- INTRODUCTION
- Information Security Management Framework
- Risk Assessment
- General Cyber Security Policy
- Network Management and Security
- Source Code Security Management
- User Access Right - Control /Management
- Preventing Access to Un-authorized software
- Secure Configuration Management
- Virus Protection and End Point Security
- Operating System and Patch Management
- Backup Recovery & Storage Management Policy
CBI MONEY UAB
Information System Security
Policies and Procedures
DOCUMENT CONTROL INFORMATION
| SL No | Particulars | Details |
|---|---|---|
| 1 | Document Reference | ISMPP of CBIMONEY |
| 2 | Document Date | 2022/03/18 |
| 3 | Prepared By | Information Security Department |
| 4 | Reviewing Authority & Date of Review | JianYu Guan & 2022/03/22 |
| 5 | Board Approval Date | 2022/03/24 |
| 6 | Published on Date | 2022/03/25 |
VERSION CONTROL
| SL No | Particulars | Details |
|---|---|---|
| 1 | Version 1.0 | |
| 2 | Version 1.1 | |
| 3 | Version 1.2 | |
| 4 | Version 1.3 | |
| 5 | Version 1.4 | |
This document is confidential in nature, and any reproduction, copy or re-write using the contents of this document will be treated under the jurisdiction of the General Copyright Act. The document is the sole property of CBI MONEY UAB.
INTRODUCTION
OVERVIEW
The purpose and objective of this Information Security Policy is to set out a framework for the protection of the organisation’s information assets:
§ to protect the organisation’s information from all threats, whether internal or external, deliberate or accidental.
§ to enable secure information sharing.
§ to encourage consistent and professional use of information.
§ to ensure that everyone is clear about their roles in using and protecting information.
§ to ensure business continuity and minimise business damage.
§ to protect the organisation from legal liability and the inappropriate use of information.
As required under the standards below:
§ the Law of the Republic of Lithuania on institutions
§ Republic of Lithuania Law on Financial Institutions
§ GDPR (General Data Protection Regulation) and PSD2 (Payment Services Directive 2)
It is the duty of the CBI MONEY UAB Board of Directors to assure that confidential customer information is safeguarded and protected.
1) Protects applicable records and information from any anticipated threats or hazards to the security or integrity of the records or information.
2) Protects against unauthorized access to or use of applicable records or information that would result in substantial harm or inconvenience to the customer.
To accomplish the aforementioned objectives, this Information Security Program has been established to assure that customer, consumer, employee, and proprietary information is kept secure.
The institution’s Board of Directors is to oversee management’s efforts at developing, implementing, and maintaining an effective information security program, inclusive of approving this written Information Security Program.
Information security is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information. Information security promotes the commonly accepted objectives of confidentiality, integrity, and availability of information and is essential to the overall safety and soundness of an institution. Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value. The potential adverse effects can arise from the following:
§ No clear standards have been established for IT information security, and the financial institution’s policies have not been updated in time.
§ Disclosure of information to unauthorized individuals.
§ Unavailability or degradation of services.
§ Misappropriation or theft of information or services.
§ Modification or destruction of systems or information.
§ Records that are not timely, accurate, complete, or consistent.
§ Institution employees do not regularly receive security training, and so do not develop the correct security awareness.
§ Failure to classify incidents of IT systems, analyze records, and learn from them.
§ Periodic risk assessments are not performed to determine the institution’s inherent and residual cyber security risk.
§ Failure to provide adequate resources to effectively support the information security program.
CBI MONEY UAB should maintain an effective information security program commensurate with its operational complexity. Information security programs should have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities. In addition, because of the frequency and severity of cyber-attacks, CBI MONEY UAB should place an increasing focus on cyber security controls, a key component of information security.
CBI MONEY UAB should also assess and refine its controls on an ongoing basis. The condition of the institution’s controls, however, is just one indicator of its overall security posture. Other indicators include the ability of the institution’s board and management to continually review the institution’s security posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions. Information security is far more effective when management does the following:
§ Integrates processes, people, and technology to maintain a risk profile that is in accordance with the board’s risk appetite.
§ Aligns the information security program with the enterprise risk management program and identifies, measures, mitigates, and monitors risk.
Information Security Management Framework
CBI MONEY UAB’s information security framework helps align information security with its business goals and enables confidentiality, integrity, and availability of mission-critical business information assets. This Framework also enables the fundamental IT governance responsibilities which include:
§ IT must deliver value and enable the business.
§ IT-related risks must be mitigated.
The figure below outlines the key components of our framework based on a top-down approach. Each layer of the pyramid relies on the one above it. The framework depicted below is closely aligned with the ISO 27001 specifications for information security management systems.
CBI MONEY UAB’s security framework is based on the above model:
§ CBI MONEY UAB has the support of an executive-sponsored security strategy based on the current Strategic Information Technology (IT) Plan 2021–2025. It is important for the institution to have a strategy document that outlines the ISMS scope and the security principles and values governing CBI MONEY UAB’s security policy.
§ There are clear guidelines on the risk management approach for the institution. This risk management layer outlines how the institution manages risks on an ongoing basis, based on evaluation criteria supported by tools and techniques. The institution intends to develop comprehensive, practical risk assessment procedures that link information security to business needs.
§ When a risk management framework exists, all information assets, whether newly acquired or developed, go through a risk assessment process and risks are managed as appropriate, so that security is not an afterthought.
§ A program policy is a high-level, organization-wide policy with a defined purpose and scope. More granular policies cover issue-specific and system-specific matters and outline a set of standards to follow. The various policies that need to be addressed are identified in the Policy and Procedure document. Additional standards to follow will be included in the Policy and Procedure document as appropriate.
§ The security architecture layer is key for setting standards and guidelines and acts as a control selection layer based on the principles and values set forth in the security strategy. Architecture also provides the necessary technical foundation for an effective security strategy by defining the building blocks that make up the overall security solution.
Annually, and in conjunction with the Board’s review with the Privacy Policy and the Information Security Program, the Information Security Officer is to prepare a Privacy and Information Security Risk Assessment that identifies and assesses inherent risks, identifies mitigating factors applicable to the aforementioned identified risks, and establishes ratings of the ensuing residual risks. The risk assessment is to be presented to the Board of Directors for its review and ratification.
The institution must design its information security program to manage and control identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the financial institution’s activities.
In this regard, the institution must consider whether the following security measures are appropriate and adopt them accordingly:
§ Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
§ Access restrictions at physical locations containing customer information, such as buildings, computer facilities, office equipment rooms containing telephones, copiers and facsimile machines, and records storage facilities to permit access only to authorized individuals.
§ Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.
§ Procedures designed to ensure that modifications (“patch management”) to the customer information system are consistent with and do not diminish the effectiveness of the financial institution’s information security program.
§ Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.
§ Monitoring systems (24 * 7) and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
§ Response programs that specify actions to take when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
§ Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
Risk Management Framework and Identification
Risk is the potential that events, expected or unanticipated, may adversely affect the institution’s earnings, capital, or reputation. Risk is considered in terms of categories, one of which is operational risk. Operational risk is the risk of failure or loss resulting from inadequate or failed processes, people, or systems. Internal and external events can affect operational risk. Internal events include human errors, misconduct, and insider attacks. External events affecting IT and the institution’s ability to meet its operating objectives include natural disasters, cyber-attacks, changes in market conditions, new competitors, new technologies, litigation, and new laws or regulations. These events pose risks and opportunities, and the institution should factor them into the risk identification process.
Although information security threats may take many forms and involve many devious means, certain types of attacks occur more frequently than others.
Internal and External Threat
According to the Standards of General Data Protection Regulation, a threat is any circumstance or event with the potential to create a loss.
Internal threat
An internal threat is any instance of a user misusing resources, running malicious code, or attempting to gain unauthorized access to an application. Examples include unauthorized use of another user’s account, unauthorized use of system privileges, and execution of malicious code that destroys data or corrupts a system. More significant internal threats may include an otherwise authorized system administrator who performs unauthorized actions on a system.
External threat
An external threat is an instance of an unauthorized person attempting to gain access to systems or to cause a disruption of service. Examples include disruption / denial of service attacks, mail spamming, and execution of malicious code that destroys data or corrupts a system.
Malicious code attacks
Malicious code is typically written to mask its presence thus it is often difficult to detect. Self-replicating malicious code, such as viruses and worms, can replicate so rapidly that containment can become an especially difficult problem. Dealing with malicious code attacks requires special considerations.
Hacker / Cracker attacks
Hackers and crackers are users who attempt to obtain unauthorized access to systems. Until recently, hackers and crackers used virtually the same surreptitious methods to intrude. The average hacker may sit at a terminal entering commands, wait to see what happens, and then enter more commands. Now, most cracking attacks are automated and take only a few seconds, which makes identifying and responding to them more difficult. Crackers generally use “cracking utilities” (described above), which usually differ from conventional malicious code attacks in that most cracking utilities do not disrupt systems or destroy code. Cracking utilities are typically “a means to an end,” such as obtaining administrative-level access, modifying audit logs, etc.
Indications that a cracker or hacker may have compromised a system include the following symptoms:
§ Changes to directories and files.
§ A displayed last time of login that was not the actual time of last login.
§ Finding that someone else is logged into an individual’s account from another terminal.
§ Inability to login to an account (often because someone has changed the password).
Technical vulnerabilities
A vulnerability is a weakness in an information system, system security procedure, internal control, or implementation that could be exploited by a threat source. A technical vulnerability can be a flaw in hardware, firmware, or software that leaves an information system open to potential exploitation.
As opposed to an internal or external threat, a technical vulnerability is a “hole” or weakness in an information system or components (e.g., system security procedures, hardware design, and internal controls) that could be exploited to violate system security. Most of the currently known technical vulnerabilities in applications and operating systems have been discovered during development testing, user acceptance testing, certification and accreditation, security tests and audits.
In addition to technology-based vulnerabilities, weaknesses in business operational processes can create security vulnerabilities, exposing financial institutions to unwarranted risk. These vulnerabilities can include weaknesses in security procedures, administrative controls, physical layout, or internal controls that could be exploited to gain unauthorized access to information or to disrupt critical services.
In addition to the vulnerabilities within the institution’s system, vulnerabilities may also arise from interdependent and interconnected systems.
Risk Assessment
The risk measurement process should be used to understand the institution’s inherent risk and determine the risk associated with different threats. Management should use its measurement of the risks to guide its recommendations for and use of mitigating controls.
The CISO or their designee shall perform / facilitate an annual risk assessment. In performing these in-depth annual assessment reviews, the maturity level should be identified relative to the inherent risk of the institution. Furthermore, such assessment reviews should be summarized and a final report submitted for review with the board of directors. The summarized report should detail the inherent and residual cyber security risk, maturity level of the program, impact and likelihood of threats and the sufficiency of existing preventive, detective, and corrective controls in place to identify, manage, mitigate, and monitor risks.
The results of these annual assessment reviews will also be used by the CISO for enterprise wide considerations of oversight, level of controls, and planned next steps of action. In general, the assessment process consists of an Inherent Risk Profile, Cyber security Maturity, Framework Core & Tier Review, and a Threat & Controls Analysis.
Additionally, management could use a taxonomy for security-related events to help accomplish the following:
§ Map threats and vulnerabilities.
§ Incorporate legal and regulatory requirements.
§ Improve consistency in risk measurement.
§ Highlight potential areas for mitigation.
§ Select proper controls to cover various attack stages, channels, and assets.
§ Allow comparisons among different threats, events, and potential mitigating controls.
General Cyber Security Policy
Overview
Cyber security is the process of protecting consumer and institution information by preventing, detecting, and responding to attacks.
The IT Department’s intention in publishing this “Acceptable Use Policy” is not to impose restrictions that are contrary to CBI MONEY UAB’s culture of openness, trust and integrity. The IT Department is committed to protecting CBI MONEY UAB employees, partners, and the institution from illegal or damaging actions by individuals, whether knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of CBI MONEY UAB. These systems are to be used for business purposes in serving the interests of the institution, and of our clients and customers in the course of normal operations.
Effective security is a team effort involving the participation and support of every CBI MONEY UAB employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at CBI MONEY UAB. These rules are in place to protect the employee and CBI MONEY UAB. Inappropriate use exposes CBI MONEY UAB to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to the use of information, electronic and computing devices, and network resources to conduct CBI MONEY UAB business or interact with internal networks and business systems, whether owned or leased by CBI MONEY UAB, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at CBI MONEY UAB and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with CBI MONEY UAB policies and standards, and local laws and regulation.
This policy applies to employees, contractors, consultants, temporaries, and other workers at CBI MONEY UAB, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by CBI MONEY UAB.
Policy
• General Use and Ownership
CBI MONEY UAB proprietary information stored on electronic and computing devices whether owned or leased by CBI MONEY UAB, the employee or a third party, remains the sole property of CBI MONEY UAB.
Employees must ensure through legal or technical means that proprietary information is protected.
CBI MONEY UAB has a responsibility to promptly report the theft, loss, or unauthorized disclosure of CBI MONEY UAB proprietary information.
Employees may access, use or share CBI MONEY UAB proprietary information only to the extent it is authorized and necessary to fulfill their assigned job duties.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
• Security and Proprietary Concerns
All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy (Appendix A).
System level and user level passwords must comply with the Password Policy (Appendix B). Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
Postings by employees from a CBI MONEY UAB email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CBI MONEY UAB, unless posting is in the course of business duties.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
• Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of CBI MONEY UAB authorized to engage in any activity that is illegal under local or international law while utilizing CBI MONEY UAB-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
• System and Network Activities
The following activities are strictly prohibited, with no exceptions:
§ Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by CBI MONEY UAB.
§ Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which CBI MONEY UAB or the end user does not have an active license is strictly prohibited.
§ Accessing data, a server or an account for any purpose other than conducting CBI MONEY UAB business, even if you have authorized access, is prohibited.
§ Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
§ Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
§ Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
§ Using a CBI MONEY UAB computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
§ Making fraudulent offers of products, items, or services originating from any CBI MONEY UAB account.
§ Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
§ Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
§ Port scanning or security scanning is expressly prohibited unless prior notification is made to the IT Department.
§ Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
§ Circumventing user authentication or security of any host, network or account.
§ Introducing honeypots, honeynets, or similar technology on the CBI MONEY UAB network.
§ Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
§ Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
§ Providing information about, or lists of, CBI MONEY UAB employees to parties outside CBI MONEY UAB.
• Email and Communication Activities
When using CBI MONEY UAB resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that “the opinions expressed are my own and not necessarily those of the company”. Questions may be addressed to the IT Department.
§ Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
§ Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
§ Unauthorized use, or forging, of email header information.
§ Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
§ Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
§ Use of unsolicited email originating from within CBI MONEY UAB’s networks or those of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by CBI MONEY UAB or connected via CBI MONEY UAB’s network.
§ Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Policy Compliance
• Compliance Measurement
The IT Department team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
• Exceptions
Any exception to the policy must be approved by the DGM, IT Department in advance.
• Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Network Management and Security
Overview
Network management and its related security management are the most critical aspects of protecting the institution’s most valuable assets and protecting customer information from unauthorized access. Institutions in general have an established layered security approach to network security management. However, considering the present cyber threat scenario, layered security alone may not be adequate to combat cyber threats. In layered security, a “trust but verify” approach is commonly taken, implemented through policies, access control and event logging mechanisms. Institutions are to implement a Zero Trust security model, which takes a “don’t trust, always verify” approach. Moreover, no user, event or component is treated as an “insider” when designing the policies and procedures that implement the security mechanism.
Purpose
This policy provides guidance over and above the network mechanisms currently operating in the institution. It is not adequate only to ensure device security and policy implementation; the design approach itself must be reviewed, corrected and re-implemented periodically by the institution.
Scope
This policy is applicable to all system users, network administrators, third-party network monitoring organizations, the network configuration and maintenance team, the IT Infrastructure Management team, all staff, and independent contractors.
Policy
There are several sub-policies under this master policy; they are applicable as per the scope and purpose defined in this policy.
1. Routers and Switch Security Policy
Purpose
This section of the policy describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of the institution.
Scope
All employees, contractors, consultants, temporary and other staff at the institution must adhere to this policy. It covers all routers and switches connected to production networks or to the Test / UAT environment.
Policy
• No local user accounts can be configured on any router.
• IP directed broadcasting, TCP small services, all source routing and switching, UDP small services, all web services running on the router, incoming packets sourced from invalid addresses, discovery protocols, auto configuration, Telnet, FTP and HTTPS must be disabled on the router.
• Dynamic trunking, scripting environments and TCL shell services must be disabled.
• Password encryption must be enabled and NTP configured to a corporate standard.
• Use corporate standardized SNMP community strings. Default strings, such as public or private, must be removed. SNMP must be configured to use the most secure version of the protocol allowed for by the combination of the device and management systems.
• Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
• Access control lists for traffic transiting the device are to be added as business needs arise.
• Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.
• Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be enabled when supported.
• The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices including:
o IP access list accounting.
o Device logging.
o Incoming packets at the router sourced with invalid addresses, such as RFC 1918 addresses, or those that could be used to spoof network traffic, shall be dropped.
o Router console and modem access must be restricted by additional security controls.
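The configuration items in this section can be checked mechanically against exported device configurations. The Python script below is an added example, not part of the institution’s policy or tooling; it assumes a Cisco IOS-style configuration syntax (explicit `no ...` statements for disabled services) and uses two constructed configurations, one that violates the policy and one that is hardened.

```python
import re

# Constructed router configs in IOS-style syntax (assumed format; not the
# institution's real device configurations). The first violates several
# policy items; the second is the corresponding hardened configuration.
WEAK_CONFIG = """\
hostname edge-rtr
username admin privilege 15 password 0 CHANGEME
ip source-route
ip http server
cdp run
snmp-server community public RO
snmp-server community private RW
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
no ip http secure-server
no cdp run
ntp server 192.0.2.10
ip ssh version 2
snmp-server community Zq8vT4pLmN RO
access-list 10 permit 192.0.2.0 0.0.0.255
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 no ip directed-broadcast
line vty 0 4
 access-class 10 in
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def _lines(config):
    """Split a config into stripped, non-empty lines."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def _present(lines, pattern):
    """True if any line starts with the given regular expression."""
    rx = re.compile(pattern)
    return any(rx.match(ln) for ln in lines)


def _snmp_ok(lines):
    """Policy: default community strings (public/private) must be removed."""
    communities = [m.group(1) for ln in lines
                   if (m := re.match(r"snmp-server community (\S+)", ln))]
    return all(c.lower() not in DEFAULT_COMMUNITIES for c in communities)


def _no_telnet_vty(lines):
    """Policy: Telnet must not be accepted for management; SSH v2 instead."""
    return not any(ln.startswith("transport input") and "telnet" in ln
                   for ln in lines)


# One check per policy item: (item, predicate that is True when compliant).
CHECKS = [
    ("no local user accounts", lambda ls: not _present(ls, r"username\s")),
    ("IP directed broadcast disabled", lambda ls: not _present(ls, r"ip directed-broadcast$")),
    ("TCP small services disabled", lambda ls: _present(ls, r"no service tcp-small-servers")),
    ("UDP small services disabled", lambda ls: _present(ls, r"no service udp-small-servers")),
    ("source routing disabled", lambda ls: _present(ls, r"no ip source-route")),
    ("web services disabled", lambda ls: _present(ls, r"no ip http server")
     and not _present(ls, r"ip http secure-server")),
    ("discovery protocol disabled", lambda ls: _present(ls, r"no cdp run")),
    ("password encryption enabled", lambda ls: _present(ls, r"service password-encryption")),
    ("NTP configured", lambda ls: _present(ls, r"ntp server\s")),
    ("non-default SNMP community strings", _snmp_ok),
    ("Telnet not accepted for management", _no_telnet_vty),
    ("SSH version 2 enforced", lambda ls: _present(ls, r"ip ssh version 2")),
    ("ACL restricts traffic terminating on device", lambda ls: _present(ls, r"access-class \S+ in")),
]


def audit_router_config(config):
    """Return {policy item: compliant?} for one router configuration."""
    lines = _lines(config)
    return {item: bool(check(lines)) for item, check in CHECKS}


def findings(config):
    """List the policy items a configuration fails, in policy order."""
    return [item for item, ok in audit_router_config(config).items() if not ok]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(findings(cfg))} finding(s)")
        for item in findings(cfg):
            print("  FAIL", item)
```

Running the script lists every item the weak configuration fails and no findings for the hardened one; in practice the same checks would be run over configurations pulled from the device inventory.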
2. Remote access tools Policy
Overview
Remote desktop software, also known as remote access tools, provides a way for computer users and support staff alike to share screens, access work computer systems from home, and vice versa. Examples of such software include LogMeIn, GoToMyPC, TeamViewer, Ammyy Admin, VNC (Virtual Network Computing), and Windows Remote Desktop (RDP).
While these tools may have benefits, they also provide a back door into the institution’s network that can be used for theft of, unauthorized access to, or destruction of institution assets. As a result, only approved, monitored, and properly controlled remote access tools may be used on the institution’s computer systems, and only with prior approval from the IT Department.
Purpose
This policy defines the requirements for remote access tools used at institution.
Scope
This policy applies to all remote access where either end of the communication terminates at an institution computer asset.
Policy
All remote access tools used to communicate between institution’s assets and other systems must comply with the following policy requirements.
· All remote access tools or systems that allow communication to institution resources from the Internet or external partner systems must require multi-factor authentication. Examples include authentication tokens and smart cards that require an additional PIN or password.
· The authentication database source must be Active Directory or LDAP, and the authentication protocol must be a challenge-response protocol that is not susceptible to replay attacks. The remote access tool must mutually authenticate both ends of the session.
· Remote access tools must support the institution’s application layer proxy rather than direct connections through the perimeter firewall(s).
· Remote access tools must support strong, end-to-end encryption of the remote access communication channels, as specified in the institution’s network encryption protocols policy.
· The institution’s antivirus, data loss prevention and other security systems must not be disabled, interfered with or circumvented in any way.
3. Wireless Communication Policy
Overview
With smartphones and tablets being used more often, wireless connectivity is almost a given at any organization. An insecure wireless configuration can provide an easy open door for malicious threats.
Purpose
The purpose of this policy is to secure and protect the information assets owned by the institution. The institution provides computer devices, networks and other electronic information systems to meet its missions, goals and initiatives. The institution grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity and availability of all information assets.
Scope
All employees, contractors, consultants, temporary and other staff at the institution, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of the institution, must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to the institution’s network or reside on an institution site and provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones and tablets. This includes any form of wireless communication device capable of transmitting packet data.
Policy
General Requirements:
All wireless infrastructure devices that reside at an institution site and connect to the institution’s network, or provide access to information classified as institution Confidential or above, must:
· Be installed, supported and maintained by an approved support team.
· Use institution-approved authentication protocols and infrastructure.
· Use institution-approved encryption protocols.
· Maintain a hardware address (MAC address) that can be registered and tracked.
· Not interfere with wireless access deployments maintained by other support organizations.
4. DNS Security Policy
Overview
· The institution shall adopt DNS security to protect its IT assets rather than relying only on a layered security approach, i.e. deploying multiple security solutions such as firewalls, secure web gateways, intrusion prevention systems and endpoint anti-virus solutions. Even after such deployments, malicious actors persist in trying to gain access to critical systems by exploiting security weaknesses. One such gap is recursive DNS, which can serve as an unprotected back door.
· DNS resolvers perform one function: they take a human-readable domain name and find the corresponding IP address of the server where the resource is located. The resolver either finds the IP address in its cache or uses recursive DNS to work through the hierarchy of DNS name servers and authoritative DNS servers. By implementing a DNS-based security solution, the institution will no longer resolve these DNS requests blindly.
· The DNS-based security solution will act as the institution’s enterprise DNS server. It will check domain names against comprehensive, up-to-date threat intelligence before resolving the IP address.
Policy
The institution shall adopt a DNS-based security solution and put in place a mechanism to continuously verify up-to-date threat intelligence before resolving an IP address for the requestor. No requestor should be treated as a trusted “insider” when configuring the DNS-based security solution.
The threat intelligence behind the institution’s DNS-based security solution shall be able to:
· Deliver intelligence that focuses on threats that are current and relevant.
· Draw from a broad and comprehensive volume of DNS and IP traffic so it is able to quickly identify global threat trends and detect threats before they are widely active.
· Differentiate between dedicated domains that have been created specifically for malicious use and legitimate domains that have been compromised.
· Provide a very low rate of false-positive security alerts, so that the institution’s security team does not waste time and effort investigating them.
Source Code Security Management
Overview
All management and use of project software source code must follow the company’s standardized method. The software source code management tool (software configuration management tool) must meet the company’s approved security requirements for information storage, rights management, data backup and recovery, and the hardware server environment. Managing the source code of a software project with configuration management tools that the company has not permitted is prohibited.
Purpose
This standard is formulated to standardize the secure use, access, management and protection of software source code during the company’s project development process, to ensure its confidentiality, integrity and availability, and to safeguard the company’s rights and intellectual property. It sets out clear requirements for the definition, secure utilization and management of the source code information assets of the company’s software products.
Scope
This specification applies to the management of all software source code information of the company (including branches at all levels). In this specification, “source code” is a general term that covers source code, source files, resource files, images, etc.
This specification applies to all employees of the company.
Policy
• Source code confidentiality classification and definition
1. Confidentiality level definition
Each software source code creator must determine the confidentiality level of the project source code at creation.
The company’s definition of the confidentiality level of source code resources must be implemented in accordance with the following table. The source code creator cannot lower the confidentiality level standard but can increase the security level.
| Information type | Information asset name | Recommended confidentiality level |
|---|---|---|
| Source code | All source code, including various supporting data, binary files and database files | Confidential |
| Source code | Intermediate code | Confidential |
| Source code | Unpublished executable code | Confidential |
| Source code | Non-critical software R&D source code, such as for marketing activities | Public |
| Operating environment | Related content of the system operating environment, such as the system operating platform, environment configuration files, etc. | Confidential |
2. Determination, modification and declassification of the information confidentiality period
The creator and users of source code determine its confidentiality period according to the definition of its confidentiality level and in compliance with departmental regulations, company policy and relevant legal regulations. When the confidentiality period of the source code is to be changed or the source code is to be declassified, the creator must submit an application, and the change may be made only after the direct superior has reviewed and approved it.
3. Guidelines for using confidentiality level
Source code is generally stored in the form of electronic documents. Storage is managed by an authorized configuration manager, who sets the correct access rights.
Source code stored as electronic documents and classified as “confidential” may be released only to employees within the project team and to employees who have signed a confidentiality agreement and need access; its access rights management must comply with the company’s software configuration management specifications.
For non-critical source code or data files that are determined to be publicly available (such as those for marketing activities), the storage and access rights management methods are defined by the department.
• Source code security management specification
1. Use of source code and rights management
All source code produced during project development must be stored in the software configuration management system approved by the company, and the configuration manager is responsible for user rights management; the access control strategy must meet the requirements of the company’s software configuration management specifications.
Source code usage permissions within the project team are confirmed by the project leader and then set up and opened by the configuration manager. If project team members change, the project leader must approve the change and submit it to the configuration manager for the permission changes.
Colleagues in the same department but outside the project team who need to use or borrow the source code must submit an application to the project leader for approval before it is passed to the configuration manager for authorization.
When a project member resigns, the project leader shall notify the configuration manager to revoke the member’s project access rights the same day, and the configuration manager is responsible for ensuring that all source code is deleted from the member’s machine within the specified time.
It is strictly forbidden to print source code documents to unattended public printers without authorization, and it is strictly forbidden to disclose the source code to unauthorized persons.
The company will regularly audit the source code access rights of each department to ensure that the application for, setting of and changes to access rights comply with this specification and other related company regulations.
The Legal Affairs Department is responsible for protecting the security of the company’s intellectual property. If loopholes in source code management are discovered, it should propose corrective actions; the departments involved should take timely measures to improve their management, and the Legal Affairs Department and the R&D management department should evaluate the effect of the improvements.
2. Source code backup and backup verification management
The source code stored uniformly on the software configuration management system approved by the company will be regularly backed up in the form of standardized data.
The source code backup management requirements are the following:
Data backup and daily maintenance of the server system need to be managed by a dedicated person, and operate in accordance with the data backup standards and server system maintenance standards required by the Management Engineering Department.
Backup strategy: daily incremental backup, weekly full backup
The management requirements for source code backup and restoration verification are as follows:
Verify all data quarterly as full verification.
Part of the data is sampled and verified every month as a usual verification.
The verification result is sent to the relevant responsible party.
3. Source code backup data recovery management
In the event of an incident such as a server system shutdown, the source code must be quickly restored from the full backup data of one day earlier.
User Access Right - Control /Management
Overview
Management should develop a user access program to implement and administer physical and logical access controls to safeguard the institution’s information assets and technology. This program should include the following elements:
· Principle of least privilege, which recommends minimum user profile privileges for both physical and logical access based on job necessity.
· Alignment of employee job descriptions to the user access program.
· Requirements for business and application owners to define user profiles.
· Ongoing reviews by business line and application owners to verify appropriate access based on job roles with changes reported on a timely basis to security administration personnel.
· Timely notification from human resources to security administrators to adjust user access based on job changes, including terminations.
· Periodic independent reviews that ensure effective administration of user access, both physical and logical.
User rights management is a security feature controlling which resources (e.g. assets, applications, data, devices, files, networks and systems) a user can access and what actions a user can perform on those resources. User rights management typically entails creating a rights profile granting privileges to access specific resources and perform particular actions, creating groups and/or roles, assigning groups or roles to a particular rights profile, assigning individual users to one or more groups, and adding, updating or deleting profiles, groups, roles or users.
Purpose
This policy sets forth the guidelines for user rights management governing access to any particular information or piece of information, data, file, application suite, application, software program, hardware or operating system program, configuration, document, stored procedure, repository, critical information, classification of information, database record, business application, business function or profile function available, operational or residing within the institution. This policy also covers the applicability of user management to third-party sites connected to the institution’s corporate network, DR sites, near-DR locations and external or internal storage systems.
Scope
This policy is applicable to all users, groups of users, profiles and individuals accessing information, including business information users and transaction information users, who are operational or active in the institution.
Policy
Protecting IT systems and applications is critical to maintaining the integrity of the institution’s technology infrastructure and preventing unauthorized access to such resources.
Access to the institution’s systems must be restricted to authorized users and processes only, based on the principles of need to know and least privilege.
The institution will grant access privileges to its technology infrastructure (desktops, laptops, servers, applications, databases, networks, mobile devices, IT infrastructure management systems, control systems, surveillance and vigilance systems, identity and access management systems) based on the following principles:
· Need to know: users or resources will be granted access only to the systems that are necessary to fulfill their roles and responsibilities.
· Least privilege: users or resources will be provided the minimum privileges necessary to fulfill their roles and responsibilities.
· Existing user accounts and access rights will be reviewed at least annually to detect dormant accounts and accounts with excessive privileges.
· All user accounts and their access rights, granted privileges for usage of the systems shall be documented and approved by the competent authority of the institution.
· Where possible, all default users will be disabled or changed. These accounts include “Guest”, “Temp”, “Default Admin” and any other commonly known users or user groups.
· Test accounts are only to be created if they are justified by the relevant business area. Such test accounts will be disabled or suspended once the test exercise for which the user or group of users was created is complete.
· Vendor accounts created for a specific access or troubleshooting purpose shall be deleted immediately after completion of the task.
· Access rights shall differ between zones, including the demilitarized zone, and no user or profile shall have the same rights or user name in the Test Zone as in the Production Zone.
· Shared user accounts are only to be used on an exception basis with proper approval from the competent authority in the institution.
· A nominative and individual privileged user account must be created for administrative accounts instead of generic administrator account names.
· Privileged user accounts can only be requested by managers or supervisors and must be appropriately approved.
· Passwords shall be handled according to the password policy.
· All exceptions to this policy shall be formally documented and the same shall be approved by the competent authority.
Refer to CBI MONEY UAB
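As an added example of the periodic review the policy above calls for (not the institution’s own tooling), the following Python script runs the dormant-account, least-privilege, default-account, generic-administrator, shared-account and test/vendor-account checks over a constructed extract of account records. The role model, the account records and the 90-day dormancy threshold are assumptions of the example; the policy itself only fixes the review frequency (at least annually).

```python
"""User access review implementing the checks in the access policy:
dormant accounts, privileges beyond the job role, enabled default or generic
accounts, shared accounts without an approved exception, and test or vendor
accounts left active after their task.

Added example, not the institution's own tooling. Account records, role
model and the 90-day dormancy threshold are constructed assumptions.
"""
from datetime import date

# Constructed role model: the minimum privileges each role needs (least privilege).
ROLE_PRIVILEGES = {
    "teller": {"read_accounts", "post_transaction"},
    "auditor": {"read_accounts", "read_logs"},
    "sysadmin": {"read_logs", "manage_servers", "manage_users"},
}
# Default accounts named in the policy plus the generic administrator name.
DEFAULT_ACCOUNTS = {"guest", "temp", "default admin", "administrator"}
DORMANT_DAYS = 90  # assumption for this example; policy requires annual review


def review_access(accounts, today, approved_exceptions=frozenset()):
    """Return sorted (account, finding) pairs for enabled accounts only."""
    findings = []
    for acct in accounts:
        if not acct.get("enabled", True):
            continue  # already disabled: nothing to review
        name = acct["name"]
        if name.lower() in DEFAULT_ACCOUNTS:
            findings.append((name, "default or generic account still enabled"))
        allowed = ROLE_PRIVILEGES.get(acct.get("role"), set())
        excess = set(acct.get("privileges", ())) - allowed
        if excess:
            findings.append((name, "privileges beyond role: " + ", ".join(sorted(excess))))
        last = acct.get("last_login")
        if last is None or (today - last).days > DORMANT_DAYS:
            findings.append((name, "dormant account"))
        if acct.get("shared") and name not in approved_exceptions:
            findings.append((name, "shared account without approved exception"))
        end = acct.get("task_end")  # end of the test exercise or vendor task
        if acct.get("kind") in ("test", "vendor") and end and end < today:
            findings.append((name, f"{acct['kind']} account still active after task completed"))
    return sorted(findings)


# Constructed sample extract of the directory / IAM system.
REVIEW_DATE = date(2022, 3, 25)
SAMPLE_ACCOUNTS = [
    {"name": "j.smith", "role": "teller", "privileges": {"read_accounts", "post_transaction"},
     "last_login": date(2022, 3, 24)},
    {"name": "a.patel", "role": "auditor",
     "privileges": {"read_accounts", "read_logs", "manage_users"}, "last_login": date(2022, 3, 10)},
    {"name": "Guest", "role": None, "privileges": set(), "last_login": None},
    {"name": "svc_shared", "role": "teller", "privileges": {"read_accounts"},
     "last_login": date(2022, 3, 1), "shared": True},
    {"name": "qa_test01", "role": "teller", "privileges": {"read_accounts"},
     "last_login": date(2022, 2, 20), "kind": "test", "task_end": date(2022, 2, 28)},
    {"name": "old.admin", "role": "sysadmin", "privileges": {"manage_servers"},
     "last_login": date(2021, 6, 1)},
    {"name": "adm-jdoe", "role": "sysadmin", "privileges": {"manage_servers", "manage_users"},
     "last_login": date(2022, 3, 24)},  # nominative privileged account, as required
    {"name": "Temp", "role": None, "privileges": set(), "last_login": None, "enabled": False},
]

if __name__ == "__main__":
    for account, finding in review_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{account:12} {finding}")
```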
Preventing Access to Un-authorized software
Overview
This policy and procedure set the guidelines for the proper usage of software, interfaces and API programs that are authorized for use in the institution’s operations. Any unauthorized use of such software or programs may lead to fraudulent activities and malpractice, since the vigilance controls over such software are not seamlessly integrated with the other software programs in use for the institution’s production business functions.
Sensitive or mission-critical applications should incorporate the appropriate access controls that restrict which functions are available to users and other applications. These access controls allow authorized users and other applications to interface with related databases. Some security software programs integrate access control between the operating system and some applications. This software is useful when applications do not have access controls or when the institution uses security software instead of its native access controls. Management should understand the functionality and vulnerabilities of the application access control solutions and consider those issues in the risk management process.
Management should implement effective application access controls by doing the following:
• Implementing a robust authentication method consistent with the criticality and sensitivity of the application.
• Easing the administrative burden of managing application access rights by using group profiles. Managing access rights individually can lead to inconsistent or inappropriate access levels.
• Periodically reviewing and approving the application access assigned to users for appropriateness.
• Communicating and enforcing the responsibilities of programmers, security administrators, and application owners for maintaining effective application access control.
• Setting time-of-day or terminal limitations for some applications or for more sensitive functions within an application.
• Logging access and events, defining alerts for significant events, and developing processes to monitor and respond to anomalies and alerts.
Purpose
The purpose of the policy is to guide users for usage of secured and authorized software within the institution for institution operations. In order to establish the security practices, it is essential to use only authorized / recommended software / piece of software / interface by the OEM / Supplier of the host application software those are being used for institution Business. In case third-party software is being used to carry out such institution transaction, a written consent has to be obtained from the supplier for usage of the same.
Scope
This policy is applicable to all the institution Systems which are being used for production / non-production activities within the institution premises in respect to its use and the user in the institution. This policy applies but is not limited to
• All Servers, Desktop, Laptops Systems operational for production activities in the institution.
• All Network Devices, Firewalls, IDP Sensors, Other related security appliances, Routers, Switches, SANS/NAS/Storage Systems / Sub-Systems operational within the institution.
Policy
Unauthorized or non-recommended software, pieces of software or applications shall not be used on production systems by employees or contractors using institution applications. The IT Department / CIO is authorized to remove such unauthorized applications, software or pieces of software with prior approval from the escalation authority of the IT Department.
• Unauthorized Application Software
Unauthorized software is any piece of software, application or interface to a host system that is installed on any workstation or server, or stored in a library, without the prior consent or knowledge of the authority or supplier(s). This includes, but is not limited to, rogue software, Trojans, protocol analyzers, shareware, freeware, communication software, monitoring software and any other software that permits or promotes hacking, system intrusion or system performance degradation.
• Standard / Authorized Applications / Software
A standard application is one which is contractually agreed by the authority / OEM of the application or software, and recommended or consented to by the supplier of the application or software for the purpose of carrying out business operations.
• Non-Standard Application Software
A non-standard, unauthorized application or software program is one which is not supplied or recommended by the OEM or an authorized application service provider and does not have any legal or contractual agreement or consent for usage from the OEM.
Secure Configuration Management
Overview
Configuration management is the process of securely maintaining the institution’s technology assets by developing expected baselines for tracking, controlling, and managing systems settings. Security Configuration covers platform related configurations, device and environment hardening etc. To mitigate information security risk, management should control configurations of systems, applications, and other technology. An effective configuration management relies on its policies and procedures to ensure compliance with minimally acceptable system configuration requirements. When information systems change, management should update baselines; confirm security settings; and track, verify, and report configuration items. Configurations should be monitored for any unauthorized changes, and misconfigurations should be identified. Management can use automated solutions to help track, manage, and identify necessary corrections.
Cyber security is of the utmost importance to risk management. Configuration management is the detailed recording and updating of information that describes hardware and software. It consists of an inventory of authorized and unauthorized devices, secure configuration of hardware and software, and controlled use of administrative privileges.
Purpose
This policy sets the guidelines for ensuring secure configuration management practices within the institution. The institution shall ensure these practices are in place to reduce the risk of cyber threats arising from malicious changes to the configuration of devices operated for business operations. Moreover, good configuration management practices reduce downtime in the event of a compromise by an intruder.
Scope
The policy specifically applies to:
· Security professionals
· Network and system administrators
· The CIO
· The Head of the IT Department
· Officials of the IT Department of the institution
· IT assets and devices that support the critical and non-critical IT infrastructure of the institution.
Policy
Configuration management practices shall be put in place for all hardware and software components, all cyber space, and the critical and non-critical IT infrastructure operational at the institution. The practices shall be reviewed at periodic intervals for their correctness.
The institution shall adopt standard secure configuration management practices and create a repository for all the components described in this policy. The institution must also ensure that the privileges to make changes are given to authorized officials only, specifically the Head of the IT Department / CIO, and that the mechanism put in place provides complete control with event management logging. These practices include:
· Determining the purpose of the applications and systems and documenting the minimum software and hardware requirements and services to be included.
· Installing the minimum hardware, software and services necessary to meet the requirements, using a documented installation procedure.
· Installing and verifying the necessary patches.
· Installing the most secure and up-to-date versions of applications.
· Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user (i.e., enforcing the principle of least privilege).
· Configuring security settings as needed, enabling only allowed activity and prohibiting non-approved activities.
· Enabling logging.
· Creating cryptographic hashes (fixed-length outputs of a cryptographic algorithm applied to the file contents) of key files.
· Archiving the configuration and checksums in secure storage before system deployment.
· Using secure replication procedures for additional, identically configured systems and making configuration changes on a case-by-case basis.
· Changing all default passwords.
· Testing the system to ensure a secure configuration.
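The hashing and archiving steps above, as an added example that is not part of the original policy: a Python script builds a baseline of SHA-256 hashes of key files, records a digest of the archived baseline itself, and later verifies the live system against it, reporting a modified file, a missing file and a tampered archive. The files, their contents and the JSON baseline format are constructed assumptions of the example.

```python
"""Configuration baseline built from cryptographic hashes of key files, as the
secure configuration steps require: hash the files before deployment, archive
the baseline together with its own digest, and later verify the live system.

Added example, not the institution's own tooling. Files and contents are
constructed in a temporary directory so the block runs offline; the JSON
baseline format is an assumption of this example.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def create_baseline(paths):
    """Hash each key file; this is the record archived before deployment."""
    return {"files": {p: sha256_file(p) for p in sorted(paths)}}


def baseline_digest(baseline):
    """Digest over the canonical JSON form, kept separately from the archive
    so that tampering with the archived baseline itself is detectable."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_baseline(baseline, expected_digest):
    """Return (baseline_trusted, findings); findings are 'modified <path>' or
    'missing <path>'. A baseline whose digest does not match is not used."""
    if baseline_digest(baseline) != expected_digest:
        return False, ["baseline archive does not match its recorded digest"]
    findings = []
    for path, digest in baseline["files"].items():
        if not os.path.exists(path):
            findings.append(f"missing {path}")
        elif sha256_file(path) != digest:
            findings.append(f"modified {path}")
    return True, findings


def demo():
    """Constructed scenario: baseline three key files, then weaken one, delete
    another, and finally try to hide the change by editing the archive."""
    root = tempfile.mkdtemp()
    contents = {
        "sshd_config": b"PasswordAuthentication no\nPermitRootLogin no\n",
        "sudoers": b"%wheel ALL=(ALL) ALL\n",
        "app.yaml": b"debug: false\n",
    }
    paths = {}
    for name, data in contents.items():
        paths[name] = os.path.join(root, name)
        with open(paths[name], "wb") as f:
            f.write(data)

    baseline = create_baseline(paths.values())
    digest = baseline_digest(baseline)
    archive = json.dumps(baseline)  # what goes to secure storage, with the digest
    trusted, clean = verify_baseline(json.loads(archive), digest)

    # Unauthorized changes on the live system after deployment.
    with open(paths["sshd_config"], "ab") as f:
        f.write(b"PermitRootLogin yes\n")
    os.remove(paths["sudoers"])
    _, drift = verify_baseline(json.loads(archive), digest)

    # Someone edits the archived hash to match the weakened file.
    tampered = json.loads(archive)
    tampered["files"][paths["sshd_config"]] = sha256_file(paths["sshd_config"])
    tamper_trusted, _ = verify_baseline(tampered, digest)

    return {
        "clean": clean if trusted else None,
        "drift": sorted(f.split(" ", 1)[0] for f in drift),
        "tamper_detected": not tamper_trusted,
    }


if __name__ == "__main__":
    print(demo())
```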
The institution may use standard applications authorized by the OEM companies to support secure configuration management.
Virus Protection and End Point Security
Overview
The objective of this policy is to reduce the cyber security risks associated with all possible end-points, i.e. users’ desktop and laptop systems and the data center used for business operations. Unsecured end-points, or end-points without anti-virus protection, may allow information to leave the organization and be used by intruders or cyber criminals to plan a cyber-attack on the institution.
Management must develop policies and procedures to ensure that remote access by employees, whether using institution-owned or personally owned devices, is provided in a safe and sound manner. Such policies and procedures should define how the institution provides remote access and the controls necessary to offer remote access securely. Management should employ the following measures:
· Disable remote communications if no business need exists.
· Tightly control remote access through management approvals and subsequent audits.
· Implement robust controls over configurations at both ends of the remote connection to prevent potential malicious use.
· Log and monitor all remote access communications.
· Secure remote access devices.
· Restrict remote access during specific times.
· Limit the applications available for remote access.
· Use robust authentication methods for access and encryption to secure communications.
Purpose
The purpose of this policy is to regulate access to, and protection of, the institution’s business information and production applications when accessed through desktops, laptops, mobile devices or similar. This policy seeks to limit security threats by:
· Ensuring staff are aware of the requirements and restrictions around end-point devices.
· Enabling protective measures and controls to manage end-point security and software compliance risks.
Scope
This policy is applicable to all end-points connected to the institution’s network for accessing information being used for business operations and purposes.
Policy
All the staff members are responsible to ensure:
· All precautions are taken to prevent the unintended exposure, modification or removal of private, copyrighted or confidential information as a result of leaving this information on the desktop screen or desk, or exposing it in such a way that it can be viewed or accessed by unauthorized individuals. This includes information stored on portable storage media or hard drives.
· Any private or confidential information stored on such an end-point has the appropriate security controls to restrict and prevent retrieval or interception by an unauthorized third party.
· Endpoint software application/business application is updated regularly and the software vendors are providing security patches.
· Updated Anti-virus applications are installed at all the end-points and are set to update automatically from the central mechanism/OEM facility and restart to complete the installation process.
· Approved critical security patches are applied on a weekly basis, and only those approved and provided by the OEM vendors are used.
· Endpoint systems must be restarted post installation/update of security patches.
· OS that no longer has support shall not be connected to the corporate network of the institution business operations.
· Removal of end-point management software or anti-virus software without prior approval from the competent authority is treated as a breach of this policy.
· Unnecessary administrative privileges given to the end-point must be restricted by applying appropriate mechanism.
· All endpoints capable of running anti-virus programs are mandatorily required to do so before connecting them to the corporate network of the institution.
· Exemption to this policy must be formally requested to the competent authority and such approval shall be obtained before connecting to the institution’s network.
To combat the risk of virus attacks, the CIO is to utilize the following controls:
· Access control programs on all computers;
· Prohibition of the use of software obtained outside an organization’s approved channels;
· Prohibition of downloading utilities or other programs from on-line services;
· Provision of a PC for testing and inspection by antiviral programs of new or unknown programs before they are introduced to the user community;
· Establishment of a written contingency and emergency notification plan for viral attacks.
· Annually prepare an IT Strategic Plan approved by the President.
Additional activities that can be performed to protect against viruses include the following:
· Never put untrusted programs in hard disk root directories. Most viruses can affect only the directory from which they are executed; therefore, untrusted computer programs should be stored in isolated directories containing a minimum number of other sensitive programs or data files;
· In LAN environments, avoid placing untrusted computer programs in common file-server directories;
· Limit access to the file-server modem to authorized network administrators;
· When transporting files from one computer to another, use a third-party consultant to check executable files for infection before transferring them.
· When sharing computer programs, share source code rather than object code, since source code can be more easily scanned for unusual contents.
Operating System and Patch Management
Overview
Operating system and patch management practices ensure uninterrupted services on the critical production systems responsible for the business operations of the institution. Patch management is not an event; it is a process for identifying, acquiring, installing and verifying patches for the operating system and the other software programs that reside on it. Patches correct security and functionality bugs in the software and firmware of the server and its operating system. From a security perspective, patches are most often of interest because they mitigate software flaw vulnerabilities. Proper application of the relevant patches eliminates the vulnerabilities and reduces the risk of exploitation.
Purpose
Management should establish procedures to stay up to date with available patches, to test them in a segregated environment, and to install them when appropriate. Patch management procedures should require documentation of any patch installation. Management should develop a process to ensure version control of operating and application software so that the latest releases are implemented. Management should also maintain a change record of the versions in place and should regularly monitor the Internet and other resources for bulletins about product enhancements, security issues, patches or upgrades, or other problems with the current versions of the software.
Scope
All critical and non-critical systems that are operational for production and non-production activities in the institution.
Policy
All systems, both production and non-production, shall be regularly scanned for vulnerabilities, and the patches released by the OEM of the operating system shall be identified for the servers, desktop systems, laptops, SAN/NAS/storage systems, network devices, security mechanism devices/appliances, firewalls, load balancers, web application servers, core application servers and all other software and hardware components deployed in the IT infrastructure of the institution.
Security patch management regulates the identification and installation of information system security patches, reduces the security risks caused by information system vulnerabilities, and improves the attack resistance of the information systems. The security patch management procedure consists of patch follow and notification, patch obtainment, patch testing, patch loading, patch verification and patch archiving, which must be implemented step by step.
The security officer of our company is responsible for security patch follow, patch classification and patch information notification. Security management of each department is responsible for providing security patch software obtained from formal channels, auditing and supervising security patch loading.
The security officer is responsible for informing the relevant system administrators of the patch information obtained, distributing the security patch software, and supervising and reporting the patch loading of each business system.
The business system administrators are responsible for coordinating the testing, loading, and rollback of security patches, coordinating the formulation of the patch loading process and rollback plan, supervising and verifying after the patch loading, and reporting the patch loading situation of their operating system to the security administrator.
The integration vendors of each operating system are responsible for the testing of security patches, the formulation of the patch loading process and rollback plan, and the implementation of patch loading and rollback. They are also responsible for modifying the software when patch loading affects the normal operation of the business.
The product manufacturer is responsible for releasing security patch information to the company’s security administrator and for providing the security patch software in a timely manner.
Patch Follow and Notification
The security administrator of our company is responsible for following the security vulnerability information of each product and the security patch information released by the product manufacturer.
Security patches are divided into three levels according to the seriousness of the corresponding vulnerability: emergency patches, important patches and general patches. Emergency patches must be loaded within 15 days, important patches within one month, and general patches within two months.
The security administrator is responsible for publishing the security patch information and notifying the relevant operating system administrators.
Patch Obtainment
The security administrator of our company is responsible for obtaining security patch from formal channels.
The security administrator is responsible for verifying the integrity of the security patch to ensure that the obtained security patch software has not been modified before it is used.
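As an added example (not part of the policy document), a small Python helper that applies the loading deadlines from Patch Follow and Notification and performs the integrity check described above, comparing the SHA-256 of the obtained patch file with the hash the manufacturer published through the formal channel. The patch bytes and the published hash are constructed for the example, and a month is taken as 30 days (an assumption).

```python
import hashlib
import hmac
from datetime import date, timedelta

# Loading deadlines from the policy: emergency 15 days, important one month,
# general two months. One month is approximated as 30 days here (assumption).
DEADLINE_DAYS = {"emergency": 15, "important": 30, "general": 60}


def loading_deadline(level: str, released: date) -> date:
    """Latest date by which a patch of the given level must be loaded."""
    if level not in DEADLINE_DAYS:
        raise ValueError(f"unknown patch level: {level!r}")
    return released + timedelta(days=DEADLINE_DAYS[level])


def is_overdue(level: str, released: date, today: date) -> bool:
    """True when the loading deadline for this patch has already passed."""
    return today > loading_deadline(level, released)


def verify_patch_integrity(patch_bytes: bytes, published_sha256: str) -> bool:
    """Compare the obtained file's SHA-256 with the manufacturer-published hash.

    compare_digest avoids leaking where the two hex strings first differ.
    """
    digest = hashlib.sha256(patch_bytes).hexdigest()
    return hmac.compare_digest(digest, published_sha256.strip().lower())


def triage_patch(name, level, released, today, patch_bytes, published_sha256):
    """Record for the security administrator: deadline, overdue flag, and
    whether the patch may proceed to testing (only if integrity verified)."""
    integrity_ok = verify_patch_integrity(patch_bytes, published_sha256)
    deadline = loading_deadline(level, released)
    return {
        "patch": name,
        "level": level,
        "deadline": deadline.isoformat(),
        "overdue": today > deadline,
        "integrity_ok": integrity_ok,
        "proceed_to_testing": integrity_ok,
    }


# Constructed sample input; PUBLISHED_HASH stands in for the vendor's hash.
PATCH_FILE = b"constructed sample patch payload, not a real vendor patch\n"
PUBLISHED_HASH = hashlib.sha256(PATCH_FILE).hexdigest()

if __name__ == "__main__":
    rec = triage_patch("sample-patch", "emergency", date(2022, 3, 18),
                       date(2022, 4, 5), PATCH_FILE, PUBLISHED_HASH)
    print(rec)  # emergency patch released 2022-03-18 is overdue on 2022-04-05
```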
Patch Testing
The patch must be tested strictly before loading. It is forbidden to load the patch directly on the system without testing.
There are two ways of patch testing: laboratory testing and existing-network testing. Laboratory testing must be carried out; the laboratory environment should be as consistent with the existing network environment as possible, and the risk carried by any differences should be considered. Existing-network testing can be carried out under conditions such as a test environment or a backup machine.
The content of patch testing includes patch installation testing, patch functionality testing, patch compatibility testing and patch rollback testing.
The patch installation testing mainly tests whether the patch installation process is correct and whether the system starts normally after the patch is installed.
The patch functional testing mainly tests whether the patch has fixed the security vulnerability.
The patch compatibility testing mainly tests whether the patch affects the application system after loading and whether the business can run normally.
The patch rollback testing mainly includes patch unload testing and system restore testing.
Patch testing is implemented by the system integration vendor and coordinated by the system administrator. The time allowed for patch field testing and existing-network testing must be limited. After the testing is completed, a detailed testing report must be prepared that gives a clear test conclusion.
The system administrator must submit the patch testing report to the security administrator, who submits it to the Cyber and Education Technology Center for audit. The patch can be loaded after the audit.
In order to ensure that the system integration vendor cooperates with patch testing and installation in time, the vendor's responsibility for patch testing and installation must be defined in the contract. The restraint clauses should at least cover: the establishment of a laboratory testing environment, completion of patch testing within the specified time, patch loading, testing and analysis in case of patch loading failure, and system reconstruction and upgrade when a conflict between the patch and the application occurs.
Patch Loading
From the release of a security vulnerability until the patch is loaded, the security administrator of our company must provide emergency measures and suggestions, such as strengthening access control, closing services temporarily, and strengthening security auditing, to strengthen cyber security. All relevant business systems take appropriate protective measures according to these suggestions, strengthen the monitoring of the system, and discover and report security events in time.
The security patch testing report, the security patch installation plan and implementation scheme, and the security patch rollback implementation scheme must be submitted to the cyber security administrator of our company before the patch loading. After being approved, the patch will be implemented according to the plan. The approval period is 2 working days.
Data backup must be done before the patch is installed to ensure that any operation can be rolled back. If the patch loading is not completed by the planned rollback point, the rollback operation shall be started to guarantee the normal operation of the business.
Patch loading must be scheduled at a time when the business is relatively idle, and the operation process must be recorded in detail.
For core servers, on-site support from the manufacturer’s engineers should be required during patch loading.
Patch Verification
The business system administrator must check the system information to ensure that the security patch has been loaded successfully after the patch is installed.
After patch loading, the system must be strictly tested and verified according to the plan and verification scheme, so as to ensure that the performance of the system is not affected and that the various businesses operate normally.
The system administrator must strengthen the monitoring of the system performance and events, and write the daily operation monitoring report within one week after the patch is loaded.
Patch Archiving
The system administrator must compile the patch installation report and patch verification testing report and submit them to the security administrator for archiving.
The security administrator is responsible for archiving the security patch software in case of system reinstallation.
Supervision and Inspection
The Cyber and Information Security Management Office of our company is responsible for assessing the implementation of patch management, including patch loading, accuracy of patch version information and quality of relevant documents.
Audit and inspection can be conducted through security vulnerability scanning and on-site manual random inspection, and the assessment can be conducted through self-inspection within the department and patrol inspection organized by the information security management department of our company.
Backup Recovery & Storage Management Policy
Overview
In order to protect data security to the greatest extent, protect the integrity of customer data, and prevent data from being harmed by the following aspects:
o Natural irresistible factors, such as hurricanes, earthquakes, etc.
o Datacenter environmental factors: power loss, air conditioning failure, high temperature, etc.
o Human factors: misoperations, cyber-attacks, etc.
CBI MONEY UAB has customized a complete backup strategy and recovery strategy.
This management system is established to standardize backup file change management and recovery management, store historical data reasonably, and ensure data security management.
Backup and recovery management shall be in the charge of dedicated personnel arranged by the business operation center. Backup management personnel are responsible for formulating backup and recovery strategies, organizing the implementation of backup and recovery operations, and keeping track of the storage, replacement and registration of backup media. Daily backup operations should be completed by backup management personnel or the computer room personnel on duty.
Scope
The scope of this regulation covers the change, backup and recovery management of all key systems of CBI MONEY UAB.
Policy
1. Backup frequency:
• All types of business data and financial system data must be backed up on a daily basis;
• Data must be backed up before and after large-scale updating;
• Before and after major changes in the operating system and applications, the system and applications must be backed up.
2. Backup data retention time:
• All business data related to financial reports shall be kept permanently, and other data shall be kept for no less than 10 years.
3. Backup storage and backup media management:
• All backup data shall be stored in a local and in a remote location;
• Backup media, whether stored locally or in remote places, must be kept in a safe place to ensure that only authorized personnel can access it;
• On the backup media, there must be a unique identification indicating the content and date of the backup;
• Establish a backup media directory list locally and in remote places to record the location, content and data retention period of the backup media.
4. Backup and recovery test:
• Recovery should be tested according to the business system criticality;
• The backups must be tested every quarter to ensure the effectiveness of the backup and the feasibility of backup recovery;
• Backup and recovery tests should be conducted before major business changes occur.
5. Destruction and decommissioning of backup media:
• The destruction of backup media must be authorized by the relevant management personnel, and the destruction shall be recorded by an assigned person;
• If confidential data is stored on the backup media, the backup media must be processed before destruction to make the data on it unreadable.
