Regulations for the Security of Internet BankingTable of ContentsPREFACE . 3DEFINITIONS. 41.SCOPE OF THE REGULATIONS . 62.INTERNET BANKING SECURITY FRAMEWORK . 62.1.Security Risk Assessment . 62.2.Security Controls Implementation . 72.2.1.Authentication Controls . 82.2.2.Security Controls for In-house Function . 82.2.3.Security Controls Implementation for Outsourced Functions: . 92.3.Security Controls Monitoring . 103.CUSTOMER AWARENESS . 114.REPORTING REQUIREMENTS . 115.REGULATORY REQUIREMENTS . 11Page 2 of 12

Regulations for the Security of Internet BankingPREFACEInternet Banking has become an important delivery channel for banking servicesenabling banks to offer traditional banking services like access to one or multipleaccounts for fund transfers, bill payments and card payments etc through internet. Thesecurity of Internet Banking has become a major concern for the regulatory authoritiesbecause of increasing IT security risks which may lead to serious financial andreputation risks in case of any major security breach. These regulations, therefore,would help banks in Pakistan to develop a formal Internet Banking SecurityFramework containing administrative, technical and physical safeguards based on bestinternational practices. The major components of the framework would be SecurityRisk Assessment (of threats, vulnerabilities to systems and customers information),Security Controls Implementation based on the Security Risk Assessment andSecurity Controls Monitoring. An effective customer awareness program is alsonecessary to mitigate the risks associated with Internet Banking. Banks, therefore, areencouraged to regularly update their customers about the identity theft and fraudtechniques, enabling them to identify these techniques and take appropriate preventivemeasures.Page 3 of 12

Regulations for the Security of Internet BankingDEFINITIONSAccess Device: means any device used by customers to access Internet Bankingservices.Customer: means a person that is maintaining an account with a bank and usingInternet Banking to access that account.Encryption: is a process of encoding information or data into a form called ciphertext, so that only authorized parties can read it.Identity Theft Prevention: is an arrangement developed and implemented in order toidentify, prevent and mitigate identity thefts in compliance with these regulations.Internet Banking: for the purpose of these regulations means electronic delivery ofbanking products and services like accessing accounts for fund transfers, utility billpayments and obtaining financial information, by the customers through internetirrespective of the access device used.Intrusion Detection System (IDS): means network security applications\applianceswhich monitor events occurring in a computer system or network in order to identifyviolations, malicious activity and suspicious patterns that may indicate a network orsystem attack from someone attempting to break into or compromise a system.Intrusion Prevention System (IPS): is an extension of IDS, which in addition toperforming intrusion detection also attempts to stop possible incidents.Least Privilege Principle: The principle that security architecture should be designedin a way that each entity is granted the minimum system resources and authorizationsneeded by the entity to perform its functions.Security Breach: is any incident that results in unauthorized access of systems,applications, data, services, networks and/or devices by bypassing their underlyingsecurity mechanisms.Security Controls: are formal arrangements made to avoid, counteract and minimizesecurity risks identified by the bank in its Security Risk Assessment exercise. Theseinclude preventive, detective and corrective arrangements to mitigate security risks toprotect bank’s assets.Security Objectives: Series of statements that describe bank’s intent to safeguarditself from internal or external threats. Security objectives for Internet Bankingprimarily consist of confidentiality of information, integrity and availability ofsystems.Page 4 of 12

Regulations for the Security of Internet BankingSecurity Framework: means documentation of management’s decision that describesthe detailed arrangements made for the protection of bank’s customers, IT andcommunication resources. Security framework contains operational, administrative,technical and physical safeguards to meet the security objectives outlined by the bank.Security Risk Assessment: is the process of identifying, estimating and prioritizinginternet security risks to which bank’s assets (customers, IT and communicationresources) are exposed.Service Providers (SPs): mean entities engaged byBanking related products and services. This mayapplications, hardware, communication, hosting,development and maintenance, digital certificationsupport banks’ Internet Banking related services.the bank for providing Internetinclude but is not limited tosecurity, monitoring, systemsservices, and call centers thatThreats: are circumstances/events with the potential to adversely impact theoperations of the bank and its assets.Traceability: means the ability to discover information related to an event happenedin a system by chronologically recording all related events in an unbroken manner touniquely identify parties involved in a verifiable way.Vulnerabilities: are the weaknesses in a system, or control gaps, if exploited, couldresult in the unauthorized disclosure, misuse, alteration, or destruction of informationor information systems.Page 5 of 12

