INFORMATION RISK MANAGEMENT
AfrAsia Bank Limited recognises the critical importance of information security and treats it as one of the essential preconditions for doing business. IT-related risk is any risk related to information technology. This relatively new term reflects a growing awareness that IT risk is simply one facet of the multitude of risks that are relevant to banks and the real-world processes they support. The impact of an event on an information asset is usually taken to be the product of the vulnerability in the asset and the asset’s value to its stakeholders. Thus, IT risk can be expanded to:
Risk = Threat × Vulnerability × Asset Value
IT risks are primarily grouped in three segments:
1. Confidentiality
2. Integrity
3. Availability
In AfrAsia Bank Limited’s IT set-up, all three segments are evaluated and mitigated to the extent required to avoid any exposure to the Bank. The Bank’s data is kept confidential and access to any system is granted strictly on a need-to-know basis. Users are given access rights based on the roles they are expected to play in the Bank. No one can log in to any computer software without a valid ID and password that has been approved by the Line Manager, reviewed by Compliance and activated by IT.
All transactions are undertaken following the four-eyes principle, i.e. with a maker and a checker, which ensures the integrity of the data. Duties are segregated between Sales, Business Operations, Finance and Credit, and each of these plays its part in validating the data and checking its overall integrity. IT is the custodian of the data but has no access or right to update any data, either through the application or directly in the database. A clear demarcation is maintained within IT between the production and test environments, and no update is put on live systems until it has been tested and certified by users.
A detailed Business Continuity Plan is in place and is updated every year to ensure that the business does not come to a halt because of non-availability of a system. A Disaster Recovery Plan and DR Site are in place for every system in the Bank to make sure that the business remains available. The necessary and optimum redundancy is built in with respect to hardware, software and network. Annual maintenance contracts and Service Level Agreements are in place to ensure that all suppliers provide the necessary service on time.
Various levels of information security have been addressed including:
- Physically, the IT data centre has been moved to a secure location outside Port Louis, in a secure building with raised flooring, dual air-conditioning, dual UPS, automatic power generator facilities and fire-fighting equipment. Access to the data centre is controlled via biometric access card
- The local area network is protected by a firewall, and all access to the various servers and services is password-protected, with password expiry enforced
- The network is secured by firewalls at both hardware and software level, with content filtering and network management tools to manage them
- Access to the core banking and internet banking systems, SWIFT and other critical systems is managed by restricting access rights to a given set of functions, thus limiting the range of operations available to a given user to what is required
- Firewall and antivirus software are in place to secure the network
- The email platform is secured using Symantec technology, and detection of unsolicited email is in place
- Encrypted secure email is used to transmit data to customers, who access it via a secure portal
- The internet banking secure site has VeriSign SSL certification
- Data backup is taken on a daily basis and systems backups are done as per required frequency.
BUSINESS CONTINUITY MANAGEMENT (BCM)
A Business Continuity Management Policy has been put in place, with appropriate plans to mitigate operational risks, as a commitment to the Bank’s shareholders, customers and employees that business will continue. The BCM framework has been implemented to provide for a Disaster Recovery site, with data being updated as per the preset recovery time objective. This minimises the operational, financial, legal, reputational and other material consequences arising from any disruption.
The BCM Framework in place has the following in-built principles:
- Responsibility rests on the Bank’s Board of Directors and Senior Management
- Explicitly consider and plan for major operational disruptions
- Recovery objectives reflect the risk they represent to the operation of the banking system
- In a ‘worst case scenario’ the recovery time objective (RTO) is set at a maximum of 24 hours, and certain functions may be recovered within a threshold of 4 hours after a crisis is declared. The recovery point objective is set to the state of business as of the previous end of day
- For the core banking system, the recovery point objective is set to 15 minutes, as data replication to the Disaster Recovery Site is scheduled every 15 minutes
- Preparation for clear and regular communication during a major operational disruption
- Emphasis on cross-border communications during a major operational disruption, as the Bank has global reach
- Ensuring that business continuity plans are effective and that necessary modifications are identified through periodic testing, and
- Ensuring that appropriate approaches to implementing business continuity management, reflecting the recovery objectives, are adopted and reviewed periodically.
The Bank has put in place a BCM Steering Committee, which reviews the processes after each testing exercise and reviews the policy every year with a view to improving resilience as the Bank moves forward. The ultimate objective is to ensure that operations disrupted by any eventuality are restored in the minimum possible time and that the Bank returns to normal operation within a reasonable time frame.
Following the flood disaster of March 2013, the Bank moved its data centre to a safer zone and has an adequate Disaster Recovery Site. During this move, all services were tested from both the Main Site and the DR Site. The tests were completed conclusively and the Bank was able to start its IT services from the new data centre on Monday 7th April 2014.
INTERNAL AUDIT
The Bank has adopted a three-layer control system:
Line management remains primarily responsible for establishing appropriate control over its operations, for independent periodic assessment of the associated risks, for setting up appropriate procedures and for actively walking the job to identify lapses and introduce remedial measures. The Bank is committed to operating as per best industry practice as far as controls are concerned and to enforcing their day-to-day application. At the beginning of each financial year, all Executives and staff are assigned a number of appropriate control-related measurable performance indicators, which carry equal weighting with normal commercial targets.
To safeguard the total independence of Internal Audit, it reports directly to the Audit Committee, with a dotted-line reporting to the CEO for day-to-day matters, and the Bank subscribes to the principle that Internal Audit has unfettered access to all the Bank’s records and information.
Internal Audit carries out an annual inventory of all lines of business and operations, followed by a risk assessment and risk scoring of each of these entities. Based on this risk assessment, an annual audit plan is drawn up and submitted to the Audit Committee for approval. The calendar of execution of the audits is known only to the CEO and the Audit Committee.
The coverage of the Bank’s internal audit also includes the entities where the Bank has material shareholding interests.
The final audit reports provide clearly identifiable examples in support of findings, highlight the risk associated with each finding, and provide concrete remedial recommendations, which, together with an implementation date, are agreed with line management prior to the issue of the reports. Every finding is allocated a rating depending on the level of the associated risk. It is to be noted that Internal Audit will systematically allocate a higher risk rating where findings may be contrary to law or relate to inadequate observance of regulatory guidelines.
Periodically, all departments are required to certify that all previous audit recommendations have been implemented and not allowed to lapse. In addition, Internal Audit carries out checks to ensure such implementation.
A total of 21 audit reports were issued during the period July 2013 to June 2014, and to date all related recommendations have been implemented.
For the forthcoming year the Bank is targeting to conduct audits of entities systematically, at least at the following frequency:
| Risk rating of entity | Number of audits annually |
|---|---|
| High | 2 |
| Medium | 1 |
| Low | Once every two years |
During the financial year ended 30 June 2014, the Bank strengthened its audit team through the recruitment of one Senior Audit Officer and one Audit Officer.