Information & Communication Technology

(ICT) Risk Management:

Bangladesh Bank Guidelines
Present status at MBL

A.K.M. Atiqur Rahman

Senior Executive Vice President & CTO
 Risk Definitions
• Risk Definition: A Risk is a potential or future event that, should it
occur, will have a (negative) impact on the Business Objectives of an
Organisation
• A risk must have Uncertainty, (in terms of Probability or
Likelihood). It might happen
• A risk must have a measurable Impact, (usually measured in
monetary terms, but other criteria are acceptable, reputation for
example)
• “It May Rain Tomorrow”

• Issue Definition: An Issue is a current event that will have a (negative)

impact on the Business Objectives of an Organisation
• E.g. An Incident, a manifested risk, an Audit Non-Compliance
finding, an Equipment or Supplier failure
• “It is Raining Today”
 What is Risk Management?
The identification of Risks and their management by defining:
• The Risk Description
• The Risk Owner
• The Probability of the Risk Event occurring
• The Risk Impact in terms of cost, loss of assets, Reputation … Failure to meet a
Business Objective
• The most suitable Mitigations that will prevent or reduce the Likelihood of the
Risk Event occurring with relation to their costs and the reduction of Risk
Exposure
• The Contingency Plan to recover the Asset once risk is manifested
• An understanding of Corporate Risk Appetite and where appropriate the
application of Risk Tolerance
 Objectives of Generic Risk Management
To ensure that all risks to the Business however they are derived are
managed effectively.

Strategic Risk Register

Strategic
Level

Strategic Risks

This includes:
• Strategic Risks Change
Level
• Programme and Project Risks Project Risk Register
Programme/Project Risks
• Operational Risks (includes
Security and Business
Continuity Risks) Operational Risk
Register
Information
Operational Level
(Business as Usual) Security Risk
Register

Operational Risks BAU

Business
continuity
Objectives of Information Security Risk
Management
To ensure that the risks to the Organisation that are
derived from Incidents, Threats, Vulnerabilities and Audit
non-compliances are managed effectively.
In Security Terms these are those risks that impact the:
• Confidentiality,
• Integrity,
• Availability, and the
• Traceability of Information while:
– At rest
– While being modified
– In transit (around a system, e-mail, media device, telephone etc.)
 Information Security Risk Management
Risks within service provider environments

A risk may have the same Risk Description but two

separate impacts dependent on the Owner

e.g. Risk: patching may fail to complete in a timely

manner
1. Impact on IT Service Provider: Potential Commercial Penalties, Damage to Reputation
2. Impact on Client: Loss of Systems, loss of information, loss of revenue etc. etc.
 Mitigation Plans and Contingency
Plans
• Mitigations or Controls are primarily used to prevent
the occurrence of a risk or to reduce the Probability
of Risk occurrence - (Reduce Probability)
– This is why it is so important to describe the risk event
clearly.
• Contingency Plans address the Impact of the Risk plans and
are used to recover a system from the effect of a risk should it
occur, a mini BCP - (Reduce Impact)
• This is why it is so important to clearly describe the risk impact
separately from the risk description
 Standards
Select appropriate controls / use security standards
• ISO27000
• PCI DSS
• CObIT
• BITS SIG
• Bangladesh Bank ICT Security Guideline
 Guidelines for FI & NBFI

Guideline on ICT Security For Banks and Non-

Bank Financial Institutions
– May, 2015
– Version 3.0
 Our Organizational Standard
ICT Security Policy
– October, 2016
– Version 4.0
 ICT Security Policy
A security policy is a document that states in
writing how a company plans to protect the
company's physical and information
technology (IT) assets.
 Sample Security Policies
• Physical Security Policy
• Network Security Policy
• Email Security Policy
• Cyber Security Policy
• Risk Management Policy
• Change Management Policy
• Business Continuity Plan
 Procedures
• Standard Operating Procedure for-
– DC/DR Operation
– EOD operation
– Network Management
– Backup & restore
– Database Management
– System Management (scheduling, startup, shut-down, restart &
recovery)
 Infrastructure Security Management
• Asset Management
• Desktop/Laptop Device Controls
• BYOD Controls
• Server Security Controls
• Data Center Controls
• Server/Network Room/Rack Controls
• Network Security Management
• Cryptography
• Malicious Code Protection
• Internet Access Management
• Email Management
• Vulnerability Asset and Penetration Testing
• Patch Management
• Security Monitoring
Infrastructure Security Management
Access Control of Information System
User Access
Management

Password
Management

Input Control

Privileged Access
Management
What is BCP………
• Business continuity means maintaining the
uninterrupted availability of all key business
resources required to support essential
business activities.
 Why BCP-DRP….
Threats to Availability

DATA CORRUPTION COMPONENT FAILURE APPLICATION FAILURE

USER ERROR MAINTENANCE SITE OUTAGE

 BCP

Business Continuity
Plan

Disaster Recovery Plan

Data Backup &

Restore Management
 Document Plans
• Organization of the Teams
• Detailed Procedures – Technical & Manual
Workarounds
• Emergency Response Flow
• Emergency Contact Lists
• Crash Kits
 The Approach……..
• Step one: Key IT Assets identification and Risk Analysis
• Step Two: Business Impact Analysis
• Step Three: Design Continue treatments
• Step Four: Document the plans
• Step Five: Implement Continue Treatments
• Step six: Test/Exercise the plans
• Step six: Training…
 Acquisition and Development of
Information Systems
• ICT Project Management
• Vendor Selection for System Acquisition
• In-house Software Development
• Software Documentation
• Statutory Requirement
 Alternate Delivery Channel Security
Management
• ATM/POS Transaction
• Payment Cards
• Mobile Financial Services
 Service Provider Management
• Outsourcing
• Cross-border System Support
• Service Level Agreement
 Customer Education
• Awareness Program
– Shall create and publish proper content
– Awareness building through leaflets & brochures, SMS,
Safety tips in account statements and envelopes
– Education material in account opening kits
– Receipts dispensed by ATM/POS
– Screensavers
– e.t.c.