
The Status and Threats of Information Security in the Banking Sector of Bangladesh: Policies Required
Article, March 2010


Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737,


Department of Management Information Systems, University of Dhaka

The Status and Threats of Information Security in the Banking Sector of Bangladesh: Policies Required
Muhammad Saifuddin Khan*
Suborna Barua

Abstract
Information has been the greatest asset for any business in this competitive age. The
success of financial institutions, which are fully service-oriented institutions, largely
depends on the reputation they earn in the market through protection of institutional and
customer information. Especially for banks, adopting new, up-to-date IT infrastructure is a
must to remain competitive and accelerate growth. Bangladesh has witnessed a rapid
expansion in the adoption of IT infrastructure with innovative tech-oriented financial
products and services, and thus rapid growth in the banking industry with increased
competition. Therefore, the banking industry in Bangladesh is now considered one of the
fundamental industries. This paper explores the state of information security and the
challenges in ensuring it, and suggests some policy options. The study finds that the
banking sector in Bangladesh is sufficiently vulnerable to different information security
threats, as banks are already using many IT-based platforms in regular business. Although
almost every bank has its own ICT risk management guideline formulated by the Bangladesh
Bank, these are not implemented with care in most cases. The sector perceives itself as
vulnerable in terms of information insecurity due to the varying nature of the problems,
and thus primarily seeks a government role in initiating a wide information security
movement.

* Muhammad Saifuddin Khan, Lecturer, Department of Finance, University of Dhaka, Dhaka-1000, Bangladesh.
E-mail: msaifuddin_1@yahoo.com

Suborna Barua, Lecturer, School of Business, United International University, Dhaka-1209, Bangladesh.
E-mail: subornobarua@gmail.com
*** Both authors have equally contributed to the article.

Electronic copy available at: http://ssrn.com/abstract=1569207

1. INTRODUCTION
Organizational performance can be enhanced in a sustainable way by investing in and
utilizing information resources. The same is true at the individual level, where
corporations allow employees to receive appropriate information in time (Chaffey & Wood,
2004). Adequate, accurate, appropriate and timely dissemination of information is possible
only when corporations have efficient and effective information systems. Information
systems must be aligned with organizational goals and strategies to maintain, process and
disseminate information that can be used for decision making by different stakeholders of
the organization. Lack of a strong information system fundamentally increases the cost to
organizations of trying to manage information in unstructured, ad hoc ways (Petrides,
2004). Financial institutions are no exception. One of the biggest challenges for a
financial institution is the large bulk of customer and transaction information it
preserves, and the networks, growing every day, that enable the institution to create
innovative and useful services (Watanabe Y., et al., 1998). Thus, a strong information
system is far more crucial for banking institutions than for others (Petroni, 2004).
Inevitably, a dynamic management with its timely principles utilizes information
technology and systems to promote new products and manage new business (Nagaoka, Ukai, and
Takemura, 2006). It is extremely crucial because information security enables an
institution to gain competitive advantage and creates new business opportunities (Horton
R. T., et al.). As a reference, in the U.S.A. the cost of fraud involving credit cards and
other chargeable cards was around $985 million in 2000, borne by both the customers and
the companies (Kevin Coffee, 2003). Flawed internal information security systems are also
considered a big threat. In the USA, the National Institute of Standards and Technology
(NIST) reported that faulty security systems cost the US economy $59.5 billion annually in
the form of breakdowns and repairs (NIST, 2002).

Bangladesh is in such a condition that banks must remove any existing gap in ensuring
information security. With a good number of local and foreign banks, Bangladesh, a country
with a population of 150 million, is experiencing a rapidly expanding banking sector. Banks
are widely introducing new products based on information technology to survive and remain
competitive in the intensely competitive market. Therefore, the wide range of IT-based
financial products available in Bangladesh certainly calls for efforts to understand the
dynamics of the security required for information assets.

The study is divided mainly into six sections. Section one discusses the background
information, section two presents the literature review, section three outlines the research
objectives and methodology, and section four presents the current scenario of information
technology based products and services along with the state of information security in the
Bangladesh banking sector. The fifth section presents the in-depth analysis of the survey
and study findings, and finally section five identifies the challenges and solutions,
recommendations and conclusions to the paper.

