INFORMATION TECHNOLOGY POLICY 20-08-2015
THE GUNTUR DISTRICT
CO-OPERATIVE CENTRAL BANK LTD.,
- Reasons for having this policy:
All Information Technology facilities and information resources of “The Guntur District Co-operative Central Bank Ltd., Tenali” (henceforth called the Bank) remain the property of the Bank and not of particular individuals, teams or departments.
By following this policy we’ll help ensure IT facilities are used:
- Legally and securely without undermining the Bank.
- Effectively, in a spirit of co-operation, trust and consideration for others, so they remain available.
The policy relates to all Information Technology facilities and services provided by the Bank. All staff and other authorized users (Internal Auditors, Statutory Auditors, Controllers etc.) are expected to adhere to it.
- Disciplinary Measures:
Deliberate and serious breach of the policy statements in this section will lead to disciplinary measures as per Award provisions and also as per IT Act 2000 and IT (Amendment) Act 2008 of Govt. of India. It may also include the offender being denied access to computing facilities.
Every user must take care to use software legally in accordance with both the letter and spirit of relevant licensing and copyright agreements. Copying software for use outside these agreements is illegal and may result in criminal charges.
- The user should not attempt to gain unauthorised access to information or facilities. The IT Act makes it a criminal offence to obtain unauthorised access to any computer (including workstations and PCs) or to modify its contents. If a user does not have access to information resources and feels he/she needs it, he/she should contact the IT Support persons or officials.
- The user should not disclose personal system passwords or other security details to other staff, volunteers or external agents, and should not use anyone else’s login. This compromises the security of the Bank. If someone else gets to know the password, the user should change it immediately or get support from the IT Department.
- If the user leaves his/her computer unattended without logging off, he/she is responsible for any misuse of it by others while he/she is away.
- The user should check the system/client for viruses, even if he/she thinks that they are clean. Contact the IT personnel to find out how. Computer viruses are capable of destroying the Bank’s information resources. It is better to be safe than sorry.
2.3. Information about people: If the user is recording or obtaining information about individuals, make sure that Data Protection rules and regulations are not violated.
2.4. Internet/E-mail: The user is a representative of the Bank when he/she is on the Internet using email. He/she has to:
- Make sure that his/her actions are in the interest (and spirit) of the Bank and do not leave the Bank open to legal action.
- Avoid trading insults with other people using the Internet with whom he/she disagrees.
- Not write, publish, look for, bookmark, access or download anything that contains obscenities or pornography.
2.5 Electronic Monitoring: Any information available within the IT facilities must not be used to monitor the activity of any individual staff in any way (e.g. to monitor their working activity, working time, files accessed, Internet sites accessed, reading of their email or private files etc.) without their prior knowledge.
- In the case of a specific allegation of misconduct, when the Management Team can authorise accessing of such information when investigating the allegation.
- When the IT section cannot avoid accessing such information whilst fixing a problem. In such instances, the person concerned will be informed immediately and information will not be disclosed wider than is absolutely necessary. In the former case their access to IT facilities may be disabled pending investigation.
- IS Audit Policy:
The purpose of IS Audit is to review and provide feedback, assurance and suggestions on the concerns of the management with regard to integrity and effectiveness of systems and control. The IS audit aims to provide reasonable assurances on a test basis regarding the adequacy of the controls used in the governance over IS resources to cover all the major and common types of audit, viz. Systems Audit, Application Audit, Compliance Audit, Security Audit, Performance Audit, etc.
The key features that must be covered under this IS Audit are as given below.
- Availability of Information Systems to carry out the business without any disruptions.
- Protection to the Information Systems against all types of losses and disasters.
- Provision of Uninterrupted Power Supply Systems to keep the Systems available all the times preventing service disruptions due to Power outage.
- Upgradation of systems to match the existing business environment.
- The information in the systems has to be disclosed only to those who are authorized to see and use it and not to anyone else.
- The information provided by the Systems is always to be accurate, reliable and timely. To ensure that no unauthorized modification is made to the data or the software in the system.
- Security violations, Loopholes in Information Systems design and Programming errors. Inadequate logical access controls and poor procedural controls.
- Ineffective employee supervision and Management controls.
- Quality of services to the customers.
- Employees’ performance appraisal and necessity of additional training.
- Suggesting updations to the checklists of Internal Auditors of the Bank to keep in tune with latest developments in its area of operations and in its policies and procedures.
- To identify inconsistent data and to compare data with physical books of accounts/forms available in the system.
In addition to the above, the following are also to be complied with in the process of IS Audit:
- While engaging outside computer agencies, Bank should make an agreement with vendor to take care of probable data leakage.
- To ensure to incorporate the “clause of visitorial rights” in the contract, so as to have the right to inspect the process of application and also to ensure the security of the Data / Data Centre / Disaster Recovery Centre / inputs given to the outside agencies while conducting IS Audit.
