Appendix B

NETWORK CONTROLS: 

1. Security Bank shall implement adequate security measures on the internal networks and network connections to public network or remote parties. The Bank shall segregate internal networks into different segments having regard to the access control needed for the data stored in, or systems connected to, each segment.
2. Security Bank shall properly design and configure the servers and firewalls used for the e-banking services either internet-based or delivered through wireless communication networks (e.g., install firewalls between internal and external networks as well as between geographically separate sites).
3. Security Bank shall deploy strong and stringent authentication and controls especially in remote access or wireless access to the internal network.
4. Security Bank shall implement anti-virus software, network scanners and analyzers, intrusion detectors and security alert as well as conduct regular system and data integrity checks.
5. Security Bank shall maintain access security logs and audit trails that are analyzed for suspicious traffic and/or intrusion attempts.
6. Security Bank shall ensure that wireless software for wireless communication network includes appropriate audit capabilities (e.g., recording dropped transactions).
7. Security Bank shall develop built-in redundancies for single points of failure which can bring down the entire network.  

OPERATIONG SYSTEM CONTROLS: 

1. Security Bank shall harden operating systems by configuring system software and firewall to the highest security settings consistent with the level of protection required, keeping abreast of enhancements, updates and patches recommended by system vendors.
2. Security Bank shall change all default passwords for new systems immediately upon installation as they provide the most common means for intruders to break into systems. 

ENCRYPTION CONTROLS: 

1. Security Bank shall implement encryption technologies that are appropriate to the sensitivity and importance of data to protect confidentiality of information while it is stored or in passage over external and internal networks.
2. Security Bank shall choose encryption technologies that make use of internationally recognized cryptographic algorithms where the strengths of the algorithms have been subjected to extensive tests.
3. Security Bank shall apply strong “end-to-end” encryption to the transmission of highly sensitive data (e.g., customer passwords) so that the data are encrypted all the way between customers’ devices and Bank’s internal systems for processing the data. This would ensure that highly sensitive data would not be compromised even if the Banks’ web servers or internal networks were penetrated. 

WEBSITE AND MOBILE BANKING AUTHENTICATION: 

1. Security Bank shall authenticate official website to protect Bank customers from spoofed or faked websites. We determine what authentication technique to use to provide protection against these attacks.
2. Security Bank shall adopt authentication protocols that are separate and distinct from those provided by the wireless network operator for wireless applications. 

PHYSICAL SECURITY:

1. Security Bank shall house all critical or sensitive computers and network equipment in physically secure locations (e.g., away from environmental hazards, unauthorized entry and public disclosure, etc.).
2. Security Bank shall implement physical security measures such as security barriers (e.g., external walls, windows); entry controls (e.g., biometric door locks, manual or electronic logging, security guards) and physical protection facilities/devices (e.g., water and fire detectors, uninterruptible power supply (UPS), etc.) to prevent unauthorized physical access, damage to and interference with the e-banking services.

DEVELOPMENT AND ACQUISITION: 

1. Security Bank shall separate physical/logical environments for systems development, testing and production.
2. Security Bank shall provide separate environments for the development, testing, staging and production of internet facing web-based applications; connect only the production environment to the internet. 

IT PERSONNEL TRAINING: 

1. Security Bank shall provide appropriate and updated training to our IT personnel on network, application and security risks and controls so that they understand and can respond to potential security threats.

SERVICE PROVIDERS: 

1. Security Bank shall perform due diligence regularly to evaluate the ability of the service providers (e.g., internet service provider, telecommunication provider) to maintain an adequate level of security and to keep abreast of changing technology.
2. Security Bank shall ensure that the contractual agreements with the service providers have clearly defined security responsibilities. 

INDEPENDENT AUDIT, VULNERABILITY TEST AND PENETRATION TESTING: 

1. Security Bank shall conduct regular audits to assess the adequacy and effectiveness of the risk management process and the attendant controls and security measures.
2. Security Bank shall perform vulnerability tests or assessments to evaluate the information security policies, internal controls and procedures, as well as system and network security of the bank. Assessment should also include latest technological developments and security threats, industry standards and sound practices.
3. Security Bank shall conduct penetration testing at least annually. For audit and tests, these are conducted by security professionals or internal auditors who are independent in the development, implementation or operation of the e-banking services, and have the required skills to perform the evaluation; and for e-banking services provided by an outside vendor or service provider, we ensure that the above tests and audit are performed and the bank is provided with the results and actions taken on system security weaknesses. 

INCIDENT RESPONSE: 

1. Security Bank shall provide appropriate and updated training to our IT personnel on network, application and security risks and controls so that they understand and can respond to potential security threats.