2. LITERATURE REVIEW


The worldwide Information Security market was worth $6.7 billion in 2000. With a
Cumulative Annual Growth Rate (CAGR) of 25.5 percent, this market is projected to more
than triple to $21 billion by the end of 2005 (Network Magazine, 2003). Information security
basically comprises ensuring five key terms: confidentiality, integrity, network
security, application security, and host security (Usher A., 2006). Information security
means administrative and technical actions to ensure that information can be accessed only
by authorized persons, information cannot be changed by unauthorized persons and
information systems are available to authorized persons (Finnish Act on the Protection of
Privacy in Electronic Communications, Sähköisen viestinnän tietosuojalaki, 16.6.2004/516)
(Holappa J., et al., 2005).

In the UK, financial institutions perceive data breaches (any form of fraud or concealment)
as a major reputational risk that would create a direct financial loss through regulatory
fines, recovery costs and loss of business (Logica, 2008). In Australia, the Consumers
Telecommunication Network 2006 report stated that a vast majority of consumers have
experienced many e-security threats despite using a range of security products. Banks
generally use digital security to maintain competitive advantage, build brand image, and
meet statutory regulations (Rai, 2008).

An Atlanta ARMA meeting on May 20, 2008 showed the trends and observations on threats to
information security in 7 broad categories: a) strong and enhanced hacking, b) existing
unfixed vulnerabilities, c) an increasing number of strong malwares, d) web browser
exploitation by users, e) uncontrolled liberal use of wireless internet at the niche level,
f) deliberate remote access connectivity via virtual private networks (VPN), and finally
g) increased phishing leveraging readily available personal data and common file
attachments. The danger of massive niche-level wireless usage and remote access is that a
single insider can cause extensive financial damage or irreparable damage to an
organization's data, systems, business operations, or reputation (Keeney M, et al., 2005).

Usmani K. (2008) identifies the threats to information security in four broad categories:
malware, attack through e-mail, spam-associated threats, and phishing. Malware threats
reduce system, network and workstation performance, and thereby employee performance. These
threats include stolen user IDs and passwords, unauthorized access to confidential
information, loss of intellectual property, remote access to the company's PCs, and theft of
customer data. Threats to email include loss of confidentiality, lack of data origin
authentication, lack of non-repudiation, and lack of notification of receipt. Another
category, spam-generated threats, includes dangerous viruses, worms, trojans, and spyware.
The last category of security threat is phishing, which causes hacking of credit card
information, system information, and account information. Apart from hacking, this also
includes the use of lucrative email messages and web pages that provoke users into
submitting personal, financial or password data.

These results are also reconfirmed by a statistical study of internet security threats by
James G. D. (2007), stating the rates of infection in 2006 in the USA: spam (75%, with a
productivity loss of $21.6b per year), trojan viruses (31%), spyware/malware (89%), phishing
and hackers. In November 2006, the attempt rate of hacking and stealing information in UK
banking brands was 11% while 75% of false banking sites targeted clients of US banks
(James G. D., 2007). Globally, the UK hosted 2% and the US hosted 63% of phishing sites
(RSA Stats, 2006).

Researchers and practitioners have critically examined the factors behind managing
information security. For different threats, they have shown different measures for dealing
with the threats to information security. To protect against the increasing threats, all
the companies in the life, savings and investment, and pension sector reported that their
security budgets had increased significantly over the last one to three years, while two
companies say that they will double security spending in 2008-09 (Logica, 2008). The Logica
(2008) report also stated that in the UK, the real cost of a data breach might be nearer the
American level of £3.3 million ($6.3 million) per incident; the average cost of a data
breach was more than £1.4 million in 28 data breaches across eight industry sectors, of
which the financial services industry was 17 per cent higher. According to Usmani K. (2008),
fighting malware requires good user education, keeping the operating system up to date by
installing operating system security fixes and program patches, using firewall protection,
using anti-spyware software, and monitoring logs for unusual traffic. For email security,
securing the server-to-client connections and the end-to-end email delivery is crucial,
along with being wary of emails from unknown parties (unsolicited emails), not opening
suspicious attachments and spam, and avoiding registering in external mailing lists. Usmani
K. (2008) also suggested the mandatory use of updated antivirus, anti-spyware, and spam
filters to avoid phishing. To ensure the highest level of information security, the State
Bank of India manages its information security based on six pillars: security governance,
consulting, compliance, incident control, monitoring, and security awareness for its
stakeholders (Kishore. P., 2008).