- Entire domain of IS activities (from policy to implementation) should be brought under scrutiny of ‘Inspection and Audit Department’.
- Financial outlay as well as activities to be performed by IS department should be reviewed by the Senior Management / Audit Committee of the Board of Management at periodic intervals.
- The Information Systems Auditor is to provide a report in an appropriate form, upon completion of audit work. The audit report is to state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report is to state the findings, conclusions and recommendations with respect to improvement in data integrity, system effectiveness and system efficiency.
- Email Policy:
4.1. When to use email:
- Use it in preference to paper to reach people quickly (saving time on photocopying / distribution) and to help reduce paper use. Think and check messages before sending (just as you would a letter or paper memo).
- Use the phone (including voicemail if no reply) for urgent messages (email is a good backup in such instances).
- Use the Bank’s intranet (not email) to communicate all relatively static information (e.g. policy, procedures, briefing documents, reference material and other standing information). Record information on the intranet in a well-structured manner (consulting with the Web Systems Administrator as appropriate). Use email merely as a pointer to draw attention to new and changed information on the intranet.
4.2. Use of Distribution Lists:
- Only send Email to those it is meant for; don’t broadcast (i.e. send to large groups of people using email aliases) unless absolutely necessary since this runs the risk of being disruptive. Unnecessary (or junk) email reduces computer performance and wastes disc space.
- Use the standard aliases for work related communication only.
- Do not broadcast other non-work related information or requests (e.g. information or opinions on political matters outside the scope of the Bank’s campaigning, social matters, personal requests for information etc.).
- Keep the Bank’s internal email aliases internal. When sending an email both to the Bank alias and outside of the Bank, use the alias as a blind carbon copy (i.e. the bcc address option) so that the external recipient does not see the internal alias.
- Don’t broadcast emails with attachments to large groups of people; this helps to reduce load on the network.
4.3 General points on email use:
- When publishing or transmitting information externally, be aware that you are representing the Bank and could be seen as speaking on the Bank’s behalf. Make it clear when opinions are personal. If in doubt, consult your IT Officer.
- Check your in-tray at regular intervals during the working day. Keep your in-tray fairly empty so that it just contains items requiring your action. Try to decide what to do with each email as you read it (e.g. delete it, reply to it, save the whole email in a folder, or extract just the useful information and save it somewhere logical).
- Keep electronic files of electronic correspondence, only keeping what you need to. Don’t print it off and keep paper files unless absolutely necessary.
- Use prefixes in the subject box whenever appropriate.
- Treat others with respect and in a way you would expect to be treated yourself (e.g. don’t send unconstructive feedback, argue or invite colleagues to publicise their displeasure at the actions / decisions of a colleague).
- Don’t forward emails warning about viruses (they are invariably hoaxes and IT Support will probably already be aware of genuine viruses – if in doubt, contact them for advice).
4.4 Email etiquette :
- Being courteous is more likely to get you the response you want. Do address someone by name at the beginning of the message, especially if you are also copying another group of people.
- Make your subject headers clear and relevant to your reader(s), e.g.
- Don’t use subject headers like “stuff”
- Don’t send a subject header of, say “accounts” to the accountant
- Try to keep to one subject per email, especially if the content is complex.
- Don’t open email unless there is a reasonably good expectation of what it contains,
- Do open report.doc from an Internet colleague you know
- Don’t open explore.zip sent from an address you’ve never heard of, however tempting. Alert IT Support if you are sent anything like this unsolicited.
This is one of the most effective means of protecting the Bank against email virus attacks.
- Keep email signatures short. Your name, title, phone/fax and web site address may constitute a typical signature.
- Understand how forwarding an email works. If you forward mail, it appears (to the reader) to come from the originator (like passing on a sealed envelope). If you forward mail *and edit it* in the process, it appears to come from you – with the originator’s details usually embedded in the message. This is to show that the original mail is no longer intact (like passing on an opened envelope).
4.5 Usage of mail
- All the staff members should make use of E-Mail IDs allotted by the Bank in the domain “gunturdccb.com” and check the mail box regularly.
- All the Branch Managers should check the Branch Mail box very frequently, i.e., at least once an hour.
- IT Cell:
- IT Cell of the Bank holds the responsibility of implementing the IT Policy of the Bank and to take steps for the Processing of information and Controlling the User operations of the IT System within the Bank.
- The IT Cell has to render support to all the users of the Bank in co-ordination with other sections in respect of providing login facilities and controlling them from time to time, and to report immediately to the Authorities about lapses or misuses noticed by it.
- It has to study the Technology updations in the Business Environment taking place from time to time and appraise to the Authorities about the usefulness of the adaptation in increasing the Bank’s profitability.
6.1 Hardware and Software:
All purchases should be made after approval by the IT Professionals, preferably through the IT budget.
