1 | P a g e

Table of Contents
Topic                                                                   Page
1. Introduction                                                         1
2. Purpose and Scope                                                    1
3. Definitions                                                          1
4. Roles and Responsibilities                                           2-3
   Board of Directors                                                   2
   ONE Bank Senior Management                                           2
   Information Technology Division Head                                 2
   Network Manager                                                      2
   System Administrator                                                 2
   Database Administrator                                               3
   Data Center Manager                                                  3
   Branch Managers, Other Divisional Heads and Employees                3
   Internal IT Auditor                                                  3
   Vendors, Subcontractors and Outsourcers                              3
5. Physical Security                                                    3-8
   Control Standards - Data Center Physical Access                      5
   Control Standards - Business Unit Network Server Physical Access     6
   Control Standards - Business Unit End User Workstation Physical Access 6
   Control Standards - End User Portable Laptop Computers Physical Access 6
   Environmental Threats and Controls                                   7
   Backup Power for Power Outage Situations                             7
   Emergency Power-off Switches                                         7
   Emergency Lighting                                                   7
   Water Sensors and Temperature/Humidity Alarms                        7
   Fire Detection and Suppression Controls                              8
   Site Construction Capabilities                                       8
6. Logical Security                                                     8-12
   Identification and Authentication                                    9
   Data Integrity and Confidentiality                                   10
   Virus Protection                                                     10
   Spyware Protection                                                   11
   Data Encryption                                                      11
   Information Disclosure                                               12
7. Email Security                                                       13
8. Internet Security                                                    15
9. Network Security                                                     16
10. Disaster Recovery                                                   17-18
   Disaster Recovery Plan                                               17
   Data Backup                                                          18
11. Change Request Management                                           18
12. Hardware Management                                                 20
13. System Development and Testing                                      21-26
   Project Initiation                                                   21
   Development Tools Selection                                          22
   Team Assignment                                                      22
   Preliminary Analysis                                                 23
   Project Plan Preparation                                             23
   System Design Documentation                                          24
   Coding                                                               24
   Testing                                                              25
   Data Migration                                                       25
   Backup Policy                                                        25
   Deployment                                                           25
   Security Measures                                                    26
14. Internet Banking                                                    26
15. Service Provider Management                                         27
16. Training                                                            27
17. Internal IT Audit                                                   27
18. Disciplinary Actions                                                28
19. Green Banking                                                       28
Benefits of Emerging ICT & E-banking                                    29-30
Conclusion and Findings                                                 30-31


ONE BANK LIMITED'S PROFILE
ONE Bank Limited was incorporated in May 1999 with the Registrar of Joint Stock Companies
under the Companies Act, 1994, as a commercial bank in the private sector. The Bank is pledge-
bound to serve the customers and the community with utmost dedication. The prime focus is on
efficiency, transparency, precision and motivation, with the spirit and conviction to excel as ONE
Bank in both value and image.

Address: Corporate Head Quarters, HRC Bhaban, 46, Kawran Bazar, Dhaka 1215,
Bangladesh

The name 'ONE Bank' is derived from the insight and long-nourished feelings of the promoters
to reach out to people of all walks of life and progress together towards prosperity in a spirit
of oneness.
While financing the industrial sector, the major concentration of the bank has been in the
textile and RMG sectors; together these two sectors cover 30.89% of the total portfolio. OBL is also
involved in cement, construction and transport sector financing. In the investment portfolio, OBL
has substantial investment in quoted and non-quoted shares of different organizations, including
some very prospective financial institutions. The bank has shown its acumen in reducing its
exposure to the ship scrapping and steel re-rolling sectors, where the bank had investment earlier. With
the increase in exposure to RMG, the bank has increased its non-funded business income
substantially. At an age of only 8 years, OBL has taken the initiative to launch IT-based
banking products like ATM facilities and e-banking, which is praiseworthy.
THIRD GENERATION PRIVATE COMMERCIAL BANK
OBL is a private sector commercial bank dedicated to the business of taking deposits from the
public through its various savings schemes and lending the funds to various sectors at a higher
margin. However, due attention is given to risk undertaking and risk hedging and, where risk is not
appropriately hedged, to reflecting it in pricing. On the financing side, the bank's major
concentration is in trade finance, covering about 20.88% of total financing as of YE2006, which
is mainly short-term investment. The bank's financing concentrates on both working capital
finance and long-term finance.
Vision Statement
- To establish ONE Bank Limited as a Role Model in the Banking Sector of Bangladesh.
- To meet the needs of our Customers, Provide fulfillment for our People and create
Shareholder Value.
Mission Statement
- To constantly seek to better serve our Customers.
- Be pro-active in fulfilling our Social Responsibilities.
- To review all business lines regularly and develop the Best Practices in the industry.
- Working environment to be supportive of Teamwork, enabling the Employees to perform to
the very best of their abilities.

1. Introduction:

Information security is a crucial issue for organizations, especially for banking and financial
institutions. It can be defined as the preservation of the confidentiality, integrity and availability of
information. ONE Bank Limited considers information its most precious asset, which is to be
protected and safeguarded like all other valuable assets. Information is a unique asset, however,
not merely because it is intangible but because securing it presents a unique situation: it is the one
asset that can be unlawfully used without depriving the legitimate owner of its possession. A
comprehensive ICT Security Policy must be in place to set objectives for the organization regarding
the protection of its information assets. The management of ONE Bank Limited has initiated, and
continues to sustain, the effort to develop this ICT Security Policy.

2. Purpose and Scope:

The primary purpose of this Policy is to establish standards to ensure the protection of
confidential and/or sensitive information stored or transmitted electronically and to ensure the
protection of the Bank's information technology resources. The policy provides guidelines to
protect the Bank's systems and data against misuse and/or loss and explains the roles and
responsibilities of individuals regarding communication of and compliance with the standards.
Information security is a team effort. It requires the participation and support of all members of
the Bank who work with information systems. Thus, each employee must comply with the
requirements of the information security policy and its related documentation. Employees who
deliberately or through negligence violate the information security policy will be subject to
disciplinary action or dismissal.
This Security Policy applies to all aspects of information technology resource security including,
but not limited to, accidental or unauthorized destruction, disclosure or modification of
computers, networks, applications, operating systems and/or data owned or operated by the
Bank.

3. Definitions:

Access Control: refers to the rules and deployment mechanisms which control access to information
systems, and physical access to premises.

Authorized User: is a person who has been authorized to gain access to the Bank network, computer
systems and computer information.

Change: means any implementation of new functionality, any interruption of service, any repair
of existing functionality or any removal of existing functionality.
Change Management: is the process of controlling modifications to hardware, software,
firmware, and documentation to ensure that Information Resources are protected against
improper modification before, during, and after system implementation.

Data Center: is a centralized repository for the storage, management, and dissemination of data
and information pertaining to a particular business.
Data Integrity: is the assurance that information can only be accessed or modified by those
authorized to do so.
Disaster: is an occurrence inflicting widespread destruction and/or distress. For the purposes of
this document this means that the facilities, computing resources, or major components thereof,
are deemed unavailable for operations.
Firewall: is a set of related programs, located at a network gateway server that protects the
resources of a private network from users from other networks.
Information System: is one or more computers, associated peripherals and software which
operate together to perform a definable Bank function.
Information Technology Resource: is any information, including but not limited to information
stored in electronic format and/or the tools used to access and make use of that information
(including but not limited to computer programs and applications, databases, computer systems
and networks).
Network: is a series of points, including computers and other devices, interconnected by
communication paths. Networks include interconnections with other networks and sub networks
and may carry voice, data or other types of signals.
Proxy Server: is a server that sits between a client application and a real server. In an enterprise
that uses the Internet, a proxy server is a server that acts as an intermediary between a
workstation user and the Internet so that the enterprise can ensure security, administrative
control, and caching service.
Scheduled Change: a change for which formal notification has been received, reviewed, and
approved by the review process in advance of the change being made.
Security Breach: a type of activity which includes, but is not limited to, an unwanted
disruption or denial of service, the unauthorized use of a system for the processing or storage of
data, or changes to hardware, firmware or software made without appropriate approvals.
Sensitive Information: is information maintained by the Bank which requires special
precautions to ensure its accuracy and integrity. It is information that requires a high level of
assurance of accuracy and completeness.
Unscheduled Change: a change made without notification being presented to the formal process
in advance of the change being made. Unscheduled changes will only be acceptable in the event of a
system failure or the discovery of a security vulnerability.

4. Roles and Responsibilities:

Board of Directors
Approval of the ICT Security Policy is vested with the Board of Directors. They are also responsible
for reviewing the changes of the ICT Security Policy from time to time. Board of Directors will
review the IT security compliance report that will be prepared by Internal IT. They will also provide
guidance and assistance to IT Division in the enforcement of ICT Security Policy.

ONE Bank Senior Management
The ONE Bank Senior Management will ensure implementation of all application / process specific
information standards and provide advice and guidance from time to time regarding the same. They
are also responsible for pointing out discrepancies in the standards and for requesting waivers from
the Information Technology Division Head to particular standards if that would be in the bank's
interest from a regulatory, financial or business driven viewpoint.

Information Technology Division Head
The ONE Bank Information Technology Division Head is responsible for the timely release of new
standards and updates to existing standards, and also liaising with the policies, procedures and
standards utility group. The Information Technology Division Head is also the first point of contact
(along with Audit) for all security incidents and investigating what actions should be taken to stop
such incidents from occurring in the future.

Network Manager
The ONE Bank Network Manager is responsible for the overall management of network resources
such as the LAN, WAN and corporate e-mail. He/she will also be responsible for establishing the firewall
and related software so as to protect Information Resources from external attack.

System Administrator
The ONE Bank System Administrator provides first level services on operating systems such as Windows,
Linux and UNIX. He/she will also provision user IDs and data access rights. He/she will be responsible for
the monitoring of access violations and for access rights recertification to the application system resources.
Database Administrator
The ONE Bank Database Administrator is responsible for the installation, configuration and
performance tuning of the database system. He/she is also responsible for publishing the backup and
recovery strategy and for the overall management and monitoring of the storage system.

Data Center Manager
The ONE Bank Data Center Manager is responsible for the security of the data center and the overall
management of data center resources and operations. He/she will also be responsible for ensuring the
availability of Disaster Recovery Site (DRS) in case of any failure at production end.

Branch Managers, Other Divisional Heads and Employees
Managers and Divisional Heads will ensure that their employees have access to the information
standards in a format that they understand, that they have read them and that they are aware of the
implications of non-compliance.

All employees are required to understand and comply with all the information security standards.
Failure to do so could result in disciplinary action, and in extreme cases dismissal and/or legal action.

Internal IT Auditor
Internal IT auditor will periodically visit key IT installations in the data center, disaster recovery site,
branches, and head office to conduct IT audit. A team of IT experts will be working under the
internal IT auditor.

Vendors, Subcontractors and Outsourcers
In the provision of Information Systems services, suppliers must comply with the ONE Bank
Information Security Standards as they apply to hardware, software, and related procedures and
processes. All Supplier employees or their subcontractors working on ONE Bank projects are
required to understand and comply with ONE Bank Information Security Standards. Failure to do so
will result in them being reported to their management for appropriate disciplinary action to be taken.

5. Physical Security:

Appropriate controls must be employed to protect physical access to resources, commensurate
with the identified level of acceptable risk. These may range in scope and complexity from
extensive security installations to protect a room or facility where server machines are located, to
simple measures taken to protect a User's display screen. Physical access to information
processing areas and their supporting infrastructure (communications, power, and
environmental) must be controlled to prevent, detect, and minimize the effects of unintended
access to these areas.
Control Standards - Data Center Physical Access
The information processed here is normally deemed critical to ONE Bank operations and is of a
sensitive nature in terms of confidentiality issues. Correspondingly, access controls to the data
center require a high level of personnel restriction and authentication to safeguard the
information processed therein. Normal access control standards utilized within data centers
should include:
- Card key access for authorized individuals to gain entrance.
- Logging of card key access use for audit trail purposes, retained for 12 months.
- A visitor access log to record non-Data Center personnel visits, including vendor,
  maintenance, and cleaning crew people. All visitors must be escorted while in the Data
  Center.
- All personnel should wear visible identification within the secure area and are
  encouraged to challenge strangers.
- Regular review by the Data Center Manager of the authorization list for Data Center
  access and the Data Center Visitors Log. Personnel should only be afforded access
  when required and authorized.
- Photographic, recording or video equipment should not be allowed to be brought into the
  secure area unless authorized.
- Where possible, internal monitoring of data center activity (CCTV) by the Data Center
  Manager or by authorized personnel.
- Mobile phones with a built-in camera facility should not be allowed into the data
  center.
- Appropriate physical construction standards to discourage unauthorized access
  attempts, such as:
  - True floor to ceiling Data Center perimeter walls and, where appropriate, motion
    detectors in the surrounding areas to detect unauthorized access attempts.
  - Automatic door closers on all doors. Doors into the secure area should not be propped
    open at any time, unless a security guard is placed at the door.
  - The absence of entrance vulnerabilities such as windows or external hinges on entrance
    doors to the Data Center.
  - Data Centers should be sited away from public areas or direct approach by public
    vehicles.
Control Standards - Business Unit Network Server Physical Access
Local area networks (LANs) utilized by the business units to accomplish their functions
should have the following physical access control standards applied:
- Network servers must be located in an area free from physical dangers (e.g., high traffic
  areas, water leaks, fire hazards, etc.).
- Access to the servers must be physically restricted to authorized personnel (network
  administrators) by locating them in a closed area (e.g., a locked office). Additionally,
  unauthorized system access via bypass booting of the server (to defeat password
  authentication) must be prevented.
- Software scheduled to be installed on the network server must be scanned for viruses on a
  separate machine before being loaded.
- All equipment should be maintained as defined in the manufacturer's guidelines.

Control Standards - Business Unit End User Workstation Physical Access
- Workstations must be located in an area free from physical dangers (e.g., high traffic
  areas, water leaks, fire hazards, etc.).
- Workstations connected to the network must store sensitive information on file server
  drives and not local drives. Information stored on floppy disks must be physically secured
  in a manner appropriate to its sensitivity level.
- Software to be used on the workstation must be scanned for viruses.
- All equipment should be maintained as defined in the manufacturer's guidelines.


Control Standards - End User Portable Laptop Computers Physical Access
- Due to the high risk of loss due to portability, laptop computers must be traceable to
  individual users, and sensitive data (to the extent possible) must NOT be stored on the
  unit's permanent disk drive.
- Portable laptop computers containing highly sensitive data (non-disclosure) must be
  protected using a PC Security/Disk Encryption Package.
- All portable laptops should be physically secured via an appropriate security device or
  locked away in a desk or cupboard during any period that the unit is left unattended
  (normal business hours inclusive).
- All portable computers that are used for company business must have a "Power-On"
  password set. The use of passwords must follow the guidelines specified in this
  document.
- When traveling, laptops and media should be carried as hand luggage and should not be
  left unattended in public places.
- All equipment should be maintained as defined in the manufacturer's guidelines.

Environmental Threats and Controls
Backup Power for Power Outage Situations
Server and Network computer systems and their supporting infrastructure (air conditioning
systems and security alarm systems where applicable) must have a dependable, consistent
electrical power supply that is free from surges and interference that could affect operation of the
equipment. Backup power is necessary to ensure that computer services are in a constant state of
readiness and to help avoid damage to equipment if normal power is lost. A backup
Uninterruptible Power Supply (UPS System) must be utilized for the computer systems and
supporting equipment.
Where appropriate, generators and batteries must also be employed to ensure survivability of
operations. In areas susceptible to outages of more than 15 to 30 minutes, diesel generators are
recommended. Backup power facilities must be regularly tested to ensure reliable functionality.
Emergency Power-off Switches
In data centers, emergency power-off switches that shut off all power supplies must be installed
and be readily accessible, with posted notices showing their location. Where justified, the use of
these switches must be protected against unauthorized physical access.
Emergency Lighting
In data centers and network server closed areas, automatic emergency lighting should be
provided for use during power outages.

Water Sensors and Temperature/Humidity Alarms
The computer environment should be protected from all forms of water, temperature and
humidity damage. Locations with the potential for water damage must be avoided when selecting
information processing areas (e.g., locations below/around level, or those under sewer lines,
showers, cafeterias, or similar facilities where water or drainage malfunctions could occur). In
data center environments, sensors and alarms must be installed to monitor the environment
surrounding the equipment to ensure that air, humidity and cooling water temperatures remain
within the levels specified by equipment design. Water sensors should be placed in the floor and
ceiling to ensure leakage detection. If proper conditions are not maintained, alarm systems
should be configured to summon operations and maintenance personnel to correct the situation
before a business interruption occurs.
Fire Detection and Suppression Controls
Measures should be taken to minimize the risks and effects of a fire occurring within the
information processing areas, or from spreading into these areas from an adjoining location.
Hazardous and combustible materials should be stored securely at a safe distance from the Data
Center. Computer supplies, such as stationery, should not be stored within the computer room.
The degree of automatic fire detection and suppression mechanisms deployed depends upon the
criticality of the operation attributed to the information processing system. Data centers should
have approved inert-gas-based suppression systems and heat sensors installed, while closed area network
server rooms may only have smoke detectors and fire extinguishers. Regardless, fire detection
and suppression mechanisms must be utilized in the information processing areas. Where
possible, detection devices must notify appropriate personnel.
Site Construction Capabilities
The building which contains the information processing areas must minimally conform to local
construction regulations especially with regard to natural physical security threats (fire, flood,
earthquake, hurricane, etc.). Selection of new sites must consider the presence of such threats and
avoid high risk conditions where possible.
6. Logical Security:

Computers must have the most recently available and appropriate software security patches,
commensurate with the identified level of acceptable risk. For example, installations that allow
unrestricted access to resources must be configured with extra care to minimize security risks.
Adequate authentication and authorization functions must be provided, commensurate with
appropriate use and the acceptable level of risk.

Attention must be given not only to large systems but also to smaller computers which, if
compromised, could constitute a threat to bank resources, including computers maintained for a
small group or for an individual's own use.

Identification and Authentication
Identification is the process of uniquely distinguishing one User from another to establish
accountability. Authentication is the process of verifying the identity of a User. This can be
accomplished by a password or PIN.
The general requirements for Identification and Authentication are as follows:
1. Each User must be uniquely identified. For example, a user ID must not be assigned to
more than one person.
2. A User should not be assigned more than one user ID on the same application.
3. Each User must be identified and authenticated before performing any actions on the
system.
4. The authentication process must be limited to a number of unsuccessful attempts
(maximum 3).
5. A user, user ID or account should not be able to log on to the same application/system
more than once at the same time, i.e. multiple concurrent logons with the same ID must not be
permitted.
6. Authentication information, e.g., password or PIN, must never be disclosed to another
User or shared among Users.
7. Passwords should not be recorded where they may be easily obtained.
8. Passwords are required to be a Minimum length of Eight (6) characters.
9. Passwords must contain at least one alphabetic and one numeric character.
10. Passwords must not be the same as the User identifier.
11. Passwords must not be easily guessable and must not be connected with the User in any
way.
12. Users need to change passwords within 30 to 90 days.
13. Branch Managers, Department Heads, and Supervisors should notify the IT Manager
promptly whenever an employee leaves the Bank or transfers to another
department/division/branch so that his/her access can be revoked.
14. System administrators are responsible for publicizing the procedure for changing
passwords.
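The requirements above translate directly into enforceable checks. The following is an added illustration, not ONE Bank's own code, showing one way to implement items 4, 5, 8, 9, 10, 11 and 12: a password validator, a lockout counter, a single-session rule and an age check. The function and field names, the salted PBKDF2 storage format, the choice to enforce the 90-day upper bound of the change window and the sample user are all assumptions.

```python
"""Password and logon checks that implement the Identification and
Authentication requirements listed above (items 4, 5, 8, 9, 10, 11 and 12).
Added illustration, not ONE Bank's own code; all names, the salted PBKDF2
storage format and the constructed sample values are assumptions."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

MAX_FAILED_ATTEMPTS = 3     # item 4: lock after three unsuccessful attempts
MIN_PASSWORD_LENGTH = 8     # item 8: minimum length of eight characters
MAX_PASSWORD_AGE_DAYS = 90  # item 12: the policy window is 30 to 90 days; the
                            # upper bound is what is enforced here (assumption)


def validate_password(password: str, user_id: str) -> list[str]:
    """Return the rules the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("too short (item 8)")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character (item 9)")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character (item 9)")
    if password.lower() == user_id.lower():
        problems.append("same as user identifier (item 10)")
    elif user_id.lower() in password.lower():
        # Partial check for item 11 ("not connected with the User in any way"):
        # a password that embeds the user ID is rejected.
        problems.append("contains the user identifier (item 11)")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    password_set_on: date
    failed_attempts: int = 0
    locked: bool = False
    logged_on: bool = False


def new_account(user_id: str, password: str, set_on: date,
                salt: bytes = b"constructed-demo-salt") -> Account:
    """Create an account, refusing any password that violates the policy."""
    problems = validate_password(password, user_id)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return Account(user_id, salt, hash_password(password, salt), set_on)


def password_expired(acct: Account, today: date) -> bool:
    """Item 12: true once the password is older than the enforced maximum age."""
    return today - acct.password_set_on > timedelta(days=MAX_PASSWORD_AGE_DAYS)


def attempt_logon(acct: Account, password: str, today: date) -> str:
    """Apply the logon rules in order and return the outcome as a short string:
    'locked', 'bad-password', 'already-logged-on', 'password-expired' or 'ok'."""
    if acct.locked:
        return "locked"
    candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # item 4: an administrator must unlock
            return "locked"
        return "bad-password"
    if acct.logged_on:
        return "already-logged-on"      # item 5: no concurrent logons per ID
    if password_expired(acct, today):
        return "password-expired"       # item 12: force a password change
    acct.failed_attempts = 0
    acct.logged_on = True
    return "ok"


if __name__ == "__main__":
    # Constructed sample: user "ob1234" with a compliant password set on 1 Jan.
    acct = new_account("ob1234", "Tk7pq2mz", date(2024, 1, 1))
    for guess in ("wrong1", "wrong2", "wrong3", "Tk7pq2mz"):
        print(guess, "->", attempt_logon(acct, guess, date(2024, 2, 1)))
    # prints bad-password, bad-password, locked, locked
```

Note that the third wrong guess locks the account and the correct password is then refused until an administrator resets it, which is the behaviour item 4 asks for.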


Data Integrity and Confidentiality
The goals of Data Integrity and Confidentiality are to ensure the continued availability and
accessibility of information, to reduce the risk that data may become corrupted by an external
influence such as a Virus; and to ensure that client confidentiality is maintained at all times.

Virus Protection
Computer viruses are programs designed to make unauthorized changes to programs and data.
Therefore, viruses can cause destruction of corporate resources. It is important to know that
computer viruses are much easier to prevent than to cure and defenses against computer viruses
include protection against unauthorized access to computer systems, using only trusted sources
for data and programs, and maintaining virus-scanning software.
Virus prevention technology (e.g., virus scanning software) must be implemented for any
platform susceptible to viruses. The following scanning procedures must be adhered to:
- The Information Technology Division shall install and maintain appropriate antivirus
  software on all computers.
- The IT division ensures that every day, at boot-up of the PC, memory and boot sector viruses
  will be scanned for. No files need to be scanned at this stage.
- The IT division shall configure a virus shield to scan all accessed files (network, hard disk or
  floppy disk) whilst the operating system (e.g. Windows) is running.
- Employees shall not knowingly introduce a computer virus into Bank computers.
- Employees shall not load diskettes of unknown origin.
- Each user shall scan all files of the PC once a week.
- Laptop users should be able to break out of the weekly full file scan so that they can opt
  to run the scan when they are not using their internal batteries. Laptop users should be
  educated about the need to run a full virus scan at least once a week. If a user does
  break out of a full scan, the PC should continue to try and run a scan every time the PC
  is booted until a full scan has been completed.
- File servers should be configured to scan all files on access.
- Weekly scans should be undertaken of all file server files.
- Laptop users should be notified by e-mail whenever virus signature files need to be
  updated. The update process should be performed automatically when the laptop is
  connected to the LAN.

Spyware Protection
Spyware and adware can compromise system performance and allow sensitive information to be
transmitted outside the organization. Spyware installation programs can launch even when users
are performing legitimate operations, such as installing a company-approved application. As a
result, combating spyware requires user vigilance as well as IT management and control. The
following control mechanisms must be adhered to:
- The Information Technology division shall install and update appropriate anti-spyware
  software on all computers.
- The IT division shall respond to all reports of spyware installation, remove spyware
  modules, restore system functionality, and document each incident.
- Employees shall not knowingly allow spyware to install on company computers.
- Employees shall run anti-spyware programs regularly, as directed by the IT division.

Data Encryption
Encryption is one of the most powerful methods of protecting data. It is the process of making
readable information unreadable through a sophisticated mathematical conversion process. It is
important for both data transmission and data storage. Encryption is critical for transmission
whenever sensitive data is being transmitted over an insecure network such as the Internet. It is
important for storage whenever the data is subject to compromise. It is wise to encrypt stored
data when a machine is shared between multiple users and for laptops, which are often a target for
thieves.
- Proven, standard algorithms such as DES, Blowfish, RSA, RCS and IDEA should be
  used as the basis for encryption technologies.
- Key length should be carefully evaluated in light of the algorithm in use and the value of the
  data or system being protected. Moreover, all encryption mechanisms implemented to
  comply with this policy must support a minimum industry standard key length.

Information Disclosure
The Bank reaffirms its commitment to transparency and accountability in all of its activities.
Information concerning the Bank and its activities will be made available to the public in the
absence of a compelling reason for confidentiality. Some restrictions on availability to the public
of Bank information are necessary to ensure the effective functioning of the Bank and the need to
avoid material harm to the business and competitive interests of the Bank's clients. General
controls on information disclosure are as follows:
- Documents and information prepared by the Board of Directors, the management and
  staff (including consultants and advisors) of the Bank for internal use are confidential in
  nature and will not be made available to the public.
- Privileged information such as legal advice and matters in legal dispute or under
  negotiation are confidential in nature and will not be made available to the public.
- The Bank receives some documents and information from outside parties with the
  explicit or implicit understanding that their distribution within the Bank will be limited,
  that they will not be disclosed outside of the Bank, or that they may not be disclosed
  outside of the Bank without the express consent of the source. The Bank will respect such
  understandings and act accordingly.
- Internal financial information which may affect the Bank's activities in capital and
  financial markets or to which such markets may be sensitive, including, but not limited
  to, liquidity investments, estimates of future borrowings and redemptions of borrowings,
  expected rates of interest, rates of return and financial ratios, financial forecasts and
  models, and documents dealing with financial matters not yet approved by the
  corresponding Bank authorities shall not be made public.
- The Bank, as a financial institution promoting the development of and investment by
  private sector enterprises, has a duty to its clients to respect their confidential business
  information. Accordingly, financial, business or proprietary documents or information of
  private sector entities received by the Bank will not be disclosed, unless permission is
  given by those private sector entities to release such information to the public.
- The Bank will not disclose documents, reports or communications in circumstances
  where disclosure would violate applicable law, such as restrictions imposed by securities
  or banking laws, or could subject the Bank to undue litigation risk.
- Applications must be designed and computers must be used so as to protect the privacy
  and confidentiality of the various types of electronic data they process, in accordance
  with applicable policies.
- Users who are authorized to obtain data must ensure that it is protected to the extent
  required by policy after they obtain it. For example, when sensitive data is transferred
  from a well-secured server system to a User's location, adequate security measures must
  be in place at the destination computer to protect this "downstream data".
7. Email Security:
Email is electronic mail, using computers to transmit messages via data communications to
electronic "mailboxes". Email is a corporate asset and a critical component of the Bank's
communication systems. The Email system is provided by the Bank for employees to facilitate the
performance of bank work, and its contents are the property of the Bank. Although the Bank does
not make a practice of monitoring these systems, management reserves the right to retrieve the
contents for legitimate reasons, such as to find lost messages, to comply with investigations of
wrongful acts or to recover from system failure. The following guidelines apply equally to all
individuals granted access privileges to any ONE Bank information resource with the capacity to
send, receive, or store electronic mail:
Personal use of Email by employees is allowable but should not interfere with or conflict
with business use. Employees should exercise good judgment regarding the
reasonableness of personal use.
Employees and authorized users are responsible to maintain the security of their account
and their password. They should change their password quarterly and take precautions to
prevent unauthorized access to their mailbox by logging off when possible if their
terminal is unattended.
Electronic mail users must not give the impression that they are representing, giving
opinions, or otherwise making statements on behalf of ONE Bank Limited or any unit of
the Bank unless appropriately authorized (explicitly or implicitly) to do so. Where
appropriate, an explicit disclaimer will be included unless it is clear from the context that
the author is not representing the Bank. An example of a simple disclaimer is: "the
opinions expressed are my own, and not necessarily those of my employer."
Individuals must not send, forward or receive confidential or sensitive ONE Bank
information through non-ONE Bank email accounts. Examples of non-ONE Bank
email accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, and
email provided by other Internet Service Providers (ISPs).
The following activities are prohibited by policy:
Sending email that is intimidating or harassing.
Using email for conducting personal business.
Using email for purposes of political lobbying or campaigning.
Violating copyright laws by inappropriately distributing protected works.
Posing as anyone other than oneself when sending email, except when authorized to send
messages for another when serving in an administrative support role.
The use of unauthorized e-mail software.
Sending unsolicited messages to large groups except as required to conduct usual bank
business.
Sending excessively large messages.
Sending or forwarding email that is likely to contain computer viruses.
Sensitive information (client details and corporate confidential) being sent via E-Mail
should be sent as an attachment and not as part of the body of the message.
Attachments including client or corporate sensitive information should be password
protected.
All messages which have attachments containing client or corporate sensitive information
should be transmitted using the "Return Receipt" and "High" Priority options set.
Password secure attachments should have their passwords transmitted to the recipient in a
secure manner. The password should not be included as part of the Message text or sent
to a fax machine, but should ideally be telephoned through to the recipient in person.
All passwords used for message encryption must follow the standards relating to
password definition detailed earlier in this document.
The identity of the sender of an incoming message must be clearly established as trusted
before the message is copied to any ONE Bank internal network.
All incoming files must be specifically virus checked.
For important items, acknowledgement of the e-mail must be done so that the sender can
be assured that his/her email is not lost.
While composing email, punctuation and spelling must be checked carefully as it can
reflect on the organization's reputation.
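The attachment rules above (sensitive content as a password-protected attachment rather than in the body, the password never in the message text, Return Receipt and High priority set) can be checked automatically on outbound mail. The following is an added example written for this page, not the Bank's own code; the sensitivity markers, the header names used for receipt and priority, and the choice to treat only ZIP archives with the encryption flag as "password protected" are assumptions made for the example.

```python
"""Outbound e-mail policy check (added example, not ONE Bank code).

Assumptions: sensitive content is recognised by a few constructed markers,
"password protected" means a ZIP archive whose entries carry the encryption
flag, Return Receipt is the Disposition-Notification-To header and High
priority is X-Priority: 1.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed markers for client / corporate sensitive content.
SENSITIVE_MARKERS = re.compile(r"\b(account\s*no|client\s*list|confidential)\b", re.I)
PASSWORD_IN_TEXT = re.compile(r"\bpassword\s*(is|:)\s*\S+", re.I)


def zip_is_encrypted(data: bytes) -> bool:
    """True when every entry has the ZIP general-purpose 'encrypted' flag (bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False
    return bool(infos) and all(zi.flag_bits & 0x1 for zi in infos)


def check_outbound(raw: bytes) -> list:
    """Return policy findings for one RFC 5322 message; empty list = compliant."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if SENSITIVE_MARKERS.search(text):
        findings.append("sensitive content in message body; send it as an attachment")
    if PASSWORD_IN_TEXT.search(text):
        findings.append("attachment password included in the message text")
    attachments = list(msg.iter_attachments())
    for part in attachments:
        if not zip_is_encrypted(part.get_payload(decode=True) or b""):
            findings.append(f"attachment {part.get_filename()} is not password protected")
    if attachments:  # rules that apply to messages carrying sensitive attachments
        if msg.get("Disposition-Notification-To") is None:
            findings.append("Return Receipt option not set")
        if msg.get("X-Priority") != "1":
            findings.append("High priority option not set")
    return findings


def plain_zip(name: str, content: bytes) -> bytes:
    """Constructed, unencrypted ZIP archive holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set flag bit 0 in the local and central headers so the archive reads as encrypted.

    zipfile cannot write password-protected archives, so this constructed helper
    only flips the flag for the demo; the data itself is not encrypted.
    """
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        while i != -1:
            data[i + off] |= 0x01
            i = data.find(sig, i + 4)
    return bytes(data)


def build_message(body: str, attachment: bytes, receipt: bool, high: bool) -> bytes:
    """Constructed message with one ZIP attachment and optional policy headers."""
    msg = EmailMessage()
    msg["From"] = "officer@bank.example"  # constructed addresses
    msg["To"] = "client@client.example"
    msg["Subject"] = "Statement"
    if receipt:
        msg["Disposition-Notification-To"] = "officer@bank.example"
    if high:
        msg["X-Priority"] = "1"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg.as_bytes()


def demo() -> dict:
    """One non-compliant and one compliant constructed message."""
    archive = plain_zip("statement.txt", b"constructed client statement")
    bad = build_message("Client list attached. The password is Winter2024.", archive, False, False)
    good = build_message("Please find the statement attached.", mark_encrypted(archive), True, True)
    return {"bad": check_outbound(bad), "good": check_outbound(good)}
```

The non-compliant message produces one finding per broken rule (five in total), while the compliant one produces none; in practice the same check would run on the mail gateway before a message leaves the Bank.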
8. Internet Security:
The Internet provides a source of information that can benefit every professional discipline. It is
comprised of thousands of interconnected networks which provide digital pathways to millions
of information sites. Because these networks subscribe to a common set of standards and
protocols, users have worldwide access to Internet hosts and their associated applications and
databases. While the use of the Internet can boost employees' job efficiency and improve the
Bank's performance, there are also risks of improper use. This policy intends to provide
employees with a guideline about which uses of the Internet are proper and which uses are
improper.
Internet facilities should be provided only to limited personnel such as Branch Managers,
Divisional Heads and officials specifically authorized by managers or divisional heads.
ONE Bank Limited provides computers and Internet connections ("facilities") to further
its business interests. Use of such facilities other than for the Bank's business is strictly
prohibited. The Bank has the right, but not the duty, to monitor all communications and
downloads that pass through its facilities, at its sole discretion.
During working hours, access job-related information, as needed, to meet the
requirements of the job.
During working hours, participate in news groups, chat sessions, and E-mail discussion
groups (list servers), provided these sessions have a direct relationship to the user's job
with the Division / Branch. If personal opinions are expressed, a disclaimer should be
included stating that this is not an official position of the Division / Branch.
Employees are prohibited from initiating non work-related Internet sessions using Bank's
information resources.
Downloading a file from the Internet can bring viruses with it. Scan all downloaded files
with the standard virus prevention software provided by the Information Technology Division.
Unless otherwise noted, all software on the Internet should be considered copyrighted
work. You may not download or use material from the Internet or elsewhere in violation
of software licenses, or the copyright trademark and patent laws. You may not install or
use any software obtained over the Internet without written permission from the Systems
Administrator.
If you observe or learn about a violation of this policy, you must report it immediately to
your supervisor, or to the Systems Administrator.
All software used to access the Internet shall be configured to use the firewall http proxy.
No offensive or harassing material may be made available via ONE Bank's Web sites.
No personal commercial advertising may be made available via ONE Bank's Web sites.
Sensitive information such as passwords and credit card numbers should not be sent via
the Internet unless encrypted.
9. Network Security:
The network security policy is intended to protect the integrity of bank networks and to mitigate
the risks and losses associated with security threats to bank networks and network resources.
Attacks and security incidents constitute a risk to the Bank's business mission.
The Network Department of the Information Technology Division is responsible for the Bank's
network infrastructure and will continue to manage further developments and
enhancements to this infrastructure.
The network addresses for the supported protocols are allocated, registered and
managed centrally by the Network Department of the Information Technology Division.
Core Banking System (CBS) should run on separate LAN and should not be mixed with
the common LAN used for office work.
Network managers will implement appropriate controls to ensure that connected users or
computer services do not compromise the security of any other networked service.
Network cabling should be installed and maintained by qualified engineers to ensure the
integrity of both the cabling and the wall mounted sockets. Any unused network wall
sockets should be sealed-off and their status formally noted.
The Network Manager is responsible for conducting periodic reviews of implemented security
plans, measures, procedures and controls.
The Network Manager must initiate an investigation of any suspected security breach of the
Bank's network and is responsible for documenting the suspected breach and the actions
taken.
Network equipment must be kept in a locked environment, only accessible by authorized
systems support personnel.
Firewalls must be installed and configured.
Proxy server must be installed and configured to allow users to surf the web and e-mail
anonymously.
Users are permitted to use only those network addresses issued to them by the Network
Department of the Information Technology Division.
Users must not extend or re-transmit network services in any way. This means users must
not connect a router, switch or hub to the Bank's network without approval from the Network
Department of the Information Technology Division.
Users are not permitted to alter network hardware in any way.
Users must not download, install or run security programs or utilities that reveal
weaknesses in the security of the system. For example, users must not run password
cracking programs, packet sniffers, network mapping tools, or port scanners while
connected in any manner to the Bank's network infrastructure.
10. Disaster Recovery:
Disaster recovery and business continuity refers to an organization's ability to recover from a
disaster and/or unexpected event and resume and continue operations. Organizations should have
a plan in place (usually referred to as a "Disaster Recovery Plan", or "Business Continuity Plan")
that outlines how this will be accomplished.
Disaster Recovery Plan
There must be a separate Disaster Recovery Site, other than the production site, which is at
least 10 km away from the production site.
The Information Technology Division should develop a comprehensive disaster recovery
plan. The plan will cover the following:
1. Identification and prioritization of critical business processes.
2. Identification and agreement of all responsibilities and emergency arrangements for
business continuity planning and recovery.
3. 'Call Tree' and contact details.
4. Documentation of workarounds (electronic and manual) and/or rectification
procedures, and a linkage to any relevant reference material or documents.
5. Appropriate education of staff in the execution of the agreed emergency procedures
and processes.
6. Checklists and procedure guidelines to assist various divisions and branches to
recover from a crisis or disaster.
7. Testing of the plans.
8. Updating of the plans.

A formal risk assessment should be undertaken in order to determine the requirements for
the disaster recovery plan.

The disaster recovery plan should be periodically tested in a simulated environment to
ensure that it can be implemented in emergency situations and that the management and
staff understand how it is to be executed.
The disaster recovery plan should cover all essential and critical business activities.
The disaster recovery plan is to be kept up to date to take into account changing
circumstances.
All staff must be made aware of the disaster recovery plan and their own roles within it.
Data Backup
The goals of Backup are to:
1. Ensure the continued availability and accessibility of information;
2. Minimize the cost of a disruption, e.g., operational error, disaster, or sabotage that
causes damage to, or destruction of information; and
3. Provide duplicate up-to-date information for recovery purposes with the same level of
integrity and quality
Backup copies of information must be stored off-site at a geographically separate and
safe facility, far enough away from the main site, such that a disaster there is unlikely to
affect the safe store.
Where practical, at least one backup copy must remain on-site for time critical delivery.
The frequency and extent of backups must be in accordance with the importance of the
information. The backup cycle may be daily, monthly or yearly.
Tapes should be sent off-site as soon as possible after the backups have been taken, and
NOT left on-site till the next day.
When the technology used to process, store, or communicate information is changed,
backup procedures must also be updated.
Backups must be periodically tested to ensure that they are recoverable.
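The backup goals listed above (availability, and duplicate information "with the same level of integrity") and the requirement that backups be periodically tested can be turned into a routine restore test: record a digest of every file when the backup is taken, restore the set to a scratch location, and compare. The following is an added example written for this page, not the Bank's own backup procedure; it assumes file-based backups and a manifest file named MANIFEST.json stored inside the backup set, and the sample data it creates is constructed.

```python
"""Backup manifest and restore verification (added example, not ONE Bank code).

Assumed model: a backup job writes a SHA-256 manifest into the backup set; a
periodic restore test restores the set to a scratch directory and compares it
with the manifest, so both accessibility and integrity are checked.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the manifest file


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record the relative path and SHA-256 of every file under source."""
    files = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            files[p.relative_to(source).as_posix()] = sha256_of(p)
    return {"files": files}


def take_backup(source: Path, backup: Path) -> dict:
    """Copy source to backup and write the manifest into the backup set."""
    shutil.copytree(source, backup, dirs_exist_ok=True)
    manifest = build_manifest(source)
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup: Path, restore_to: Path) -> dict:
    """Restore the backup to a scratch directory and compare it with the manifest.

    Returns {"missing": [...], "corrupt": [...], "ok": n}; empty missing and
    corrupt lists mean the set is recoverable with full integrity.
    """
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    shutil.copytree(backup, restore_to, dirs_exist_ok=True)
    missing, corrupt, ok = [], [], 0
    for rel, digest in manifest["files"].items():
        restored = restore_to / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_of(restored) != digest:
            corrupt.append(rel)
        else:
            ok += 1
    return {"missing": missing, "corrupt": corrupt, "ok": ok}


def demo() -> tuple:
    """Constructed scenario: a clean backup passes; a damaged copy is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "cbs_data"
        (src / "ledgers").mkdir(parents=True)
        (src / "ledgers" / "gl.dat").write_bytes(b"constructed ledger bytes")
        (src / "customers.csv").write_text("id,name\n1,constructed\n")

        backup = root / "backup_set"
        take_backup(src, backup)
        good = verify_restore(backup, root / "restore_good")

        # Simulate media damage on the backup copy: one file truncated, one lost.
        (backup / "ledgers" / "gl.dat").write_bytes(b"constructed")
        (backup / "customers.csv").unlink()
        bad = verify_restore(backup, root / "restore_bad")
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The restore test is the part that matters: a backup that is never restored only proves that the copy job ran, not that the data can be brought back. Keeping the manifest with the off-site copy also lets the off-site store be checked without the production system.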
11. Change Request Management:
The Information Technology (IT) infrastructure at ONE Bank Limited is expanding and
continuously becoming more complex. From time to time each Information Resources (IR)
element requires an outage for planned upgrades, maintenance or fine-tuning. Additionally,
unplanned outages may occur that result in upgrades, maintenance or fine-tuning.
As the interdependency between Information Resources grows, the need for strong change
management process is essential. Managing these changes is a critical part of providing a robust
and valuable IT infrastructure. The purpose of the Change Management Policy is to manage
changes in a rational and predictable manner so that staff and clients can plan accordingly.
Every change to a ONE Bank Information Technology resource such as: operating
systems, computing hardware, networks, and applications are subject to the Change
Management Policy and must follow the Change Management Procedures.
A Change Management Committee will meet regularly to review change requests and to
ensure that change reviews and communications are being satisfactorily performed.
A formal written change request must be submitted for all changes, both scheduled and
unscheduled.
All scheduled change requests must be submitted in accordance with change management
procedures so that the Change Management Committee has time to review the request,
determine and review potential failures, and make the decision to allow or delay the
request.
Each scheduled change request must receive formal Change Management Committee
approval before proceeding with the change.
The appointed leader of the Change Management Committee may deny a scheduled or
unscheduled change for reasons including, but not limited to, inadequate planning,
inadequate back out plans, the timing of the change will negatively impact a key business
process such as year-end accounting, or if adequate resources cannot be readily available.
Adequate resources may be a problem on weekends, holidays, or during special events.
A Change Review must be completed for each change, whether scheduled or
unscheduled, and whether successful or not.
A Change Management Log must be maintained for all changes. The log must contain,
but is not limited to:
1. Date of submission and date of change
2. Owner and custodian contact information
3. Nature of the change
4. Indication of success or failure
Status of all change requests must be notified to Help Desk.
Changes must not be incorporated into the production environment unless a proper User
Acceptance Test has been done.
Testing should be done in a separate test environment.
All software patches and upgrades supplied by a vendor must be deployed in the test
environment before being implemented in the production environment.
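The log fields and gating rules in this section (required log entries, a written request for every change, Committee approval before a scheduled change proceeds, UAT in a separate environment before production, and a Change Review for every change) can be checked mechanically over the Change Management Log. The following is an added example written for this page, not the Bank's own tooling; the record format, field names and the two sample records are assumptions constructed for the example.

```python
"""Change Management Log validator (added example, not ONE Bank code).

The record layout is assumed: each change is a dict with the fields used
below. The rules are the ones stated in the Change Request Management policy.
"""
from datetime import date

# Fields the policy says the log must contain (dates, owner and custodian
# contacts, nature of the change, success or failure).
REQUIRED_FIELDS = ("id", "submitted", "changed", "owner_contact",
                   "custodian_contact", "nature", "outcome")


def validate_change(rec: dict) -> list:
    """Return the list of policy violations for one change record."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            problems.append(f"missing log field: {field}")
    if not rec.get("written_request"):
        problems.append("no formal written change request")
    if rec.get("scheduled"):
        approved, changed = rec.get("approved_on"), rec.get("changed")
        if approved is None:
            problems.append("scheduled change without Committee approval")
        elif changed and approved > changed:
            problems.append("Committee approval recorded after the change was made")
    if rec.get("target") == "production":
        if not rec.get("uat_passed"):
            problems.append("production change without User Acceptance Test")
        if rec.get("test_env") == "production":
            problems.append("testing done in production, not a separate test environment")
    if not rec.get("reviewed"):
        problems.append("no Change Review completed")
    return problems


def audit_log(records) -> dict:
    """Map each change id to its violations; an empty list means compliant."""
    return {r.get("id", "?"): validate_change(r) for r in records}


# Constructed sample log: one compliant vendor patch and one rushed hotfix.
SAMPLE_LOG = [
    {"id": "CR-001", "submitted": date(2024, 3, 1), "changed": date(2024, 3, 8),
     "owner_contact": "ops-owner@bank.example", "custodian_contact": "dba@bank.example",
     "nature": "Vendor patch for CBS", "outcome": "success", "written_request": True,
     "scheduled": True, "approved_on": date(2024, 3, 5), "target": "production",
     "uat_passed": True, "test_env": "uat", "reviewed": True},
    {"id": "CR-002", "submitted": date(2024, 3, 10), "changed": date(2024, 3, 10),
     "owner_contact": "branch@bank.example", "custodian_contact": "",
     "nature": "Hotfix on report server", "outcome": "failure", "written_request": False,
     "scheduled": False, "target": "production", "uat_passed": False,
     "test_env": "production", "reviewed": False},
]

if __name__ == "__main__":
    for cid, problems in audit_log(SAMPLE_LOG).items():
        print(cid, problems or "compliant")
```

Running the validator over the log before each Committee meeting surfaces the records that cannot be closed, and a failed or unscheduled change still has to carry a review and a written request.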

12. Hardware Management:
As hardware technology rapidly advances, it becomes increasingly important for the Bank to
remain as up-to-date as possible. Although there may be some usefulness for legacy machines,
computer systems older than three years should be seriously considered for replacement. Older
systems are often more expensive in the long run than purchasing a new replacement machine.
This is due to the cost of maintenance and the replacement of non-warranty parts.
Computer equipment is easily damaged, destroyed or rendered inoperable due to
incorrect installation of hardware. Even the simplest modification may turn out to be an
expensive disaster. Employees of the Bank must contact the Information Technology
Division for all computer hardware changes.
Information Technology staff will make every effort to repair broken or malfunctioning
equipment on site at no expense to the Bank. If Information Technology staff is unable to
repair equipment internally, it may choose either to send the component out for repair or
to have someone come on site. If repair is found to be "not economically feasible", the
equipment must be replaced.
Any portable media viz. flash drive, Floppy drive, CD drive and DVD drive should be
disabled in the machine running CBS. In case of any need to use the above mentioned
media, prior written approval needs to be obtained from Information Technology
Division Head.
Although the difficulty or ease of an installation process may vary dramatically, the
Information Technology staff is responsible for all installations.
All information system hardware faults are to be reported promptly and recorded in a
hardware fault register.
Deliberate or accidental damage to Bank property must be reported to the nominated
information technology personnel as soon as it is noticed.
All hardware procurement must comply with the Procurement Policy of the Bank.
Adequate insurance coverage should be provided under the Bank's insurance policies so
that the costs of loss of or damage to IT hardware assets are minimized.
Hardware documentation must be kept up-to-date and readily available to the staff who
are authorized to support or maintain systems.
A formal Hardware Inventory of all equipment is to be maintained and kept up to date at
all times.
Only authorized personnel are permitted to take equipment belonging to the organization
off the premises; they are responsible for its security at all times.
Equipment owned by the Bank may only be disposed of by authorized personnel who
have ensured that the relevant security risks have been mitigated. Security Issues to be
considered include the following:
1. Legacy data from old systems can still remain accessible and thus compromise the
confidentiality of information.
2. Equipment used periodically but infrequently may be disposed of accidentally.
3. During the legitimate disposal of unwanted equipment other items can be lost or
stolen.
All equipment owned, leased or licensed by the Bank must be supported by appropriate
maintenance facilities from qualified engineers.
13. System Development and Testing:
All in-house development and testing needs to be done according to the following procedure:
Project initiation
A letter prepared by the user and duly signed by his division head / branch manager should be
addressed to the department head of IT Division for commencing any in house software
development project.
The letter should be supplemented with:
Domain Overview
This should describe the procedures of the manual operations to be automated and purpose of the
activity.
Feature List
This should define the features and functionalities to be accommodated in the software.
Possible Inputs
It should give the input parameters, their data types and any constraints regarding input.
Expected output
Reports and other output formats should be specified here.
Related references (if any)
At this stage Head of IT would designate a person to review the user requirements and decide
about the feasibility of the project.
Development Tools Selection
Once the project is found to be feasible project development tools are decided.
Team Assignment
The Head of IT then assigns a team with members having knowledge of the tools. A team leader is
also selected, preferably the one who did the initial feasibility survey and analysis of the
project.
If the project team consists of more than one person then the team members can be assigned
specific jobs such as database developer, GUI builder, business logic developer and tester.
It is suggested that if the project is not too small then the team should consist of at least two
persons. The tester should not be a member of the development team but separate entity. Any
member of the development team can perform more than two roles at the same time except
tester. A typical example for clarification is that Mr. X can be GUI Builder as well as Business
logic developer for the same project but cannot be tester for that particular project.
Preliminary Analysis
The Project Head then calls a meeting with the relevant people (users) and, if necessary, the
heads of the department(s) concerned to discuss the detailed requirements for the
project. After the meeting the Project Head, with the help of the project team, would prepare a
requirement analysis report. This document should include:
Project Overview
This should elaborate about the concept of the project in detail.
Functionality List
It should describe the functions, procedures and business logic of the project.
Sample Reports
If possible all reports format should be given.
Sample Screen Shots
Applicable for large projects but not mandatory if time constraint is high.
Development Tools
Should elaborate the DBMS, Report Designer and other tools to be used in the project.
Deployment Environment
Would provide the Hardware, Software and Network requirement for deploying the project.
Risk- Factors and constraints
This list should elaborate on the weak points, dependencies and other causes that can
hamper or stop the development of the project. The Project Head would then sit with the
requirement analysis report and the users, discuss it with them, modify it if necessary after the
users' feedback and get it signed by the user and his department head.
Project Plan Preparation
Once this is done the PL would arrange another meeting with his team and prepare a project plan
and schedule with specific time frame. The plans and schedule should be approved by the IT
Head. The project plan should have:
i) System Analysis phase
ii) System Development phase
iii) Coding phase
iv) Integration and testing phase
The entire project should be broken down into smaller modules (which may be defined as jobs) and
the schedule for each job should be detailed with the name of the person designated to
accomplish the job.
System Design Documentation
This document would be used only for the internal purposes of the IT Division. Since the Bank is
not a software development firm, this documentation imposes no rule and is not mandatory.
Depending on the time constraint, the contents of the document should be fixed. This
documentation may include:
Use Case Diagram
Class Diagram
Database Schema
DFD
ERD
Data Dictionary

Coding
Software code and documents should be kept in a dedicated repository machine using Source
Safe or CVS and a common directory structure should be maintained in the following manner:
Project Name
Docs (all documents related to project)
Design (all design documents, i.e. ER, DFD, class, use case, architectural)
Development (all source code)
Database (db-script and data-script)
Misc (other documents i.e. third party tools etc.)
A proprietary heading should be written at the top of all source files. A sample is given below:
Name of the File : [File Name with extension]
Author : [Name of the programmer]
Created On : [Date & Time]
Change History
Modified By : [Name of the Programmer]
Modified On : [Date & Time]
Modification Purpose
Version No. : [Version No.]
Purpose of the Module
Copyright : ONE Bank Limited All rights Reserved.
Warning:
This computer program is protected by copyright law and should be treated as
confidential information. Unauthorized reproduction or distribution of this program, or
any portion of it, may result in severe civil and criminal penalties, and will be prosecuted
to the maximum extent possible under the law.
Proper inline documentation of the coding should be done and is the responsibility of the
programmer. If any modification is done in the code it should be reasonably detailed.
Testing
There should be three steps of testing of the deliverable. These are:
Unit Test
This test is done by the developer and should be completed before Integration test and UAT.
Integration Test
The designated tester would be responsible for this job. He should prepare a bug list and forward
it to the Project Head. The Project Head then assigns someone among the developers to fix the
bug. After the bug is fixed it is retested by the tester. If the tester is satisfied he should
inform the Project Head. A sample bug list is given below (column headings):

Sl. No. | Description | Scenario | Report Date | Severity (1-5) | Bug Fixer | Status | Fix Date


UAT

UAT should be done by the user with the assistance of developers. Once he is satisfied he should
recommend his department head for signing off the project.

Data Migration
IT Department would be responsible for creating script of data conversion, but users must
provide correct data so that it can be flawlessly accommodated in the new database.

Backup Policy
Source code of the project should be updated on a weekly basis into the repository and other
documents on a monthly basis.

Deployment
Once the UAT is over, a copy of the software (only executables) is installed on the production
machine after all required environmental setup. Managing the environment (hardware and third
party software) is the users' responsibility, and configuring the hardware and installing the third
party software (OS, DBMS etc.) and the developed software is the responsibility of the IT Division.
A document detailing the environment prerequisites for installation should be specified and
provided to the user.

Security Measures

i) A dedicated machine should be used as the software code and documentation
repository.
ii) Visual Source Safe (VSS) or CVS should be used to control the development of the
project.
iii) VSS domain users should be created. Developer should be authorized only with read
and write permission.
iv) After project deployment write permission should be withdrawn for developers.
v) No copy of the software can be made except for the purpose of development.
vi) After development of the software all copies except the backup kept in the repository
and the production copy should be deleted from repository.
vii) There should be a single exit point for copying the software.
viii) All coding and documentation should have one printed copy (hard copy) and must
be kept under direct supervision of Head of IT Division.



14. Internet Banking:

Through Internet Banking our customers will have access to the environment of our Core Banking
System; therefore, the System Administrator will put in place appropriate controls to protect the
network and systems from unauthorized access, fraudulent activity, contract dispute and
unapproved disclosure/modification of information / instructions passing over public networks.
The controlling measures will cover the following:

Network and Database Administrator of Information Technology Division will be
responsible for the security of Bank's Internet Banking Application Software.

Information Technology Division will introduce logical access controls to data, systems,
application software, database, utilities, telecommunication lines, etc. Logical access
control techniques should include user-ids, passwords, biometrics technologies or other
industry standards.

Network and Database administrator will ensure real time security log to identify/prevent
unauthorized access.

The Network Administrator will introduce technology security protocols for Internet Banking
solutions such as PKI (Public Key Infrastructure), SSL (Secure Sockets Layer), 2-FA (Two
Factor Authentication), RSA, VASCO etc. as applicable and feasible.

The Network Administrator will be responsible for acquiring tools for monitoring systems and
the networks against intrusions and attacks, with due approval.

The Information Security Officer, system auditor or any other official entrusted with similar
responsibility will carry out the following periodic tests on an ongoing basis at a frequency
approved by the Head of the Information Technology Division.

a) Attempting to guess passwords using password-cracking tools.
b) Searching for back door traps in the programs.
c) Attempting to overload the system using DDoS (Distributed Denial of Service) & DoS
(Denial of Service) attacks.
d) Checking of commonly known holes in the software, especially the browser and the
email software.
e) Checking the weaknesses of the infrastructure and taking control of ports.
Information Technology Division will keep proper record of all applications software for
legal purposes.

Information Technology Division will ensure the security infrastructure is in place before using
the systems and applications for normal operations. The Division will also upgrade the
systems by installing patches released by developers to remove bugs and loopholes, and
upgrade to newer versions from time to time to ensure better security and control.


15. Service Provider Management:

The IT Division should perform appropriate due diligence before selecting or contracting
with a service provider in respect of security breach, confidentiality, legal terms and
conditions, business risk assessment, etc. Country risk and choice of governing law will
have to be considered in addition to the above while contracting with a foreign service
provider.

Third party service provider must be aware of and comply with this security standard.

A service level agreement must be completed and executed prior to the commencement
of the work.


16. Training:

Each employee should be aware of this Information Security Guideline.

Formal training on Information Security will have to be given to all staff.

Periodic training for the IT security staff is to be prioritized to educate and train in the
latest threats and Information Security techniques.

All new staff is to receive mandatory Information Security awareness training as part of
induction.

17. Internal IT Audit:

Internal Audit should have sufficient IT resources capable of conducting IT Audit.
IT Audit should be conducted at least annually to ensure compliance with this policy.
The report must be preserved for future reference.

18. Disciplinary Actions:

Violation of this policy may result in disciplinary action which may include termination for
employees and temporaries; a termination of employment relations in the case of contractors or
consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to
loss of ONE Bank Information Resources access privileges, and to civil and criminal prosecution.

19. Green Banking
We, at ONE Bank, are responsible corporate citizens. We believe that every small 'GREEN' step
taken today would go a long way in building a greener future and that each one of us can work
towards a better global environment.
Environmental concern is at the centre of the Green Banking strategy. An increasing number of
banks are strengthening green banking activities by launching environment friendly initiatives
and providing innovative green products.
As an environmentally responsible Bank, some of our Green Banking Initiatives are as follows:
Initiating In-house Environment Management
Training & Environment friendly activities for employees to make them environmentally
concerned.
Adherence to Environmental Risk Management guidelines.
Introduction of green banking products & services.
Financing green projects.
Building awareness & providing support to customers to be more environmentally
responsible.
Supporting the environment friendly initiatives as a part of CSR activities.
Forming alliance with NGOs or other environment focused organizations for our green
banking activities.

Benefits of Emerging Technology:
The emerging Information and Communication Technologies (ICT) and e-business can add
value through knowledge management, as they help deliver new services to customers.
Successful e-business depends on the sharing of strategic knowledge, for which dissemination of
information and the free flow of knowledge around the globe is required. Online banking can
provide twenty-four-hour banking facilities. Through electronic data interchange, customers are
able to draw money from one branch at another. Letters of credit can be sent through SWIFT, and
electronic fund transfers from one country to another become feasible. Online banking thus
provides faster, more reliable services. Encryption and decryption can be used to send money from
one place to another. As such, online bank management handles customers in a far better way.
Benefits to the Nation:
Increased productivity:
Rapid mobilization of funds through emerging Information and Communication Technologies
and e-banking can ensure increased productivity of the economy and proper use of resources.
Contribution to GDP:
Banks within a national economy work towards building national capital, increasing national
savings and mobilizing investments in trade and industry.
Infrastructure Development: Banks providing technical services and e-banking services are
developing their own infrastructure, so the government faces a comparatively smaller burden for
infrastructure development.
Facilitating international trade: Banks provide extensive banking facilities for international
trading, especially in the readymade garments, frozen shrimp, jute and pharmaceuticals sectors.
Job creation: Unemployment is a great threat to development; IT development in banking is
creating new types of jobs, such as system analyst, data control manager etc.
Industrial Development: Through rapid mobilization of savings and by facilitating export and
import, e-banking is contributing to faster industrial development in Bangladesh.
Benefits to Banks:
Profit Maximization: E-banking leads to lower costs for the banks and also ensures better profit
from innovative products in this area, thus helping banks to maximize the profit of the owners.
Expand beyond geographic reach: ICT and e-banking enable the banks to expand their
services beyond their geographic reach, thus becoming internationally competitive.

Rapid growth: Banks providing innovative and fast e-banking services will experience rapid
growth in this industry, increase their customer base and become a brand name in the banking
industry.
Cut down cost: Information Systems and e-banking services lower the cost of providing
services compared with manual processing. They also reduce maintenance costs for bankers.
Benefits to customers:
Time savings: The main benefit from the bank customers' point of view was a significant saving
of time through the automation of banking services processing and the introduction of easy
maintenance tools for managing customers' money. The main benefits of e-banking were as
follows:
Continuous access to account information: customers can access their account information
at any time, 24 hours a day, 7 days a week.
No physical interaction required: to transact, customers do not need to be present
physically, and thus find it convenient to transact.
Better cash management: Much better cash management can be ensured through new ICT and
e-banking, as cash is easily available.
Reduced costs: This was in terms of the cost of availing and using the various banking products
and services.
Convenience: All banking transactions can be performed from the comfort of the home or office, or
from any place a customer wants.
Speed: The response of the medium was very fast; therefore customers actually waited till the
last minute before concluding a fund transfer.
Reduced risk: As transactions can be made without physical cash, using a credit card or
smart card, it is less risky.
In Bangladesh most business organizations are run in a centralized manner. As such, the
visions, missions and goals of the top management of various organizations are very important. Top
management should change their mindset and, like Bangladesh Bank, they should encourage
e-business processes. Top management views are reflected down to mid-level management and lower
level management. Unfortunately, most e-business efforts fail because of non-performing visions,
missions, goals and tactics at the business process level of the organization.

Conclusion:
This study aims to develop a framework for best practice in ICT projects for knowledge sharing
in development. It begins with a discussion of the role of ICTs in development and a review of
literature about connecting the first mile. It suggests that findings are polarized around key
debates:
Top down versus participatory solutions to development problems
Global versus local solutions
Technological versus social solutions
Optimism versus pessimism about the role of ICTs in development
The study situates Practical Action's perspective in the context of those debates and identifies the
success factors highlighted in the literature. These can be divided into three dimensions: the
environment, the project level and the first mile. For each of the success factors, the framework
outlines activities that constitute best practice.
The security of a system is the extent of protection against some unwanted occurrence such as
the invasion of privacy, theft and the corruption of information, or physical damage. As this
system is developed over the internet, there is a significant risk of the system being hacked.
Current browsers counter security threats with a network communication protocol called Secure
Sockets Layer (SSL). SSL is a set of rules that tells computers the steps to take to improve the
security level of the communication.
Significant factors to address at the environmental level are the policy environment,
infrastructure limitations, building a good relationship with donors and communicating project
progress. At the project level, success factors are identified as: starting from communities
development priorities; planning projects effectively; learning from monitoring and evaluation;
forging strong partnerships; developing a sustainable business model and building capacity
among all partners to deliver.
The study concludes with suggestions for further research, which include testing the framework
against a sample of case studies, and offers reflections on the application of the framework in the
context of research into ICTs for development.
The Common Problems Dealt with by One Bank Limited with ICT:
Incompatible software - update the system or consult IT help!
Mistyping the text - this is of two types: transcription, using the wrong letter, e.g.
typing "gat" instead of "hat"; or transposition, which is flipping two letters around, e.g. typing
"aht" instead of "hat".
Not understanding how to use it/inexperience - up-to-the-mark training programs for
related personnel.
Prepare shift schedule - One Bank has a well-established schedule in place.
Software crash - use backups and a variety of storage devices, i.e. memory stick, CD-ROM.
Health problems (e.g. shoulder strain, RSI, eyes hurting) - One Bank allows greater
flexibility and regular breaks every few hours.
When it comes to entering data into a table or a spreadsheet, information
often gets missed out or typed incorrectly; One Bank combats this using a variety of
validations, e.g. lookups, type checks, input masks etc.
Numerous problems have been identified from the field survey on the online banking system in
Bangladesh. Some of them are as follows:
Limited number of branches.
Lack of a proper strategic plan to gain and retain market share.
Lack of an international standard communication channel.
High cost of establishing an online banking system.
Inadequate back and front office management.
Lack of an integrated plan among the banks and the Central Bank authority.
Inefficient Clearing House facilities.
Inappropriate software and less trust by the bank authorities in local software.
Bias of bank management towards foreign software.
Unavailability of locally produced software.
Legal barriers and lack of an appropriate policy framework.

Many of the customers taking banking services are not able to bear the cost of additional
equipment such as computers, computer accessories, Internet access etc. at their own organization
or at home. Biometrics should be strengthened further. Using Internet facilities is still very costly,
and people have little knowledge of operating computers. A few cyber cafés are available, but
for banking purposes customers do not feel safe using these facilities. As a result, the total number
of customers who are habituated to online banking systems is limited. Nevertheless, investment
in establishing e-banking facilities still seems profitable.