It is important to note that, as information technology advances, the future will obviously
be harder than today, and will need very concentrated effort. Information security threats
and attacks are becoming exponentially sophisticated, communicable, and threatening (The
Business Edition, 2006). Libicki (2008) shows some ways in which the future problems may
arise. According to Libicki (2008), use of learning systems or neural nets may result in
massive destruction if the base on which they work is wrong, as may badly designed agents,
servers cycling forever for an answer, mutually destructive server-to-server communication,
malevolent agents looking for certain outgoing mail, and fast-growing hi-tech hacking.
Moreover, vulnerable wireless security protocols, increasing attacks through cross-site
scripting (XSS) and cross-site request forgery (XSRF), malicious software generated by
hackers using simple commands that can bypass most (if not all) of the current
signature-based antivirus products, attacks through web surfing in corporations, and a
possible fall in training budgets add to the problem (Strand J., 2009).

The Georgia Tech Information Security Centre (GTISC), on October 2, 2007, predicted for
2008 a number of cyber threats that may be dangerous for information security, such as
client-side attacks and targeted messaging attacks. On the other hand, IBM's X Force report
for security and trend statistics has evaluated the various classes of threats, including an
in-depth analysis of 410,000 new malware samples, which shows that gaining unauthorised
access (50%), followed by denial of service (13.8%), data manipulation (11.2%), obtaining
information (9.3%), bypassing security (6.5%), gaining privileges (5.7%) and file
manipulations (1.3%), are going to be the biggest information security challenges in the
near future (Anand V., 2008). Other than the popularly known threats such as hijacking
websites, poisoning the Domain Name System (DNS), and difficulties in tracing parties
storing and transferring data in complex and huge corporate networks, the extensive and
liberal use of Social Networking Sites (SNS) may become a dangerous area for data privacy
and security, as industry experts in the UK commented (Heath N., 2009).

Usher A. (2006) identified traditional threats such as hacker activity, worms and viruses,
spam, spyware, and phishing, where network security strategies do nothing to protect against
devices connected inside the enterprise network (widespread use of wireless technologies and
secondary storage). For protection from the threats, Usher A. (2006) suggested five points:
assessing the technology environment regularly, adapting an updated security policy, having
a rigorous and effective user awareness plan, putting policies and procedures into action
effectively, and finally assessing effectiveness and revising policies if needed. Threats to
information security are increasing day by day. These dynamics are changing and taking an
extremely difficult-to-prevent shape. Therefore, this generation's information security wave
is about Security Audit and Certification. This covers not just technology, but also people
and processes. Enterprises will approach security from the attacker's end and safeguard
against new risks like social engineering and dumpster diving.

3. RESEARCH OBJECTIVES AND METHODOLOGY

Financial institutions across the globe take many different forms, for example central
banks, commercial banks, securities brokers, and life insurance companies. Despite increased
and expanded networking, banks have to analyze transaction data for any given customer so
that they can offer customers better personalized service (Watanabe Y., et al., 1998).
Evidently, a study on nationalized banks of the state of Florida empirically proves the
positive role and contribution of information systems to a bank's efficiency (Gupta U. G.
and Collins W., 1997). The Federal Financial Institution Examination Centre and Federal
Deposit Insurance Corporation have laid out different policies, regulations and guidelines
to ensure secure information systems in banks. Financial institutions with rapid expansion
and global reach, especially those that offer products and services online to clients
worldwide, are in greater danger. Evidently, the National Criminal Intelligence Service has
shown an exponential growth of computer crime in the United Kingdom (NCIS, 1999). Thus an
integrated system for finance, management, marketing and other functional areas has to be
built in financial institutions.

Realizing the need for study in this area, the objectives of the proposed study are framed in
the following terms in the context of Bangladesh:

(i) To identify the different dynamics, quality and areas of use of information
technology in the banks.
(ii) To identify and investigate problems relating to information security and threat in the
banking sector.
(iii) To identify critical success factors for effective information security with particular
reference to the banking sector.
(iv) To discuss the future of information security and threat in the banking sector, with
the growing consciousness of information security.

METHODOLOGY
The study uses both primary and secondary data. Secondary data has been obtained from
different online and physical sources. The major strength of the study is the primary data
it has used. A four-page questionnaire with 40 questions was used to collect primary data.
The questionnaire was sent to a total of 15 banks, of which 11 responded. The study is built
on detailed analysis of all the data and information acquired from the completed
questionnaires of the 11 banks. The list of these 11 banks is shown in Appendix-4 of this
study. The study is divided mainly into three sections. Section one discusses the
preliminary issues, literature review and background information, section two details the
state of information security and the in-depth analysis of survey findings, and finally
section three identifies the challenges and solution approaches in ensuring information
security in Bangladesh, followed by a concluding paragraph.