6.2 Installing Software:
Get permission from IT Support before you install any software (including public domain software) on equipment owned and/or operated by the Bank.
6.3 Data transfer and storage on the network:
- Keep master copies of important data on the Bank’s network and not solely on the PC’s local C: drive or Memory discs (CDs/DVDs). Otherwise it will not be backed up and is therefore at risk.
- Ask for advice from IT Support if you need to store, transmit or handle large quantities of data, particularly images or audio and video. These large files use up disc space very quickly and can bring your network to a standstill.
- Be considerate about storing personal (non-Bank) files on the Bank’s network.
- Don’t copy files which are accessible centrally into your personal directory unless you have good reason.
6.4 Use of facilities for leisure or personal purposes (e.g. sending and receiving personal email, playing computer games and browsing the Internet) is not permitted due to the following reasons.
- It incurs expenditure for the Bank.
- It impacts on the performance of the job (this is a matter between each member of staff, Officials)
- It breaks the law
- It will bring the Bank into disrepute.
6.5 Care of equipment:
- Don’t re-arrange how equipment is plugged in (computers, power supplies, network cabling, modems etc.) without first contacting IT Staff.
- Don’t take food or drink into rooms which contain specialist equipment like servers, Power Systems etc. Access to such rooms is limited to authorised staff only.
- All the users should take care of the hardware allotted to them as well as the Computer Hardware, UPS Systems, Routers and modems etc. of that branch.
- The users should keep all the Hardware very clean.
- The Branch Manager may entrust the watering of earthing pits to the Messenger of the Branch and see that the earthing pits are kept wet.
6.6 Hardware Protection
All the computer Hardware and UPS systems should be covered under Electronic Insurance Policy.
6.7 User ID creation
User IDs should be created by the IT Cell as per the orders of the Chief Executive Officer of the Bank only. User IDs and Roles should be allotted to each and every employee other than VI cadre employees, i.e., Messengers.
6.8 Password policy
The password should contain at least 8 characters and should be alphanumeric, i.e. a combination of alphabets, numerals and special characters, which is easy to remember.
- The users should not note down User ID or password on paper or any material.
- The users should not disclose / reveal User ID or password to any other staff members.
- The users should not exchange them with any other staff members.
- The users should not work on any other staff member’s User ID.
- The users will be held responsible for any untoward incidents that happen in their role.
- The auto screen lock will engage within 2 minutes and the monitor will go into sleep mode.
6.9 Bio-Metric Registration
- All users should be registered for Bio-Metric access.
- All the users should ensure “proper login” into the ID allotted to them and make transactions in their own login credentials and make use of Bio-metric.
- Further, all the staff members are advised to note that if any untoward instance or fraud occurs, the staff member to whom the ID belongs will be held responsible whenever the user has requested disabling of Bio-Metric.
7.0 Unblocking of User IDs
If any user attempts to log in with a wrong password five times in a row, the user ID is blocked by the system automatically. If the user wishes to unblock his/her user ID, he/she should request the IT Cell through his/her own mail ID besides contacting the System Administrators of IT Cell. After the instructions of AGM (IT), the System Administrator will unblock the user ID.
7.1 Password Reset
If any user forgets his/her password, he/she should request the IT Cell through his/her own mail ID besides contacting the System Administrators of IT Cell. After the instructions of Asst. General Manager (IT), the System Administrator will reset the password for the user. The user should create a new password immediately on receipt of the password from the IT Cell.
7.2 Role changing / transferring from one branch to another branch
- If any user would like to proceed on leave / to attend outdoor work, he / she should intimate to the Branch Manager well in advance so as to make necessary alternate arrangements.
- The Branch Manager should make a leave entry in CBS for the user who will proceed on leave and inform the same to the Manager / Asst. General Manager / Deputy General Manager of the Establishment section through mail immediately, so as to make necessary role changes for the users of that branch / depute or transfer a user from another branch.
- The Manager / Asst. General Manager / Deputy General Manager of the Establishment section should inform the IT Cell of the details of the role changes of users at least one hour before the branch operations start and also authenticate the same in the register maintained for that purpose.
7.3 Blocking of Users due to Retirement / Dismissal / Death / Suspension from duties as a part of disciplinary action
- The Establishment section should inform the details of users to be blocked to the IT Cell, due to their retirement / dismissal / death / suspension from duties as a part of disciplinary action.
7.4 EOD / SOD
- Branches should complete the Branch Sign-In and Sign-Out within the time. The branches should Sign-Out within the time, more particularly on Month Endings, Half Year Endings and Year Endings, so that the IT Cell can perform EOD and SOD operations, which will take much more time than on normal days.
- The users should not leave the branch until the branch is Signed-Out, and should also confirm with the Branch Manager / Passing Officer that all the transactions / modifications made by them have been authorised before proceeding to leave the premises.
CHIEF EXECUTIVE OFFICER