IT Risk Management for Banks

This document outlines an IT risk management procedure for ENAT Bank S.C. It discusses the importance of effective IT risk management for banks. It defines key terms and outlines roles and responsibilities for the board of directors, senior management, risk management, IT, and internal audit departments. The procedure describes the risk-based approach to IT security and provides details on risk identification, assessment, measurement, and mitigation strategies. It also covers IT training, reporting, and the process for amending the procedure.

Uploaded by

arefayne wodajo

ENAT BANK S.C.

IT RISK MANAGEMENT PROCEDURE


(DRAFT)

February, 2020
Table of Contents
LIST OF TABLES .... iv
ACRONYMS .... v
TERMS AND DEFINITION .... vi
1. INTRODUCTION .... 7
2. DEFINITION .... 8
3. PURPOSE OF IT RISK MANAGEMENT .... 9
4. OBJECTIVES OF IT RISK MANAGEMENT .... 11
5. ROLES AND RESPONSIBILITIES OF THE BANK ORGANS .... 11
5.1. ROLES OF BOARD OF DIRECTORS (BOD) .... 11
5.2. ROLES OF SENIOR MANAGEMENT .... 12
5.3. ROLES OF RISK AND COMPLIANCE MANAGEMENT DEPARTMENT .... 13
5.4. ROLES OF INFORMATION SYSTEM DEPARTMENT .... 13
5.5. ROLES OF INTERNAL AUDIT DEPARTMENT .... 15
6. THE RISK-BASED APPROACH TO IT SECURITY .... 16
6.1. PROTECTING IT DATA AND SYSTEMS .... 16
6.2. SECURITY THREATS TO IT DATA AND SYSTEMS .... 16
6.3. MALWARE, VIRUSES, SPAM AND COOKIES .... 17
6.4. HACKERS, CYBERCRIME AND INFORMATION/IP THEFT .... 17
6.5. SECURING COMPUTERS, SERVERS AND WIRELESS NETWORKS .... 17
6.6. STEPS TO GUARD AGAINST EXTERNAL THREATS TO IT SYSTEMS .... 17
7. INFORMATION TECHNOLOGY RISK MANAGEMENT .... 18
7.1. RISK IDENTIFICATION .... 22
7.2. RISK ASSESSMENT .... 28
7.3. RISK MEASUREMENT .... 30
7.4. RISK MITIGATION .... 31
8. IT TRAINING FOR STAFF .... 41
9. REPORTING .... 41
10. AMENDMENT TO THE PROCEDURE .... 41
11. EFFECTIVE DATE .... 42
ANNEX 1: DATA REPORTING FORMAT ON IT RISK EVENT .... 43
ANNEX 2.1: INCIDENT REPORTING TEMPLATE .... 44
ANNEX 2.2: SUSPICIOUS ACTIVITIES AND INCIDENTS OF FRAUD REPORT .... 46

LIST OF TABLES

TABLE 1 IT RISK INDICATORS .... 20
TABLE 2 RISK SCORE .... 26
TABLE 3 RISK ASSESSMENT METHODOLOGY .... 29

ACRONYMS

ATM Automated Teller Machine
BOD Board of Directors
DES Data Encryption Standard
DAC Discretionary Access Control
ICT Information and Communication Technology
INSA Information Network Security Agency
IT Information Technology
KRI Key Risk Indicator
MAC Mandatory Access Control
MD4/MD5 Message-Digest 4/Message-Digest 5 Algorithm
NBE National Bank of Ethiopia
PC Personal Computer
POS Point of Sale
RSA Rivest–Shamir–Adleman Algorithm
SLA Service Level Agreement

TERMS AND DEFINITION

• Cryptography: Cryptography is the science of protecting information by transforming it into a form that unauthorized parties cannot read or alter undetected. Transforming data into a format that cannot be read by unauthorized users is called encryption; cryptography also provides integrity checks and digital signatures. It is used to protect digital data.

• Internet Protocol Security (IPsec): A set of protocols that provides security for the Internet Protocol. It uses cryptography to authenticate and encrypt IP packets, and it is commonly used to set up virtual private networks (VPNs) securely.

• Non-Repudiation: Non-repudiation is the assurance that a party cannot later deny having sent a message or performed a transaction. It is provided by digital signatures; encryption alone does not provide it, because a shared secret key could have been used by either party. It is one of the five pillars of information assurance (IA); the other four are availability, integrity, confidentiality and authentication. Non-repudiation is often required for digital contracts, signatures and email messages.

• Server: A server is a computer that provides data or services to other computers. Many types of servers exist, including web servers, mail servers and file servers. Each type runs software specific to its purpose.

• Virtual Private Network (VPN): An encrypted connection over the internet from a device to a network. The encrypted connection helps ensure that sensitive data is transmitted safely, prevents unauthorized parties from eavesdropping on the traffic, and allows users to work remotely. VPN technology is widely used in corporate environments.

1. INTRODUCTION

The availability of sophisticated computer technology in recent years has been instrumental in developing many new financial instruments. Technology has improved the quality of and access to information, and this in turn has increased the efficiency and liquidity of related secondary markets.

Modeling and analytical tools that are supported with timely, accurate and internally consistent information provide the technical support necessary to conduct transactions and make decisions. In addition, sophisticated computer programs have enabled the simultaneous processing and risk evaluation of transactions, providing bank management and staff with the information needed to understand in real time the exact nature of risk.

An effective IT risk management process is an important component of a successful IT security program. The principal goal of a bank's IT risk management process should be to protect the Bank and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT and risk management experts who operate and manage the IT systems, but as an essential management function of the Bank.

As individuals, banks, corporations and economies grow increasingly dependent on the internet and IT systems, the risks in these systems become far more visible and significant. Breaches or failures of information systems cause serious business crises, including reputational damage caused by identity theft, business losses stemming from system failures and regulatory restrictions arising from compliance issues.

It is essential that banking corporations have a comprehensive risk management process in place that effectively identifies, measures, monitors and controls IT risk exposures, and that is subject to appropriate board and senior management oversight.

Hence, understanding this reality and the direction given by NBE, the Bank has developed this IT Risk Management Procedure to be introduced and implemented in the Bank.

2. DEFINITION

IT risk is any potential adverse outcome, impairment, loss, violation, failure or disruption in the performance of business functions or processes due to the use of or reliance on technology. Exposure to this risk can result from, among other things, system flaws, software defects and network vulnerabilities.

IT risk is business risk – specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events and conditions that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives. IT risk can be categorized in different ways:

• IT benefit/value enablement risk – associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes, or as an enabler for new business initiatives;

• IT program and project delivery risk – associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs;

• IT operations and service delivery risk – associated with all aspects of the performance of IT systems and services, which can bring destruction or reduction of value to the enterprise.

IT risk always exists, whether or not it is detected or recognized by the Bank. In this context, it is important to identify and manage potentially significant IT risk issues, as opposed to every risk issue, as the latter may not be cost effective.

3. PURPOSE OF IT RISK MANAGEMENT

This document sets out the minimum IT risk management procedures that Enat Bank needs to have in place and apply within its Bank-wide Comprehensive Risk Management Program, and the minimum criteria it should use to prudently manage and control its exposure to IT risk.

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guiding principle provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help the Bank manage IT-related mission risks.

The IT risk management system explains IT risk and enables users to:

• Integrate the management of IT risk into the overall Bank environment, thus allowing the Bank to make risk-return-aware decisions;

• Make well-informed decisions about the extent of the risk, and the risk appetite and the risk tolerance of the enterprise;

• Understand how to respond to information technology risks. These risks either concern the potential loss of information and its recovery, or concern the ongoing usage of information, and fall into the following categories:

Security: Risk that information is altered or used by non-authorized people. This includes computer crimes, internal breaches and cyber-terrorism.

Availability: Risk that data is not accessible, such as after a system failure, due to human error, configuration changes, lack of redundancy in architectures or other causes.

Recoverability: The risk that necessary information cannot be recovered in sufficient time after a security or availability incident such as hardware and/or software failure, external threats or natural disasters.

Performance: The risk that information is not provided when it is needed, owing to distributed architectures, peak demand and heterogeneity in the IT landscape.

Scalability: The risk that business growth, provisioning bottlenecks and inflexible architectures make it impossible to handle major new applications and businesses cost effectively.

Compliance: Risk that the management or usage of information violates regulatory requirements. The sources here include government regulations, corporate governance guidelines and internal policies.

Going from current to best-practice IT risk assurance could yield substantial improvements to the Bank's value. To do this, management should:

• Develop an awareness of the nature of the different IT risks to the business;

• Quantify the impact to the business resulting from the loss of information or of access to applications;

• Understand the range of tools available to manage IT risks;

• Align the costs of IT risk management to the business value; and

• Build a systematic, corporate capability to manage security risk.

4. OBJECTIVES OF IT RISK MANAGEMENT

The objective of performing risk management is to enable the Bank to accomplish its mission and vision by:

• Better securing the IT systems that store, process, or transmit the Bank's information;

• Enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and

• Assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

5. ROLES AND RESPONSIBILITIES OF THE BANK ORGANS

5.1. ROLES OF BOARD OF DIRECTORS (BoD)

The Board of Directors of the Bank has the following responsibilities with respect to the management of information technology risk:

• Ensure that the Bank has in place an appropriate ICT governance structure and risk management framework which suits its own circumstances, business needs and risk tolerance;

• Periodically review the alignment of ICT strategy with the overall business strategies and significant policies of the Bank;

• Approve ICT risk management strategies and policies;

• Set high ethical and integrity standards, and establish a culture within the Bank that emphasizes and demonstrates to all levels of personnel the importance of ICT risk management;

• Establish an ICT steering committee, consisting of representatives from Executive Management, the ICT function and major business units, to oversee these responsibilities and to report periodically to the Board of Directors and executive management on the effectiveness of strategic ICT planning, the ICT budget and actual expenditure, and overall ICT performance;

• Ensure that an effective internal audit of ICT risk management is carried out by operationally independent, well-trained and qualified staff, and that the audit report is submitted to the audit committee;

• Ensure the appropriation of the funding necessary for the ICT risk management function;

• Understand the major ICT risks inherent in the Bank's business, set acceptable levels for these risks, and ensure the implementation of the measures necessary to identify, measure, monitor and control these risks.

5.2. ROLES OF EXECUTIVE MANAGEMENT

The following are the key responsibilities of the executive management team with regard to IT risk management:

• Ensuring that all employees of the Bank fully understand and adhere to the IT risk management policies and procedures approved by the Board of Directors and the executive management team, and are provided with pertinent training.

• Ensuring that customer information, financial information, product information and the core banking system of the legal entity are held in a secure environment.

• Reporting in a timely manner any significant adverse incidents affecting information and communication systems, or unexpected events, and how they have been handled.

• Cooperating with supervisory review of information systems risk management, and ensuring that supervisory opinions are followed up.

• Performing other related ICT risk management tasks.

5.3. ROLES OF RISK AND COMPLIANCE MANAGEMENT DEPARTMENT

The Risk and Compliance Management Department shall:

• Develop, propose and review IT risk limits and tolerances;

• Review policies, procedures and guidelines in connection with the management of IT risk;

• Evaluate the business strategy on IT risk in light of the inherent risks of the Bank;

• Identify, measure, control and monitor the IT risks of the Bank and report to the Board's Risk and Compliance Sub-Committee;

• Monitor the approved limits and tolerances and report to the Board's Risk and Compliance Sub-Committee;

• Ensure that proper understanding and awareness of this procedure is created among all performers of the IT process; and

• Ensure and maintain efficient integration of the IT process with the Bank's core and support processes.

5.4. ROLES OF INFORMATION SYSTEM DEPARTMENT

The following are the responsibilities of the Information System Department (ISD):

• Play a direct role in key business development decisions involving the use of IT in the Bank.

• Ensure that information systems meet the needs of the Bank, and that the ICT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the Bank.

• Be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the Bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, information security, the disaster recovery plan (DRP), IT outsourcing, and information system retirement.

• Ensure the effectiveness of IT risk management throughout the organization, including all branches.

• Organize professional training to improve the technical proficiency of staff.

5.4.1. IT SECURITY PRACTITIONERS

IT security practitioners such as network, system, application and database administrators; computer specialists; security analysts; and security consultants are responsible for the proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

In addition, IT security practitioners are responsible for ensuring that:

• Access rights are allocated and controlled according to the Bank's stated policy.

• Segregation of duties is enforced through system software and other configuration controls.

• Intrusion and vulnerability assessment, prevention and detection are in place and continuously monitored.

• Intrusion (penetration) testing is performed on a regular basis.

• Encryption services are applied where confidentiality is a stated requirement.

• Change management processes, including patch management, are in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components and data.

IT security practitioners also play a leading role in introducing an appropriate, structured methodology to help identify, evaluate and minimize risks to the IT systems that support the Bank's missions.

Use of the IT systems and data according to the Bank's policies, guidelines and rules of behavior is critical to mitigating risk and protecting the Bank's IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

5.5. ROLES OF INTERNAL AUDIT DEPARTMENT

The Internal Audit Department should:

• Ensure that it has the IT expertise to fulfill its engagements;

• Assess whether the IT risk management of the Bank sustains and supports the Bank's strategies and objectives;

• Ensure that the risk exposures relating to the Bank's information systems are properly identified and that mitigation strategies are designed;

• Assess whether management is treating IT risks with adequate and effective controls;

• Update its roles and responsibilities to support continuous improvement and implementation of effective IT risk management;

• Provide assurance on the effectiveness of IT risk management.

6. THE RISK-BASED APPROACH TO IT SECURITY

6.1. Protecting IT data and systems

Online security is vital to protect the Bank's virtual assets (electronic data) and IT systems.

Data protection and a secure online presence build customers' trust and help the Bank meet legal obligations, such as privacy laws.

IT data and systems are at risk from hacking, malware, viruses, spam and online scams that may corrupt hardware or allow criminals to steal private data.

Protection includes serving the Bank's websites only over HTTPS (TLS, the successor of the secure socket layer, SSL) with a valid certificate, backing up data, authentication, and the controlled use of passwords.

This section explains how the Bank can identify and protect its online systems against external and internal threats, and how to put in place IT protection policies and procedures.

6.2. Security threats to IT data and systems

Banks face many external and internal digital threats that can corrupt hardware and compromise data. The Bank's private data and intellectual property could be used in e-crimes or fraud.

6.3. Malware, viruses, spam and cookies

Malicious software, or malware (worms, viruses, Trojans and spyware), spreads through:

• email attachments
• files on removable storage devices
• visits to infected websites.

Attackers use malware to control computers remotely, steal or destroy information (including passwords), corrupt hardware and software, or spread further malware.

Spam or junk emails promote fake or non-existent products and services such as get-rich-quick schemes, false prize or lottery wins, or fraudulent and poor-quality goods, and are a common carrier of phishing links and malicious attachments.

Cookies are not malware in themselves, but tracking cookies record website visits, can build a profile of a user's online interests and buying habits, and report these details to third parties.

6.4. Hackers, cybercrime and information/IP theft

Sophisticated and complex e-crime includes the theft of information or intellectual property, such as trademarks or customer credit card details. Hackers illegally access hardware and data to use information such as card details for fraud, and can corrupt or compromise the Bank's online security.

6.5. Securing computers, servers and wireless networks

Proper online security can protect the Bank from internal threats, such as staff who open email attachments infected with malware, and from external threats, such as hackers who steal information and commit other cybercrimes.

6.6. Steps to guard against external threats to IT systems

• Install anti-virus and anti-spyware software, including spam filters, and ensure they are turned on and updated regularly.
• Enable wireless (Wi-Fi) network security and change the default administrator and network passwords immediately, because most default passwords are well known to attackers.
• Install a software firewall, normally included in IT security bundles or operating systems, and allow only the services that are actually needed.
• Choose strong passwords: long, unique to each system, and not based on dictionary words or personal details. A combination of numbers and upper and lower case letters helps, but length matters more. Change passwords regularly, and immediately whenever compromise is suspected.
• Back up data regularly, store copies of backups off-site, and test periodically that the backups can actually be restored.
• Allow only authorized staff to access IT data and systems.
• Put IT policies and procedures in place.
• Be careful about employees connecting portable devices to work systems.
• Be alert for spam claiming to be from 'trusted' email senders; for example, banks do not do business by email.
• Think before opening attachments or sharing information, to ensure data protection.
• Store data carefully: choose who has access to it and decide what devices staff may connect to the Bank's network.
• Require authentication on the Bank's web applications so that only legitimate users can reach non-public functions.

7. INFORMATION TECHNOLOGY RISK MANAGEMENT

IT risk management is the application of the principles of risk management to an organization in order to manage the risks associated with information technology. It aims to manage the risks that come with the ownership, involvement, operation, influence, adoption and use of IT as part of a larger enterprise.

IT risk management is a component of a larger enterprise risk management system. This encompasses not only the risks and negative effects of services and operations that can degrade organizational value, but also the potential benefits of risky ventures.

As a general rule, risk is defined as the product of the likelihood of occurrence and the impact an event could have. In IT security practice the same idea is usually expressed in terms of the asset value, the system's vulnerability, and the threat that could exploit that vulnerability (risk = asset value × vulnerability × threat): the asset value stands in for impact, and the vulnerability and the threat together determine likelihood.

Table 1 below illustrates the general areas where risk can occur due to IT-related failure, along with possible key risk indicators. Corresponding metrics are an essential part of such a table but require a critical assessment of the Bank's IT environment.

Table 1 IT Risk Indicators

Risk Category | Key Risk Indicator (KRI)
IT Governance | Failure to clearly establish IT strategic and operational alignment with the Bank's business strategy. Lack of a well-established IT roadmap to deliver measurable value to the business. Poor IT governance structure for accountable control of resources, risk, performance and cost.
IT Project Management | Risks that may disrupt an IT project and keep it from successful completion: project delays or failure; completed projects short-changing security and controls; failure to achieve business objectives; poor or inadequate vendor management.
Segregation of Duties / Identity and Access Management | Failure to establish control processes that effectively manage segregation of duties between IT and the business.
Asset Management | Failure to control IT assets (hardware and software).
IT Skills | Lack of the specialized skills needed to perform many high-risk IT activities/engagements successfully.
Integration | The potential for the integration of departments/branches, processes, technology or data to fail.
Information Security | Inability to protect the confidentiality, integrity and availability of information that is critical to the Bank.
Cyber Security | The possibility of external and/or internal offenders stealing sensitive or confidential data of the Bank.
Availability | Downtime of IT services, for any reason.
Single Point of Failure | A small component of a system that brings the entire system down when it fails.
Infrastructure | Failures of basic services such as networks, power and computing resources.
Facility | Risks related to facilities such as data centers.
Capacity/Performance | Capacity management failures, such as poor server performance or an overloaded network connection, that cause inefficiencies such as process delays or failures.
Disaster Preparedness and Recovery | Inability to effectively recover systems and resume regular system performance in the event of a disruption or disaster.
Data Loss | Loss of data that cannot be restored.
Vendor | The potential for an IT vendor to fail to meet its obligations to the Bank.
Partner | Risks associated with technology partners such as service providers like Ethio-Telecom, Ethiopian Electric Utility etc.
Change Control | A failure to control change to complex systems, including practices such as change management and configuration management.
Compliance | Lack of compliance with laws and regulations, industry standards, vendor requirements, applicable internal policies and procedures, and other stakeholders' requirements.

IT risks are managed according to the following steps:

• Identification: determination of all kinds of threats, vulnerabilities and exposures;

• Assessment: each identified risk is analysed and assessed for severity;

• Measurement: an evaluation of the likelihood and magnitude of a risk;

• Mitigation: countermeasures are put in place to reduce the likelihood or impact of particular risks;

• Evaluation: at the end of a project or review cycle, the effectiveness of the countermeasures (along with their cost-effectiveness) is evaluated. Based on the results, actions are taken to improve, change or keep the current plans.
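The two risk formulas given above and the five steps in this list can be exercised end to end on a small risk register. The following Python is an added illustration for this procedure, not a tool the Bank or NBE provides: the 1-to-5 scales, the severity bands, the tolerance of 27, the sample assets and the effect each control has on its factor are all assumed for the example, and the register itself is constructed.

```python
"""Added illustration (not part of the Bank's procedure): a small IT risk register
that applies the two risk formulas from section 7 and walks the five steps above.
The 1-5 scales, severity bands, tolerance, sample risks and control effects are
assumed for this example; none of the figures come from the document."""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed ordinal scale: 1 (lowest) .. 5 (highest)


@dataclass
class Control:
    name: str
    cost: int       # assumed relative cost units
    reduces: str    # "vulnerability" or "threat": the factor the control lowers
    by: int         # points removed from that factor


@dataclass
class Risk:
    asset: str
    threat_source: str          # Natural / Human / Environmental, as in 7.1
    threat: str
    asset_value: int            # stands in for impact
    vulnerability: int          # how exploitable the asset is
    threat_level: int           # how likely and capable the threat is
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.asset_value, self.vulnerability, self.threat_level):
            if v not in SCALE:
                raise ValueError(f"factor {v} is outside the 1..5 scale")


def general_risk_score(likelihood: int, impact: int) -> int:
    """General form: risk = likelihood x impact."""
    return likelihood * impact


def it_risk_score(asset_value: int, vulnerability: int, threat_level: int) -> int:
    """IT form from section 7: risk = asset value x vulnerability x threat (1..125)."""
    return asset_value * vulnerability * threat_level


def inherent(risk: Risk) -> int:
    """Step 3 (measurement) before any countermeasure is applied."""
    return it_risk_score(risk.asset_value, risk.vulnerability, risk.threat_level)


def residual(risk: Risk) -> int:
    """Step 4 (mitigation): re-score after each control lowers its factor (floor 1)."""
    vuln, threat = risk.vulnerability, risk.threat_level
    for c in risk.controls:
        if c.reduces == "vulnerability":
            vuln = max(1, vuln - c.by)
        elif c.reduces == "threat":
            threat = max(1, threat - c.by)
        else:
            raise ValueError(f"unknown factor {c.reduces!r}")
    return it_risk_score(risk.asset_value, vuln, threat)


def band(score: int) -> str:
    """Assumed severity bands on the 1..125 range."""
    if score >= 64:
        return "Critical"
    if score >= 27:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def evaluate(register: list[Risk], tolerance: int) -> list[dict]:
    """Step 5 (evaluation): rank by residual score, flag what still exceeds the
    Bank's tolerance, and show how much score each unit of control cost removed."""
    rows = []
    for r in register:
        inh, res = inherent(r), residual(r)
        cost = sum(c.cost for c in r.controls)
        rows.append({
            "asset": r.asset,
            "threat": f"{r.threat_source}: {r.threat}",
            "inherent": inh,
            "residual": res,
            "band": band(res),
            "above_tolerance": res > tolerance,
            "reduction_per_cost": (inh - res) / cost if cost else 0.0,
        })
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


# Constructed sample register (step 1, identification), covering each threat-source type.
REGISTER = [
    Risk("Core banking database", "Human", "unauthorized access via unpatched server",
         asset_value=5, vulnerability=4, threat_level=4,
         controls=[Control("patch management", cost=3, reduces="vulnerability", by=2),
                   Control("network segmentation", cost=4, reduces="threat", by=1)]),
    Risk("Branch Wi-Fi", "Human", "default router password known to attackers",
         asset_value=3, vulnerability=5, threat_level=3,
         controls=[Control("change default password, enable WPA2", cost=1,
                           reduces="vulnerability", by=3)]),
    Risk("Data center", "Natural", "flood", asset_value=5, vulnerability=2, threat_level=2),
    Risk("Branch servers", "Environmental", "power failure",
         asset_value=4, vulnerability=3, threat_level=3,
         controls=[Control("UPS and generator", cost=5, reduces="vulnerability", by=2)]),
]

TOLERANCE = 27  # assumed: residual scores above this go back through the cycle

if __name__ == "__main__":
    for row in evaluate(REGISTER, TOLERANCE):
        flag = "  <-- above tolerance" if row["above_tolerance"] else ""
        print(f"{row['asset']:<22} {row['threat']:<48} inherent={row['inherent']:>3} "
              f"residual={row['residual']:>3} {row['band']:<8}{flag}")
```

Running the block prints the register ranked by residual score. Two points a practitioner should take from it: a control is judged by how much score it removes per unit of cost (the Wi-Fi password change removes 27 points for one cost unit, while the patch-and-segmentation pair on the core banking database removes 50 for seven), and a risk that is still above tolerance after mitigation (the core banking database, at 30) is returned to the cycle for further treatment rather than accepted by default.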

7.1. RISK IDENTIFICATION

Risk identification entails the determination of all kinds of threats, vulnerabilities and exposures present in the IT system configuration, which is made up of components such as internal and external networks, hardware, software, applications, system interfaces, operations and human elements.

Security threats such as those manifested in denial of service attacks, internal sabotage and malware infection could cause severe disruption to the operations of a Bank, with consequential losses for all parties affected. Vigilant monitoring of these evolving, growing risks is a crucial step in the risk containment exercise.

Both threat-sources and threats must be identified. Each threat should be recorded together with its threat-source to ensure accurate assessment. Some common threat-sources include:

• Natural Threats – floods, earthquakes, hurricanes.

• Human Threats – threats caused by human beings, including both deliberate actions (network-based attacks, malware infection, unauthorized access) and unintentional ones (inadvertent data entry errors).

• Environmental Threats – power failure, pollution, chemicals, water damage.

The risk management function in the Bank should compile a list of threats that are present across the Bank and use this list as the basis for all risk management activities.

7.1.1. IDENTIFICATION OF IMPACT OF RISK

7.1.2. Foreign Remittance


1. Money Transfer: The money remitter is in a foreign country and wishes to remit money to another country. The remitter deposits the money with a recognized bank or financial institution, which gives the remitter a PIN code. The remitter sends the PIN code to the money receiver in the other country. The receiver goes to the bank branch in the receiving country and submits the PIN code; bank staff check the PIN code and record the receiver’s details (NIC number, phone number and residential address) with his signature. If everything is correct, the receiver fills in the relevant slips to withdraw the money. This carries a higher risk, because if the PIN code becomes known to others the impact is high.
2. ATM System: When notes are too old, the ATM system cannot count them accurately and can make counting errors. This has a high impact on the client because of the lack of reliability.
3. E-banking facilities (internet banking, mobile banking, SMS banking, Teleline): This is the current and prospective risk to earnings and capital arising from fraud, error, negligence and the inability to maintain expected service levels. A high level of transaction risk may exist with Internet banking products, because of the need to have sophisticated internal controls and constant availability. Most Internet banking platforms are based on new platforms which use complex interfaces to link with legacy systems, thereby increasing the risk of transaction errors. There is also a need to ensure data integrity and non-repudiation of transactions. Third-party providers also increase transaction risks, since the Bank does not have full control over a third party. Without seamless process and system connections between the bank and the third party, the impact is higher because of technological failures and a low level of trust.

7.1.3. General Transaction


1. Power failures: These have a high impact. When a client with a bulk transaction comes to the bank and the power fails, the network system is disrupted and the client may cancel the transaction and leave.
2. Internet breakdown: All transactions would be delayed due to the loss of connectivity with the central database. This has a high impact.
3. Human attacks: There are chances of robbery, etc., which have a high impact.
4. Staff risk: The impact would be low.
5. Natural disaster: Flood, earthquake and the like would carry a high risk for the bank.
6. Foreign Exchange: This arises when assets in one currency are funded by liabilities in another. Internet banking may encourage residents of other countries to transact in their domestic currencies. Due to the ease and lower cost of transacting, it may also lead customers to take speculative positions in various currencies. Higher holdings and transactions in non-domestic currencies increase foreign exchange risk. The impact would be moderate due to the limitation of central bank monitoring.

Table 2 Risk Score

THREAT | VULNERABILITY | ASSET | IMPACT | LIKELIHOOD | RISK | CONTROL RECOMMENDATIONS
System failure – overheating in server room (high) | Air-conditioning system is old (high) | Servers (critical) | All services (website, email etc.) will be unavailable (critical) | Current temperature in server is high (high) | Potential loss (High) | Buy new air conditioner
Malicious human (interference) (medium) | Firewall is configured properly (low) | Website (critical) | Website resources will be unavailable (critical) | Discovered Distributed Denial of Service (high) | Potential loss (High) | Monitor the firewall
Natural disasters – flooding (High) | Server room should be on safe area (low) | Servers (critical) | All services will be unavailable (critical) | low | low | No action needed
Accidental human interference – accidental file deletions (High) | Permissions are configured properly; IT auditing software is in place; backups are taken regularly (low) | Files on a file share (medium) | Critical data could be lost but almost certainly could be restored from backup (Low) | Medium | Low | Continue monitoring permissions changes, privileged users and backups

7.2. RISK ASSESSMENT

To determine the likelihood of a future adverse event, threats to an IT system must be assessed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat’s exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data).

A typical risk assessment methodology encompasses the following nine primary steps:

 System Characterization
 Threat Identification
 Vulnerability Identification
 Control Analysis
 Likelihood Determination
 Impact Analysis
 Risk Determination
 Control Recommendations
 Results Documentation

Table 3 shows a brief description of the nine steps in the risk assessment methodology.

Table 3 Risk Assessment Methodology

Input | Risk Assessment Activities | Output
Hardware; Software; System interfaces; Data and information; People; System mission | Step 1. System Characterization | System Boundary; System Functions; System and Data Criticality; System and Data Sensitivity
History of system attack; Data from intelligence agencies, INSA, mass media and other governmental organizations | Step 2. Threat Identification | Threat Statement
Reports from prior risk assessments; Any audit comments; Security requirements; Security test results | Step 3. Vulnerability Identification | List of Potential Vulnerabilities
Current controls; Planned controls | Step 4. Control Analysis | List of Current and Planned Controls
Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls | Step 5. Likelihood Determination | Likelihood Rating
Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity; Loss of Confidentiality, Integrity and Availability | Step 6. Impact Analysis | Impact Rating
Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls | Step 7. Risk Determination | Risks and Associated Risk Levels
– | Step 8. Control Recommendations | Recommended Controls
– | Step 9. Results Documentation | Risk Assessment Report

7.3. RISK MEASUREMENT

The Bank should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include:

 Pre- and post-implementation review of IT projects
 Benchmarks for periodic review of system performance
 Reports of incidents and complaints about IT services
 Reports of internal audit and external audit
 Arrangements with vendors and business units for periodic review of Service Level Agreements (SLA)
 The possible impact of new developments in technology and new threats to software deployed
 Timely review of operational risk and management controls in the operations area

7.4. RISK MITIGATION

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

Since the elimination of all risk is usually impractical, it is the responsibility of executive management and of functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the Bank’s resources and mission.

7.4.1. RISK MITIGATION OPTIONS

Generally, risk mitigation can be achieved through any of the following risk mitigation options:

 Risk assumption – accept the potential risk and continue operating the IT system, or implement controls to lower the risk to an acceptable level.
 Risk avoidance – avoid the risk by eliminating the risk cause and/or consequence (e.g., decline certain functions of the system or shut down the system when risks are identified).
 Risk limitation – limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive and detective controls).
 Risk planning – manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.
 Research and acknowledgement – lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
 Risk transference – transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

The Bank should therefore implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the Bank. At a minimum the mitigation measures should include:

 A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner.
 Areas of potential conflicts of interest should be identified, minimized, and subject to careful independent monitoring. This also requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
 Top level reviews
 Controls over physical and logical access to data and systems
 Access granted on a need-to-know and least privilege basis
 A system of approvals and authorizations, and
 A system of verification and reconciliation.

7.4.2. RISK MITIGATION STRATEGIES

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may have minor impact if they occur or may be extremely unlikely to occur, and it may not be cost-effective to implement expensive control processes.

In general, there are several ways to treat IT risks:

• Accept the risk: One of management’s primary functions is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk: It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk: Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the risk to an insurance provider.
• Control/mitigate the risk: Instead of, or in combination with, other options, controls may be devised and implemented to prevent the risk from manifesting itself, to limit the likelihood of this manifestation, or to minimize its effects.

7.4.3. CONTROL STRATEGIES

In implementing recommended controls to mitigate risk, management should consider technical, management and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for the IT systems of the Bank.

The trade-offs that the Bank will have to consider are illustrated by viewing the decisions involved in enforcing the use of complex user passwords to minimize password guessing and cracking. In this case, a technical control requiring add-on security software may be more complex and expensive than a procedural control, but the technical control is likely to be more effective because the enforcement is automated by the system. On the other hand, a procedural control might be implemented simply by means of a memorandum to all concerned individuals and an amendment to the security guidelines for the Bank, but ensuring that users consistently follow the memorandum and guideline will be difficult and will require security awareness training and user acceptance.
7.4.3.1. TECHNICAL SECURITY CONTROLS

Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions. Technical controls are grouped into the following categories, according to primary purpose:

 Support: Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.
 Prevent: Preventive controls focus on preventing security breaches from occurring in the first place.
 Detect and Recover: These controls focus on detecting and recovering from a security breach.

7.4.3.1.1. SUPPORTING TECHNICAL CONTROLS

The supporting controls are:

a. Identification: This control provides the ability to uniquely identify users, processes, and information resources. To implement other security controls (e.g., discretionary access control (DAC), mandatory access control (MAC), accountability), it is essential that both subjects and objects be identifiable.

b. Cryptographic Key Management: Cryptographic keys must be securely managed when cryptographic functions are implemented in various other controls. Cryptographic key management includes key generation, distribution, storage, and maintenance.

c. Security Administration: The security features of the Bank’s IT system must be configured (e.g., enabled or disabled) to meet the needs of a specific installation and to account for changes in the operational environment. System security can be built into operating system security or the application. Commercial off-the-shelf add-on security products are available.

d. System Protections: Underlying a system’s various security functional capabilities is a base of confidence in the technical implementation. This represents the quality of the implementation from the perspective both of the design processes used and of the manner in which the implementation was accomplished.
7.4.3.1.2. PREVENTIVE TECHNICAL CONTROLS

These controls, which can inhibit attempts to violate security policy, include the following:

a. Authentication: The authentication control provides the means of verifying the identity of a subject to ensure that a claimed identity is valid. Authentication mechanisms include passwords, personal identification numbers or PINs, and emerging authentication technology that provides strong authentication (e.g., token, smart card, digital certificate, Kerberos).

b. Authorization: The authorization control enables specification and subsequent management of the allowed actions for a given system (e.g., the information owner or the database administrator determines who can update a shared file accessed by a group of online users).

c. Access Control Enforcement: Data integrity and confidentiality are enforced by access controls. When the subject requesting access has been authorized to access particular processes, it is necessary to enforce the defined security policy (e.g., MAC or DAC). These policy-based controls are enforced via access control mechanisms distributed throughout the system (e.g., MAC sensitivity labels; DAC file permission sets, access control lists, roles, user profiles). The effectiveness and the strength of access control depend on the correctness of the access control decisions (e.g., how the security rules are configured) and the strength of access control enforcement (e.g., the design of software or hardware security).
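The following Python program is an added illustration of the Authorization and Access Control Enforcement controls described above; it is not part of this procedure or of any Bank system. It assumes a discretionary model in which the information owner maintains an access control list per resource, access is denied unless an entry for the user or one of the user's roles grants the requested action (need-to-know, least privilege), and every decision is written to an audit record. All user ids, roles and the resource are constructed sample data.

```python
"""Discretionary access control (DAC) enforcement point with an audit trail.

Added illustration, not part of the Enat Bank procedure or of any Bank
system. Assumptions: every subject has a unique user id, every resource
carries an ACL maintained by its information owner, access is denied unless
an entry grants it, and every decision is appended to an audit list. All
user ids, roles and the resource below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions an ACL entry may grant; anything not granted is denied.
READ, WRITE, ADMIN = "read", "write", "admin"


@dataclass(frozen=True)
class Subject:
    uid: str                          # unique identifier (Identification control)
    roles: frozenset = frozenset()    # roles the subject holds


@dataclass
class Resource:
    name: str
    owner: str                        # uid of the information owner
    acl: dict = field(default_factory=dict)   # principal -> set of permissions


@dataclass
class AuditRecord:
    when: str
    uid: str
    resource: str
    action: str
    decision: str                     # "ALLOW" or "DENY"
    reason: str


def _principals(subject):
    """Principals an ACL entry may name for this subject: the user id, then 'role:<name>'."""
    return [subject.uid] + [f"role:{r}" for r in sorted(subject.roles)]


def is_authorized(subject, resource, action):
    """Access decision: default deny; allowed only if an explicit user or role
    entry grants the action (need-to-know, least privilege)."""
    return any(action in resource.acl.get(p, ()) for p in _principals(subject))


def grant(resource, granter, principal, perms):
    """Authorization control: only the information owner, or a holder of ADMIN
    on the resource, may change its ACL. Returns True when the grant was applied."""
    if granter.uid != resource.owner and not is_authorized(granter, resource, ADMIN):
        return False
    resource.acl.setdefault(principal, set()).update(perms)
    return True


def enforce(subject, resource, action, audit):
    """Enforcement point: decide, record the decision in the audit trail, return it."""
    allowed = is_authorized(subject, resource, action)
    audit.append(AuditRecord(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        uid=subject.uid, resource=resource.name, action=action,
        decision="ALLOW" if allowed else "DENY",
        reason="explicit ACL entry" if allowed else "no matching ACL entry (default deny)",
    ))
    return allowed


def demo():
    """Constructed scenario: a customer ledger whose information owner is 'alice'."""
    alice = Subject("alice", frozenset({"data_owner"}))
    bob = Subject("bob", frozenset({"teller"}))
    carol = Subject("carol", frozenset({"auditor"}))
    ledger = Resource("customer_ledger", owner="alice")
    audit = []

    grant(ledger, alice, "alice", {READ, WRITE, ADMIN})
    grant(ledger, alice, "role:teller", {READ})             # tellers need to read, not write
    bob_grant = grant(ledger, bob, "role:auditor", {READ})  # bob is not the owner: refused

    results = {
        "bob_read": enforce(bob, ledger, READ, audit),      # True: role entry grants read
        "bob_write": enforce(bob, ledger, WRITE, audit),    # False: least privilege
        "carol_read": enforce(carol, ledger, READ, audit),  # False: no entry for auditors
        "bob_grant_applied": bob_grant,                     # False: ACL change refused
        "audit_entries": len(audit),                        # 3: every decision is logged
    }
    return results, audit


if __name__ == "__main__":
    outcome, trail = demo()
    for rec in trail:
        print(f"{rec.when} {rec.uid:6} {rec.action:5} {rec.resource}: {rec.decision} ({rec.reason})")
```

The two design points that matter for the Bank's controls are that the decision function denies by default (an unlisted subject or action is never allowed), and that the ACL itself can only be changed by the information owner or an explicit ADMIN holder, so a user with read rights cannot widen access for others.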

d. Non-repudiation: System accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it.

Non-repudiation spans both prevention and detection. It has been placed in the prevention category in this guide because the mechanisms implemented prevent the successful repudiation of an action (e.g., the digital certificate that contains the owner’s private key is known only to the owner). As a result, this control is typically applied at the point of transmission or reception.

e. Protected Communications: In a distributed system, the ability to accomplish security objectives is highly dependent on trustworthy communications. The protected communications control ensures the integrity, availability, and confidentiality of sensitive and critical information while it is in transit. Protected communications use data encryption methods (e.g., virtual private network, Internet Protocol Security (IPsec)), and deployment of cryptographic technologies (e.g., Data Encryption Standard (DES), 3DES, RSA, MD4, MD5, secure hash standard, and escrowed encryption algorithms such as Clipper) to minimize network threats such as replay, interception, packet sniffing, wiretapping, or eavesdropping.

f. Transaction Privacy: Transaction privacy controls (e.g., Secure Sockets Layer, secure shell) protect against loss of privacy with respect to transactions performed by an individual.

7.4.3.1.3. DETECTION AND RECOVERY TECHNICAL CONTROLS

Detection controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums. Recovery controls can be used to restore lost computing resources. They are needed as a complement to the supporting and preventive technical measures, because none of the measures in these other areas is perfect. Detection and recovery controls include:

a. Audit: The auditing of security-relevant events and the monitoring and tracking of system abnormalities are key elements in the after-the-fact detection of, and recovery from, security breaches. Accordingly, the output from the information system audit of the Bank is used for this purpose.

b. Intrusion Detection and Containment: It is essential to detect security breaches (e.g., network break-ins, suspicious activities) so that a response can occur in a timely manner. The intrusion detection and containment control provides these two capabilities.

c. Proof of Wholeness: The proof-of-wholeness control (e.g., system integrity tool) analyzes system integrity and irregularities and identifies exposures and potential threats. This control does not prevent violations of security policy but detects violations and helps determine the type of corrective action needed.

d. Restore Secure State: This service enables a system to return to a state that is known to be secure, after a security breach occurs.

e. Virus Detection and Eradication: Virus detection and eradication software installed on servers and user workstations detects, identifies, and removes software viruses to ensure system and data integrity.
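An added illustration (not part of this procedure or of any Bank tool) of the checksum-based proof-of-wholeness control listed above: the Python program below hashes every file under a directory with SHA-256, keeps the result as a baseline, and later reports which files were added, removed or modified. It assumes the baseline is stored where an attacker who compromises the monitored host cannot rewrite it; the directory contents in demo() are constructed in a temporary folder and the file names are invented.

```python
"""File-integrity (proof-of-wholeness) check: hash a directory tree with
SHA-256, keep the result as a baseline, and report what changed later.

Added illustration, not part of the Enat Bank procedure or of any Bank tool.
It assumes the baseline is stored where an attacker who compromises the
monitored host cannot rewrite it (offline media or a separate host); the
files in demo() are constructed in a temporary directory with invented names.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (path relative to root, '/'-separated) to its hash."""
    result = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff_snapshots(baseline, current):
    """Classify the difference between a stored baseline and a fresh snapshot."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    with open(os.path.join(root, *rel.split("/")), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline three files, then change, add and delete one each."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        _write(root, "etc/app.conf", b"db_host=10.0.0.5\n")
        _write(root, "bin/transfer", b"#!/bin/sh\necho transfer\n")
        _write(root, "etc/motd", b"welcome\n")
        baseline = snapshot(root)          # in practice: persist this off-host

        _write(root, "etc/app.conf", b"db_host=203.0.113.9\n")   # modified
        _write(root, "bin/helper", b"#!/bin/sh\necho helper\n")   # added
        os.remove(os.path.join(root, "etc", "motd"))               # removed
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}", ", ".join(paths) or "-")
```

A check like this only detects violations; as the text says, the corrective action (restoring the file from a trusted backup, investigating who changed it through the audit trail) is a separate step, and the comparison is worthless if the baseline itself can be rewritten by the same party who altered the files.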

7.4.3.2. MANAGEMENT SECURITY CONTROLS

Management security controls, in conjunction with technical and operational controls, need to be implemented to manage and reduce the risk of loss and to protect the Bank’s mission.

Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the Bank’s goals and missions.

The management security controls (preventive, detection and recovery) that should be implemented to reduce risk are:
7.4.3.2.1. PREVENTIVE MANAGEMENT SECURITY CONTROLS

These controls include the following:

a. Assign security responsibility to ensure that adequate security is provided for the mission-critical IT systems.
b. Develop and maintain system security plans to document current controls and address planned controls for IT systems in support of the Bank’s mission.
c. Implement personnel security controls, including separation of duties, least privilege, and user computer access registration and termination.
d. Conduct security awareness and technical training to ensure that end users and system users are aware of the rules of behavior and their responsibilities in protecting the Bank’s mission.
7.4.3.2.2. DETECTION MANAGEMENT SECURITY CONTROLS

Detection management controls are:

a. Implement personnel security controls, including personnel clearance, background investigations, and rotation of duties.
b. Conduct periodic review of security controls to ensure that the controls are effective.
c. Perform periodic system audits.
d. Conduct ongoing risk management to assess and mitigate risk.
e. Authorize IT systems to address and accept residual risk.

7.4.3.2.3. RECOVERY MANAGEMENT SECURITY CONTROLS

These controls include the following:

a. Provide continuity of support and develop, test, and maintain the continuity of operations plan to provide for business resumption and ensure continuity of operations during emergencies or disasters.
b. Establish an incident response capability to prepare for, recognize, report, and respond to the incident and return the IT system to operational status.
7.4.3.3. OPERATIONAL SECURITY CONTROLS

Enat Bank’s security standards should establish a set of controls and guidelines to ensure that security procedures governing the use of IT assets and resources are properly enforced and implemented in accordance with the Bank’s goals and mission. Management plays a vital role in overseeing policy implementation and in ensuring the establishment of appropriate operational controls.

Operational controls, implemented in accordance with a base set of requirements (e.g., technical controls) and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat-sources. To ensure consistency and uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented and maintained.

These operational controls include:
7.4.3.3.1. PREVENTIVE OPERATIONAL SECURITY CONTROLS

Preventive operational controls are:

a. Control data media access and disposal (e.g., physical access control, degaussing method).
b. Limit external data distribution (e.g., use of labeling).
c. Control software viruses.
d. Safeguard the computing facility (e.g., security guards, site procedures for visitors, electronic badge system, biometric access control, management and distribution of locks and keys, barriers and fences).
e. Secure wiring closets that house hubs and cables.
f. Provide backup capability (e.g., procedures for regular data and system backups, archive logs that save all database changes to be used in various recovery scenarios).
g. Establish off-site storage procedures and security.
h. Protect laptops, personal computers (PC) and workstations.
i. Protect IT assets from fire damage (e.g., requirements and procedures for the use of fire extinguishers, tarpaulins, dry sprinkler systems, fire suppression system).
j. Provide emergency power source (e.g., requirements for uninterruptible power supplies, on-site power generators).
k. Control the humidity and temperature of the computing facility (e.g., operation of air conditioners, heat dispersal).

7.4.3.3.2. DETECTION OPERATIONAL SECURITY CONTROLS

Detection operational controls include the following:

a. Provide physical security (e.g., use of motion detectors, closed-circuit television monitoring, sensors and alarms).
b. Ensure environmental security (e.g., use of smoke and fire detectors, sensors and alarms).

8. IT TRAINING FOR STAFF

Training new and existing staff in our IT policies, procedures and codes of conduct is an important component of IT risk management strategies. Training can cover key business processes and policies, such as:
 safe handling of email
 protecting the privacy of customer details
 priority actions in the event of an online security breach.

As an employer, the Bank will have legal obligations when training staff. Providing support and training for new employees is a critical aspect of staff training.

9. REPORTING

The Risk and Compliance Management Department generates periodic reports, produced according to the needs of different end users, for review and decision making by the BOD, NBE and the Executive Management.

In line with this, a quarterly IT risk management report will be produced and incorporated into the Bank-wide risk and compliance report. However, if an urgent IT risk incident occurs in the Bank, the incident will be reported to the BOD Risk and Compliance Sub-Committee and Executive Management immediately, as soon as the risk has happened, without waiting for the normal quarterly reporting period.

10. AMENDMENT TO THE PROCEDURE

Since the working environment of any bank is dynamic, it could entail a revision of its IT risk management procedure manual. Therefore, this procedure can be revised at the request of any stakeholder and upon the agreement and approval of the Bank’s President.

11. EFFECTIVE DATE

This IT Risk Management Procedure Manual shall enter into force effective from _____________, 2021.

ANNEX 1: ENAT BANK S.C.

RISK AND COMPLIANCE MANAGEMENT DEPARTMENT

Annex 1: Data Reporting Format on IT Risk Event


I. Risk scoring table Matrix

Likelihood \ Impact | High | Medium | Low
High | Extreme | High | Medium
Medium | High | Medium | Low
Low | Medium | Low | Low

II. Keys for the IT risk scoring Matrix

Risk level | Action
Extreme | Immediate urgent controls required as the highest priority. Directors to be informed of the risk and steps taken to mitigate it.
High | Controls required within one month of risk assessment being approved. Directors to be informed of the risk and steps taken to mitigate it.
Medium | Controls required within six months of risk assessment being approved.
Low | Acceptable risk; no controls required. Continue monitoring risk and reconsider as necessary.
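The following Python program is an added worked example (not part of this procedure) of applying the Annex 1 likelihood-by-impact matrix and its action key to a risk register of the kind shown in Table 2 of section 7.1. It assumes that a "critical" rating as used in Table 2 maps onto "High", since the matrix only distinguishes High, Medium and Low; the sample register is constructed, loosely modelled on the Table 2 threats, and its ratings are illustrative rather than the Bank's assessment.

```python
"""Risk scoring from the Annex 1 likelihood x impact matrix and its action key.

Added illustration, not part of the Enat Bank procedure. Assumption: a
'critical' rating (as used in Table 2) is treated as 'High', because the matrix
only knows High/Medium/Low. SAMPLE_REGISTER is constructed sample data loosely
modelled on the Table 2 threats; its ratings are illustrative.
"""

# Annex 1, section I: (likelihood, impact) -> risk level
MATRIX = {
    ("High", "High"): "Extreme", ("High", "Medium"): "High",     ("High", "Low"): "Medium",
    ("Medium", "High"): "High",  ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",   ("Low", "Medium"): "Low",       ("Low", "Low"): "Low",
}

# Annex 1, section II: risk level -> required action
ACTIONS = {
    "Extreme": "Immediate urgent controls required as the highest priority; inform Directors.",
    "High": "Controls required within one month of risk assessment approval; inform Directors.",
    "Medium": "Controls required within six months of risk assessment approval.",
    "Low": "Acceptable risk; no controls required; continue monitoring.",
}

SEVERITY = {"Extreme": 3, "High": 2, "Medium": 1, "Low": 0}

# Assumed alias: Table 2's 'critical' is scored as the matrix's 'High'.
_ALIASES = {"critical": "High", "high": "High", "medium": "Medium", "low": "Low"}


def normalise(rating):
    """Map a free-text rating (e.g. 'critical', 'HIGH') onto the matrix scale."""
    key = rating.strip().lower()
    if key not in _ALIASES:
        raise ValueError(f"unknown rating {rating!r}; expected High/Medium/Low (or critical)")
    return _ALIASES[key]


def risk_level(likelihood, impact):
    """Look up the Annex 1 matrix for one risk."""
    return MATRIX[(normalise(likelihood), normalise(impact))]


def required_action(level):
    """Annex 1 key: what the Bank must do for a given risk level."""
    return ACTIONS[level]


def score_register(rows):
    """Score every register entry and return them highest risk first."""
    scored = []
    for row in rows:
        level = risk_level(row["likelihood"], row["impact"])
        scored.append({**row, "risk": level, "action": required_action(level)})
    return sorted(scored, key=lambda r: SEVERITY[r["risk"]], reverse=True)


# Constructed sample register (ratings are illustrative, not the Bank's assessment).
SAMPLE_REGISTER = [
    {"threat": "System failure - overheating in server room", "likelihood": "high", "impact": "critical"},
    {"threat": "Malicious human interference (DDoS on website)", "likelihood": "medium", "impact": "critical"},
    {"threat": "Natural disaster - flooding", "likelihood": "low", "impact": "critical"},
    {"threat": "Accidental file deletions on a file share", "likelihood": "medium", "impact": "low"},
]

if __name__ == "__main__":
    for entry in score_register(SAMPLE_REGISTER):
        print(f'{entry["risk"]:8} {entry["threat"]}: {entry["action"]}')
```

Where an assessor assigns a risk level different from what the matrix yields, the rationale should be recorded against the register entry so that the Risk and Compliance Management Department can see why the deviation was made when the quarterly report is compiled.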

ANNEX 2: Enat Bank S.C.

Information Technology Related Risks Reporting Format

Annex 2.1: Incident Reporting Template

1. Particulars:
 Date and Time of Notification to ISD
 Full Name of Branch/Department
 Name of Caller/Reporting Staff
 Designation/Department
 Contact details (e.g. email, mobile)
2. Details of Incident:
 Discovery date and time of incident
 Nature of incident and affected areas:
(i) Outage of IT system (e.g. core banking systems, ATMs, etc.)
(ii) Signs of cyber-attack (e.g. hacking or malware infection, distributed denial of service attacks)
(iii) Theft or loss of information (e.g. sensitive/important/customer information stolen)
(iv) Unavailability of infrastructure or work premises (e.g. power blackout, telecommunication linkages down, fire in office building and the affected locations)
 What actions or responses have been taken by the branch/department?
3. Impact Assessment
 Business impact including availability
of services – Treasury Services, Cash
Management, Trade Finance,

Branches, ATMs, Internet Banking,
Clearing and Settlement activities etc.
 affected retail/corporate customers,
affected participants etc.
 Financial and market impact –
Trading activities, transaction volumes
and values, monetary losses, liquidity
impact, bank run, withdrawal of funds
etc.
 Reputational impact – is incident
likely to attract media attention?
 Regulatory and Legal impact

4. Detailed chronological order of events:


 Date of incident, start time and
duration.
 Escalation steps taken, including
approvals sought on interim measures
to mitigate the event, and reasons for
taking such measures
 person informed or involved
 Various channels of communications
involved
5. Detailed Root Cause Analysis:
 Factors that caused the problem/
Reasons for occurring
 Interim measures to mitigate/resolve
the issue, and reasons for taking such
measures, and
 Steps identified or to be taken to
address the problem in the longer
term.
6. Final assessment and remediation:
 Conclusion on cause and effects of
incident
 List the corrective actions taken to
prevent future occurrences of similar
types of incident
 Target date of resolution_________
(DD/MM/YY).
ANNEX 2.2: SUSPICIOUS ACTIVITIES AND INCIDENTS OF FRAUD
REPORT

1 Identification

Reporting
 
branch/department:
Reporting Officer:
(officer/ manager /  
Director)
Title:  
Contact Officer:
(if different from Reporting  
Officer)
Title:  

Telephone number:  

Email address:  
   
2 Details of suspicious activity / incident of fraud that is material
to the safety, soundness or reputation of the bank
 
A. date and circumstances under which the activity / incident was
discovered;
B. the number of clients/users/customers affected by the incident;
C. details of persons involved in the suspicious activity;
D. the monetary amounts involved; and
E. any other relevant information.
A.______________________________________________________________________
____________________________________________________
B.______________________________________________________________________
____________________________________________________
C.______________________________________________________________________
____________________________________________________



D.______________________________________________________________________
____________________________________________________
E.____________________________________________________________
__________
Where available, please attach supporting documents such as written and
signed statements, investigation reports and police reports.
   

3 Reasons why the activity / incident is material to the safety, soundness or reputation of the financial institution.

________________________________________________________________________
________________________________________________________________________
_________________________________________________________________

4 Reasons for not lodging a police report on the incident of fraud.


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
____________________________________________

Signature:

_______________

 
Date:

____________________



Continuous monitoring and review ensure that IT risk management remains effective by regularly updating risk assessments and adapting controls in response to evolving threats and changes in the IT environment. Mechanisms supporting this process include pre and post-implementation reviews, performance benchmarks, incident reporting, internal and external audits, and service level agreement reviews. These mechanisms help maintain an up-to-date risk profile, allowing for timely adjustments to controls and strategies, thus enhancing the bank's ability to manage IT risks dynamically .

IT risks are categorized into benefit/value enablement risk, program and project delivery risk, and operations and service delivery risk. Benefit/value enablement risk involves missed opportunities to leverage technology for business efficiency or innovation, directly linking to strategic goals of improving business processes or driving new initiatives. Program and project delivery risk impacts the development and delivery of IT-based business solutions through projects, affecting strategic objectives related to innovation and advancement. Operations and service delivery risk involves the performance reliability of IT systems and services, posing threats to business continuity and operational efficiency, critical for strategic stability and resilience .

Executive management and the risk and compliance management department collaborate by ensuring alignment of IT risk management policies with enterprise strategies, conducting awareness training, and regularly assessing risk levels. Executive management is responsible for implementing policies and ensuring staff adherence, while the risk and compliance department develops risk limits, evaluates business strategy impacts, and monitors compliance. Together, they maintain oversight on policy implementation, risk monitoring, and adherence to IT risk management frameworks, ensuring comprehensive coverage and minimizing potential risk fallout .

Detection and recovery controls complement preventive controls by providing additional layers of security that activate when prevention fails. While preventive controls aim to stop incidents from occurring, detection controls identify and alert to breaches or irregularities, and recovery controls aid in restoring system integrity after an incident. Together, they create a holistic defense strategy, mitigating potential damages and ensuring quick recovery to maintain business continuity and protect critical data assets .

IT risk mitigation options can be strategically prioritized by aligning them with the bank's risk tolerance and resource constraints through a risk assessment process that evaluates the potential risk impact and the bank's ability to absorb and manage these risks. Options such as risk assumption, avoidance, limitation, planning, research, and transference are evaluated based on cost-effectiveness and potential impact reduction. Strategic prioritization involves choosing measures that balance minimizing risks with the least-cost implementation to reduce mission risk to an acceptable level while being mindful of enterprise resource constraints .

You might also like