4. IT BASED PRODUCTS AND SERVICES IN BANGLADESH BANKING SECTOR

Although many banks in Bangladesh are providing electronic services to their customers,
electronic methods are yet to be fully used in delivering and managing the business, because
the banks offer some of the functionalities of complete electronic banking, such as
intra-bank transactions, Letter of Credit (LC) and foreign exchange. In the case of
inter-bank transactions, the central bank authority handles the procedure. Banks as well as
employees benefit from implementing information technology in banks because this system has
some advantages over the traditional system. The advantages are as follows. Information
handling and processing is faster. To accomplish an audit, government officials need to go
to every bank; after IT implementation they do not need to go to the banks, but can instead
collect the same information through the network, and the audit report can be generated
within a few minutes. In the traditional system, transferring money from a city to a remote
area takes time and also requires some investment. During the transfer time the money is
idle, so it is a great loss for the bank as well as customers. An electronic system can be
used to transfer money within a few seconds (intra-bank).

INFORMATION SECURITY IN BANGLADESH


Bangladesh has realized that information security is an important business accelerator. For
example, policy makers feel an urgent need to develop cyber crime legislation that will
ensure cyber security or information security over the internet. Policy makers of the
country are currently in the process of including privacy policies, trust marks and other
self-regulatory measures for the development of products and provision of services, and
implementing the necessary measures for establishing consumer confidence, more importantly
in the banking sector. The survey shows that only 11% of banks have inter-branch
connectivity through CT network (WAN). Some 70% of solution providers for WAN are of
local origin. At the head office level some 95% of banks use banking software. Currently
around 24 types of banking software are available in banks (Raihan, 2001).

INFORMATION INSECURITIES AND THREATS IN BANGLADESHI BANKS


As almost all the banking service providers think that certain information is at risk, 66%
of banks have access control over the customer information system and 95% have a physical
security program which defines and restricts access to information assets as well as
protecting against destruction, loss or damage of customer information. As a result, 95% of
banks' strategic planning processes incorporate information security, and 80% of those have
an employee security awareness training program and possess policies/procedures for the
proper disposal of customer and consumer information. Again, the survey shows that 75% of
banks in this industry are serving as a merchant issuer for credit card activity, and all of
those hold written policies/procedures that address approval/termination, underwriting,
fraud and credit monitoring, password tracking, and security of credit card information.
They also possess wire transfer policies/procedures which address responsibilities and
authorizations, separation of duties, funds availability/credit limits, information
security, business continuity plans, insurance protections and vendor management.

Because of the highly competitive market environment, training of employees within
organizations is nowadays inevitable for long-run sustainability and profitability. To keep
employees up to date, banking service providers arrange various training programs. For
providing training, 66% of them hire trainers from outside. Both On the Job Training
(learning by doing as an employee while in a job) and Off the Job Training (training from
formal training institutes) are commonly in practice. A few (20%) have their own trainers.
In providing training, the Bangladesh Institute of Bank Management (BIBM) and Bangladesh
University of Engineering and Technology (BUET) have been playing the pioneer role.
Though the training provided to employees depends upon the need for technology
implementation raised by the situation, the Bank Ultimus, PC banking training courses, Basic
trainings on Stayler, Trainings on Money-Gram System, and Trainings on Tair-Drill etc. are
common among organizations.

Trojan viruses, spyware/malware, spam, hacking and stealing of information, dishonest
insiders, phishing, worms, web browser exploitation by users, deliberate remote access
connectivity, stolen user IDs and passwords, modification of data, etc. are now the most
common names in the world of online threats. In Bangladesh they have more or less already
exposed the banking industry to enough vulnerability. Some 40% of the banking service
providers are well aware of Trojan viruses and spam because they face them with very high
frequency, along with a low intensity of information loss. But the amount of recovery is
very high. Another 40% frequently face spyware/malware, but in this case 20% of these
victims face it with high frequency, causing a very low intensity of information loss, and
the rest of the victims face it rarely. Other online threats are rarely faced, with a very
low intensity of information loss.

