation (varying how objects move and appear within a slide) and transitions (between two slides) is also good to know. MS Access is used to store tabular information, like DBMS software. MS Visio is used to create diagrams and images with the appropriate shapes and logos available in it.
Computer Operating System (Windows, Linux, Unix):
Background: First, let us understand what an operating system (OS) is. An operating system is software that manages resources so that users can use the computer. Managing resources means providing RAM for a process to store its code and data, providing the CPU to execute the program, creating the process itself, providing security for users, managing secondary memory, file management, communication, etc. All of the work in a computer is managed by the OS. Here "users" means processes, not people.
A computer performs work based on instructions written in programs. A program becomes a process when it is brought into RAM for execution.
In the market we find different OSes such as Windows, Linux and Unix. It is important to understand that Windows and the other OSes provide support to users differently. A few terms used for OSes are as follows:
- Kernel: The kernel is the core part of the OS and always resides in RAM. Two terms are used: monolithic and microkernel. Monolithic means all important services of the OS, such as IPC, scheduling and device drivers, run inside the kernel in RAM. Thus a monolithic kernel has less overhead and is fast, but occupies a large space in RAM. A microkernel holds just basic IPC and virtual memory, so it is slower but occupies less space in RAM. The Linux kernel is monolithic, while Windows uses a hybrid kernel.
- Filesystems: Windows uses filesystems such as NTFS, while Linux uses filesystems such as ext4. In Linux, the directory tree always starts from the root directory.
- Windows is mainly GUI-based and commonly used by ordinary users. Linux is used especially in servers and data centers.
- Licensing: Windows is paid software, but Linux is open source.
Unix: Unix is also an operating system. Its versions are mainly expensive. This OS is developed for specific devices or hardware, such as telecom and banking systems. Linux is Unix-like (NOT Unix code). Linux was developed by Linus Torvalds. Unix was developed at AT&T Bell Labs by Ken Thompson and Dennis Ritchie.
General Information of Database, IT Security
A database is an organized collection of data so that data can be easily accessed, retrieved, stored and managed. These features are provided by database management system (DBMS) software. In the market, MySQL, PostgreSQL and Oracle are widely used to provide the features mentioned above.
Differences between Database and File System:
It is important to distinguish why a database differs from a file management system:
| File System | Database System |
| --- | --- |
| Doesn't support simultaneous access | DBMS supports simultaneous access to data |
| Roles can't be created | User roles can be created |
| Indexing for fast search can't be achieved | Indexing can be done so that data can be accessed fast |
| Relationships between data can't be made | Relationships between data can be managed |
Transactions must follow the ACID properties:
- Atomicity: Either all operations are performed or none.
- Consistency: The database must be in a consistent state before and after the transaction.
- Isolation: One transaction must be isolated from other concurrent transactions.
- Durability: Committed data must remain valid even after media, software or system errors.
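The ACID list above is easiest to understand with a concrete transaction that fails halfway. The following added example is not from the original notes; it uses Python's built-in sqlite3 module to implement a two-step account transfer (credit one account, debit the other) inside a single transaction. A CHECK constraint is the consistency rule (no negative balance), and when the debit violates it the rollback also undoes the credit that already ran, which is atomicity in action. The account names and balances are constructed sample data; ":memory:" is used so the example runs offline, and a file path in its place is what would make commits durable.

```python
import sqlite3

# Constructed sample accounts for this illustration only.
SEED_ACCOUNTS = [("ACC-001", 500), ("ACC-002", 100)]


def open_bank_db():
    """In-memory database; the CHECK constraint is the consistency rule
    (no account may go negative). A file path instead of ":memory:" would
    make committed transactions durable across restarts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account ("
        "  id TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO account VALUES (?, ?)", SEED_ACCOUNTS)
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one atomic transaction.
    Returns True if committed, False if the whole transfer was rolled back."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    try:
        # `with conn:` commits when the block finishes normally and rolls back
        # if an exception escapes it, so both UPDATEs land or neither does.
        with conn:
            cur = conn.execute(
                "UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            if cur.rowcount != 1:
                raise sqlite3.IntegrityError("unknown destination account")
            # The credit above has already been applied when this debit runs; if the
            # debit violates the CHECK constraint, the rollback undoes the credit too.
            cur = conn.execute(
                "UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
            if cur.rowcount != 1:
                raise sqlite3.IntegrityError("unknown source account")
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn):
    """Current balances as {account id: balance}."""
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


def demo():
    conn = open_bank_db()
    ok = transfer(conn, "ACC-001", "ACC-002", 200)     # fits: 500 -> 300, 100 -> 300
    bad = transfer(conn, "ACC-002", "ACC-001", 1000)   # would drive ACC-002 negative
    return ok, bad, balances(conn)


if __name__ == "__main__":
    print(demo())
```

After the failed second transfer the balances are still 300 and 300: the credit to ACC-001 was applied inside the transaction and then discarded with it. Isolation is provided by the database engine's locking, which this single-connection example does not exercise.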
IT security: IT security is a broad concept. Information technology equipment, software and networks are the areas of IT security. A few areas to address to make IT secure are as follows:
- Equipment security: It is important to protect physical devices and components. Common measures include hiring security guards to protect the infrastructure premises, establishing a fire protection system, an alerting mechanism for earthquakes, safeguards against protests, smart-card entry, etc.
- Software security: Programs such as the OS and applications must be secured from malicious software. Up-to-date anti-virus software, multi-factor authentication, passwords, encryption, SSL/TLS, backup facilities, etc. are tools to prevent such attacks on software.
- Network security: It is necessary to protect the network infrastructure from data theft, network congestion, unauthorized data transmission and distributed denial of service. Network security is implemented using IPS, IDS, firewalls, Virtual Private Networks (VPN), etc.
Concept of Internet, Intranet, Extranet, and e-mail:
The Internet is an interconnected network of computing devices. It is a public network. It is the backbone for transmitting data from sender to receiver. Broadband transmission media offer a high data rate for data transmission.
- We use the Internet to access web-based systems through a browser and to communicate using messaging apps such as WhatsApp and Viber.
- Similarly, corporate organizations offer services
Intranet: An intranet is a private network, or a small setup that isolates the organization's premises from the outside networking world. An intranet also supports many useful things for staff, such as printing to one printer by many users, file sharing within the network, a chat app for communication, and private web applications meant to run within the organization. An intranet is generally a LAN, which can be set up through Wi-Fi or by Ethernet cable using a switch.
Extranet: If two or more private networks that are geographically apart need to connect, using the Internet as the backbone to transmit and receive data only within these private networks, this is achievable using a VPN, which makes them behave as if they were in one private network even though they are far apart. An extranet provides security for data communication. On the other hand, to realize it we need to purchase extra software such as VPN software, which can be costly.
Email: Electronic mail is a powerful means of communication for sharing text, images and video. The backbone is the Internet. Technically, an SMTP server uplinks the message from the sender to the sender's server, which forwards it to the recipient's server. The receiver uses the POP or IMAP protocol to download the message from their server. To make electronic mail secure, confidential and integral, it is the job of the service provider organization to install SSL/TLS certificates so that the email service is genuine.
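The SMTP uplink described above is a short command/reply dialogue, and the TLS point is enforced by the receiving server refusing to accept mail until the connection has been upgraded. The following added example is not part of the original notes and uses no network: it is a toy SMTP receiving side that checks command order, answers with the standard reply codes (RFC 5321, with STARTTLS from RFC 3207), and handles the end-of-data dot and dot-stuffing. The TLS handshake itself is out of scope and is modelled only as a flag. The hostname, addresses and both client dialogues are constructed for the illustration.

```python
class MiniSmtpServer:
    """Toy SMTP receiving side: enforces command order and answers with
    RFC 5321 / RFC 3207 style reply codes. No sockets; TLS is modelled only
    as a flag, the real handshake is not simulated."""

    def __init__(self, hostname="mail.example.test", require_tls=True):
        self.hostname = hostname      # constructed name for the example
        self.require_tls = require_tls
        self.greeted = False
        self.tls = False
        self.in_data = False
        self.delivered = []           # (sender, recipients, body) of accepted mail
        self._clear_envelope()

    def _clear_envelope(self):
        self.sender = None
        self.recipients = []
        self.body = []

    def handle(self, line):
        """Process one client line; returns the reply, or None while body
        lines are being collected between DATA and the terminating '.'."""
        if self.in_data:
            if line == ".":                      # end-of-data marker
                self.in_data = False
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self._clear_envelope()
                return "250 OK: queued"
            # Dot-stuffing: a body line starting with "." was sent with an extra ".".
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            return "221 Bye"
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            return f"250 {self.hostname} STARTTLS"   # advertises the TLS upgrade
        if not self.greeted:
            return "503 Bad sequence of commands"
        if verb == "STARTTLS":
            self.tls = True
            self.greeted = False      # RFC 3207: client must EHLO again after the handshake
            self._clear_envelope()
            return "220 Ready to start TLS"
        if verb == "MAIL":
            if self.require_tls and not self.tls:
                return "530 Must issue a STARTTLS command first"
            if self.sender is not None:
                return "503 Sender already specified"
            addr = arg[5:].strip("<>") if arg.upper().startswith("FROM:") else ""
            if not addr:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender = addr
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            addr = arg[3:].strip("<>") if arg.upper().startswith("TO:") else ""
            if not addr:
                return "501 Syntax: RCPT TO:<address>"
            self.recipients.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command not recognized"


def run_session(client_lines, require_tls=True):
    """Feed client lines to a fresh server; returns (server, [(client line, reply)])."""
    server = MiniSmtpServer(require_tls=require_tls)
    transcript = []
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            transcript.append((line, reply))
    return server, transcript


# Constructed client dialogues (addresses use the reserved .test domain).
SECURE_SESSION = [
    "EHLO client.example.test",
    "STARTTLS",
    "EHLO client.example.test",              # greet again over the encrypted channel
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: hello",
    "",
    "..a body line beginning with a dot",    # dot-stuffed by the client
    ".",
    "QUIT",
]
PLAINTEXT_SESSION = ["EHLO client.example.test", "MAIL FROM:<alice@example.test>", "QUIT"]

if __name__ == "__main__":
    for name, session in (("secure", SECURE_SESSION), ("plaintext", PLAINTEXT_SESSION)):
        server, transcript = run_session(session)
        print(f"--- {name} session ---")
        for client, reply in transcript:
            print(f"C: {client}\nS: {reply}")
        print("delivered:", server.delivered)
```

The plaintext dialogue is refused with 530 at MAIL FROM, which is the behaviour a provider gets by requiring STARTTLS on submission; the secure dialogue is accepted and the message is queued with the stuffed dot removed from the body.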
Important Information:
Full forms: SMTP is Simple Mail Transfer Protocol, POP is Post Office Protocol, IMAP is Internet Message Access Protocol.
E-mail was developed by Ray Tomlinson in 1971.
ARPANET is an early form of the Internet.