Security Policy

Large organizations such as banks and financial institutions need a laid-down security framework with a properly defined organizational structure. Its main components are:

  • Information Security Policies, Procedures, and Practices: The security policy is the basis on which detailed procedures and practices are developed and implemented.
  • User Security Administration: Refers to security for the various users, e.g. how users are created and how they are granted access.
  • Application Security: Refers to how security is implemented for applications and transactions.
  • Database Security: Refers to the various aspects of implementing security for the databases.
  • Operating System Security: Refers to security for the operating system software installed on the servers and systems.
  • Network Security: Refers to how security is provided at the various layers of the network and of the connectivity to the servers.
  • Physical Security: Refers to security implemented through physical access controls.




Key IT Controls

Each risk below is paired with the control that addresses it:

  • Risk: Potential loss of confidentiality, availability and integrity of data and systems.
    Control: Vendor default passwords for application systems, operating systems, databases, and network and communication software are appropriately modified, eliminated, or disabled.
  • Risk: User accountability is not established.
    Control: All users are required to have a unique user id.
  • Risk: It is easier for unauthorized users to guess the password of an authorized user and access the system and/or data. This may result in loss of confidentiality, availability and integrity of data and systems.
    Control: The identity of users is authenticated to the systems through passwords. The password is periodically changed, kept confidential and complex (e.g. minimum password length, alphanumeric content, etc.).
  • Risk: Security breaches may go undetected.
    Control: Access to sensitive data is logged and the logs are regularly reviewed by management.

The objective of an internal control system is to ensure the orderly and efficient conduct of business, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

Internal Controls in Banks

Some examples of internal controls in a bank branch are given here:

  • All books are to be balanced periodically.
  • Job rotation.
  • Branch managers must send periodic confirmations to their controlling authority.
  • Details of lost security forms are immediately advised to the controlling authority so that it can exercise caution.
  • Fraud-prone items like currency, valuables, draft forms, term deposit receipts, traveller's cheques and other such security forms are kept in the dual custody of at least two officials of the branch.
  • The financial and administrative powers of each official/position are fixed and communicated to all persons concerned.
  • The work of one staff member is invariably supervised/checked by another staff member, irrespective of the nature of the work (Maker-Checker process).


IT Controls in Banks

IT risks need to be mitigated by implementing the right type and level of controls in the automated environment.

  • The system maintains a record of all log-ins and log-outs.
  • Access to the system is available only between stipulated hours and on specified days.
  • Users are given access only on a 'need-to-know' basis, based on their role in the bank.
  • The system checks whether the amount withdrawn is within the drawing power.
  • The system flashes a message if the balance falls below the permitted limit.
  • A transaction sought to be posted to a dormant (or inoperative) account must be authorized with a supervisory password.
  • A user timeout is prescribed, after which an idle session is ended.
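The following is an added illustration, not code from the page or from any banking system: a minimal posting routine that applies the controls listed above (session timeout, stipulated hours and days, supervisory authorization for dormant accounts, drawing power, permitted-limit warning, and a log of every attempt). The class names, the 09:00-18:00 Monday-Friday window, the 15-minute timeout and the sample accounts are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Account:
    number: str
    balance: float
    drawing_power: float      # maximum the customer may currently draw (assumed semantics)
    minimum_balance: float    # permitted limit; falling below it triggers a warning
    dormant: bool = False     # inoperative account: posting needs supervisory authorization

@dataclass
class Session:
    user: str
    role: str                 # "teller" or "supervisor" (assumed roles)
    last_activity: datetime
    log: list = field(default_factory=list)   # record of every posting attempt

ACCESS_DAYS = range(0, 5)     # Monday..Friday (assumed stipulated days)
ACCESS_HOURS = range(9, 18)   # 09:00..17:59 (assumed stipulated hours)
TIMEOUT = timedelta(minutes=15)   # assumed prescribed user timeout

def within_access_window(now: datetime) -> bool:
    return now.weekday() in ACCESS_DAYS and now.hour in ACCESS_HOURS

def session_timed_out(session: Session, now: datetime) -> bool:
    return now - session.last_activity > TIMEOUT

def post_withdrawal(session, account, amount, now, supervisor=None):
    """Apply the controls in order; return (posted, message) and log the outcome."""
    if session_timed_out(session, now):
        result = (False, "session timed out: log in again")
    elif not within_access_window(now):
        result = (False, "system not available outside stipulated hours/days")
    elif account.dormant and not (supervisor and supervisor.role == "supervisor"):
        result = (False, "dormant account: supervisory authorization required")
    elif amount > account.drawing_power:
        result = (False, "amount exceeds drawing power")
    else:
        account.balance -= amount
        account.drawing_power -= amount
        result = (True, "posted")
        if account.balance < account.minimum_balance:
            result = (True, "posted; WARNING balance below permitted limit")
        session.last_activity = now
    # every attempt, rejected or not, is written to the session record for later review
    session.log.append(f"{now.isoformat()} {session.user} {account.number} {amount} {result[1]}")
    return result
```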