IT PLATFORMS USED
The rapid development and inclusion of information technology has both aided the
development of the banking industry in Bangladesh and created a riskier environment for
information loss. The rapid advancement in IT tools has given the banking system in
Bangladesh an accelerated pace in service expansion and product diversification with higher
quality. As the sector is yet to make maximum use of state-of-the-art technology, banks are
rapidly applying available and suitable tools to increase their power in the highly
competitive environment. The survey conducted for this study explores the different dynamics
of the technology in practice and thereby the preparedness to ensure information security in
the banking sector of Bangladesh. The major IT platforms used by around 90% of banks in
Bangladesh are detailed below:

Automatic Teller Machine (ATM): All surveyed banks have their own or shared ATM networks,
and ATM services are widely available for more than 70 percent of the banks operating in
Bangladesh. Dutch Bangla Bank Limited has the leverage of the largest ATM network, with more
than 200 ATM booths in almost every part of the country. As of October 2007, Bangladesh has
438 ATMs (Daily Star, 2008), 10,526 POS, 7.7 lakh debit and 30,000 credit cards issued by
all banks in the country. The volume of transactions using ATMs has increased substantially
during the last few years due to the availability of booths and the benefit of non-cash
money.

Online Banking: Online banking allows bank transactions to be conducted within closed or
open networks. Online banking is considered to be a segment of e-business to the extent that
banks are involved in the conduct of business transactions via electronic media, especially
through the internet. Currently full-fledged online banking service is offered by top banks
in Bangladesh including Standard Chartered Bank, Eastern Bank, Dutch Bangla Bank Limited,
and Southeast Bank Limited. Services in online banking in Bangladesh include online balance
checking, instruction delivery, account monitoring etc. While conducting the study on online
banking, we observed that only eight private commercial banks have started truly online
banking, and no nationalized bank has yet introduced online banking in that sense. All the
foreign commercial banks operate their banking through online procedures. It has been
noticed that almost fifty percent of the private commercial banks have started computerized
banking which does not actually serve the purpose of online banking.

Virtual Private Network: Almost 50% of the surveyed banks have a virtual private network
in the form of a wireless intranet for intra-organization networking. Using the intranet,
employees inside the banks exchange data and information with each other. In most cases
banks have no restriction or control on employees sharing information inside the
organization through the intranet.


Wide Area Network or Local Area Network (WAN or LAN): Some 95% of banks reportedly
have either WAN or LAN or both. In most cases, banks in Bangladesh have a LAN which is
created inside the organization and is accessible from different branches in different
locations within the city. The nature is similar to a MAN or Metropolitan Area Network.

Network Server: A network server is a mass storage device or a designated computer used for
storing, delivering and managing data for users over a local area network or the internet;
examples are Web servers, proxy servers, and FTP servers. Overall, a network server is
designed to manage network traffic. Almost every banking institution of Bangladesh has its
own network server, and every authorized employee has access to that network server.
Employees have specific server space, names and IDs. They generally use this space for
storing data, financial analysis and backing up account information.

Wireless networking: Networking without wires is very popular in Bangladesh. A wireless
network is one of the common means of Remote Information Transmission (RIT) through a
telecommunications network, by electromagnetic wave and mostly by radio wave. Previously,
only the top telecommunication companies had the authority to use and provide wireless
internet opportunities to customers. But now institutions like banks or Multinational
Companies (MNCs) have the authority to offer these opportunities to customers and use them
in internal operations. Bluetooth devices, WLAN, WiFi, WiMAX and Fixed Wireless Data are
some of the most used means of wireless networking.

Modem or modem pool: A modem is a kind of device which transfers digital data through an
analog wave. Nowadays people mostly use motherboards with an inboard modem as built-in
technology. Corporate companies like banking institutions make great use of modems under a
host server. They pool their modems at speeds of 56 to 128 kbps. With the rapid expansion of
services and accelerated increase in internet penetration, more and more people are getting
opportunities to use modems and modem pools.

Portable devices (PDAs, laptops, cell phones etc.): Portable devices are powerful devices
for data transfer that are easy to carry. The banking institutions have standard security
protocols for using portable devices in the office. PDAs, laptops and cell phones are widely
used in these institutions. Almost all middle and top class executives use portable devices
frequently with the permission of their institution.

5. CRITICAL FINDINGS AND ANALYSIS

The information security survey on the Bangladesh banking sector and the detailed
examination of this sector's information security concerns have yielded the following
critical findings.