Regulations for the Security of Internet Banking1. SCOPE OF THE REGULATIONSThese regulations are applicable to all banks in Pakistan providing financial and/ornon financial transactions through internet irrespective of software tool used by thebank and access devices used by its customers.2. INTERNET BANKING SECURITY FRAMEWORKBank shall develop, implement and regularly review Internet Banking SecurityFramework based on the following key security objectives:a) Security and integrity of data and systems, to ensure that customers’information has not been modified and systems are free from unauthorizedaccess;b) Confidentiality of customers’ data in storage, during processing and in transit;c) Reliability and availability of Internet Banking systems to provide promptaccess to systems for registered users and maintaining operationaleffectiveness;d) Accountability by designing SOPs, policies and controls to ensure traceabilityof all transactions;e) Proactive approach to detect unauthorized access and identification of potentialfraudulent transactions.While developing the Internet Banking Security Framework the bank should take intoaccount the complexity of systems, applications and products /services offered whileat the same time ensuring the ease of usage and customers’ convenience. Further theframework should clearly define the roles and responsibilities of Board of Directors(BODs), senior management and employees with regard to its approval, developmentand implementation. This Framework and any reviews thereafter should be dulyapproved by the BODs.The Internet Banking Security Framework shall include the following components: Security Risk Assessment Implementation of Security Controls and Monitoring of Security Controls2.1. Security Risk AssessmentThe bank shall conduct and document a formal Security Risk Assessment for InternetBanking with a view of identifying, estimating and prioritizing risks to which itsoperations are exposed due to Internet Banking. The BODs should review the riskassessment document and any reviews conducted thereafter.Page 6 of 12

Regulations for the Security of Internet BankingThe risk assessment shall cover at least the following aspects:a) A current and detailed description of bank’s business and technologyenvironment and existing security measures in place including identification oflocation, systems and methods for maintaining customers’ information;b) An identification of information and the information systems to be protected;c) Classification and ranking (high, medium, low) of the sensitive systems,payment data and applications in order of their importance and based on theassessment of threats and vulnerabilities;d) Assessment of potential threats and vulnerabilities to security and integrity ofcustomers’ information, payments data, IT systems and applications;e) Assessment of risks related to identity theft and identity fraud;f) An evaluation of existing Security Controls’ effectiveness against each threatand vulnerability;g) The security and contractual responsibilities of Service Providers (SPs),including customers who have access to the bank’s systems and data;h) Risks like Compliance, Concentration, Operational, Country and Legal shouldbe assessed by the banks before entering and while managing Internet Bankingoutsourcing arrangements with the SPs;i) Risk Assessment related to legal environment and bank’s responsibilities underSection 32 (Availability of Documentation and Proof), section 41 (Burden ofProof), Section 43 (Liability of banks/ Authorized Parties), section 70 (Secrecyand Privacy) and other relevant provisions of the Payment Systems andElectronic Fund Transfers Act 2007.The Security Risk Assessment should be reviewed at least once a year; however, incase of a major security breach, significant changes to the infrastructure andintroduction of a new product or service, an immediate review of risk assessmentshould be carried out. Further, in case of a major security breach, risk assessmentreview should include a detailed analysis of the factors that cause such securitybreaches.2.2. Security Controls ImplementationThe bank shall ensure that appropriate security arrangements and security controls toprotect IT assets (such as systems, applications, networks, data, and information andcommunication systems) are in place. Bank shall develop a set of controls based onthe Security Risk Assessment document, commensurate with the risk levels to meetthe control objectives.Bank shall define its set of minimum baseline Security Controls that include AccessControls (Access Rights Management, Electronic Authentication etc), NetworkAccess Controls, Operating System Access Controls, Application Access and RemotePage 7 of 12

Regulations for the Security of Internet BankingAccess Controls. Minimum Security Controls to be implemented by banks shouldinclude the following aspects:2.2.1. Authentication Controlsa) Registration/enrollment for Internet Banking customers should be doneprior to offering Internet Banking products and services after dueverification through appropriate means;b) In order to authenticate customers who use Internet Banking products andservices the bank shall implement at least Two Factor Authentication (2FA)such as Passwords ( 1 factor) and One time tokens, Dongles etc (2nd factor).c) Bank shall implement additional layered security programs for high valuetransactions processed through Internet Banking;d) Authentication controls should also take into account failed log-in attempts,frequency of password changes, session time outs and re-authentication ofcustomers based on predefined criteria;e) Bank shall conduct periodic risk assessment of authentication controls toidentify threats and vulnerabilities based on changes in applications’functionality, threats due to changes in internal and external environment,changes in customers’ preferences and actual security breaches;2.2.2. Security Controls for In-house FunctionsThe following controls shall apply on bank employees who are users of InternetBanking related systems:a) Access Rights Management: Users’ access rights should be appropriateand commensurate with their job functions and should be periodicallyreviewed keeping in view the risk ranking of the systems, data andapplications as outlined in Security Risk Assessment document. Changes inAccess Rights should be based on personal or systems change and shouldonly be applied after due authorization while ensuring properimplementation of “Least Privilege Principle”.b) Operating Systems Controls: Necessary Operating Systems’ controlsshould be implemented to ensure that access is physically and logicallysecured by ensuring that privileged access is restricted, regularly monitoredand periodically audited.c) Remote Access: Remote access to high risk IT assets shall only be grantedafter management’s approval in writing and should be subject to regularaudits. Remote access shall also be based on strong authentication andencryption to secure communications.d) Physical Access: Banks shall ensure that physical access to differentsystems, segments and data sites is restricted, regularly monitored and dulylogged.Page 8 of 12

Regulations for the Security of Internet Bankinge) IT Network Security: IT networks shall be secured thro