5.1 Level of Use and Access of IT Platforms

Apart from the traditional manual banking products, a broad spectrum of electronic banking
services is available in Bangladesh with different degrees of penetration. Credit card
service is provided by 23.1 percent of banks (PCBs and FCBs). As the survey result shows,
credit card services from VISA, MasterCard and VANIK are more popular and expanding.
Table-1: Available IT Based Products of Banks

| Product Name | % of Banks offering |
|---|---|
| Credit card service | 23.1% |
| Tele-banking | 19.2% |
| Electronic fund transfer | 15.4% |
| Online corporate banking | 7.7% |
| Electronic debit card | 3.8% |
| Merchant account services and internet banking | 7.6% |

Source: Information Security Survey on Bangladeshi Banks, 2009

Tele-banking is the second most penetrated e-banking service in Bangladesh. ATM is gradually
becoming popular in major cities. Some foreign banks provide electronic fund transfer
services. A group of local banks have introduced a shared ATM network which has increased
the availability of this type of electronic banking service. At present 7 (seven) private
and foreign banks, namely Southeast Bank Ltd, Dhaka Bank Ltd, Al-Baraka Bank (Bangladesh)
Ltd., National Bank Ltd., Islami Bank Bangladesh Ltd., and National Credit and Commerce Bank
Limited, are providing full-fledged internet and online banking facilities. The network will
gradually be extended throughout the country. Credit card is also a very popular service in
Bangladesh; during the last five years the growth of the credit card market has been almost
100 percent.

Table-2 illustrates the percentages of the above features on the basis of their level of
access within the regular working environment of banks in Bangladesh. Considering the use of
these features by both internal and external parties, internal parties enjoy 100% access to
these facilities whereas external parties possess almost 80% access. Table-2 illustrates the
level of access of both of these parties to these facilities.
Table-2: Level of Access and Use of these features by both of the parties (%)

Features (Level of Use): ATM; Online banking; Network server; Phone banking; Wireless network: LAN; WAN; Modem of modem pools; Security devices

Level of use by External Parties out of 80% access (columns: Very High, High, Low; values in source order): 40, 33, 66, 66, 37, 33, 66, 70, 30

Level of use by Internal Parties out of 100% access (columns: Very High, High, Low; values in source order): 33, 33, 66, 75, 20, 80, 80, 80, 60, -, 40, -
Source: Information Security Survey on Bangladeshi Banks, 2009

Bank information is kept secure by giving employees limited access according to their positions and the requirements of business policies. Without proper authorization, employees are not allowed to use flash drives or any other mass storage devices. Generally, employees are allowed to check mail only to view their instructions or understand the situation; they cannot edit it or use it for any other purpose. Employees even face strict restrictions on using the PCs provided to them. They are not expected to move anywhere without shutting the PC down, but if someone accidentally does so, a built-in system shuts the PC down within 3 minutes, and the person responsible has to go through a penalization procedure. In many cases, unauthorized 100% access to all the platforms by dishonest insiders may also cause a great loss and thus expose the organizations to a greater degree of risk. From that perspective, the 80% access level of external parties also seems quite high. All of this is because there are clearly stated policies, procedures and guidelines for securing, maintaining and monitoring the system in one's own IT environment. Table-3 in the policy section illustrates the percentages of banks with written policies, procedures and guidelines for securing, maintaining and monitoring the following systems or platforms under their own Information Security Program.

5.2 Quality of Technology Used in Information Management

It is obvious that the quality of the technology used to manage and protect information is a very important aspect. An underdeveloped or outdated technology may cause severe costs, financial or otherwise, when banks face large physical damage to hardware (such as storage devices, machine breakdown or the inability to create data and information backups). Poor quality technology also creates vulnerability, as it may not prevent unauthorised access and sharing of information because of its incompatibility with updated security protection tools. The survey produced interesting findings regarding the quality of the technologies used by the banks while working with the different identified platforms. Table-3 illustrates the findings from the survey.

Table-3: Quality of Technology Used

Available Features: ATM; Online banking; Virtual Private Network; Network server; Wireless network: LAN; WAN; Modem or modem pools; Security devices; Other remote access connectivity; Portable devices

(%) Very High (values in source order): 20, 40, 40, 66, 95, 5, 85, 40, 60, 66

(%) High (values in source order): 40, 60, 40, 20, 95, 15, 50, 30, 34

(%) Low (values in source order): 40, 40, 20, 14, 5, 10, 10, -

Source: Information Security Survey on Bangladeshi Banks, 2009

The quality of technology is alarming in the case of ATMs, which are widely and popularly used by customers every day. Even though the ATM has been one of the most important tools for remaining competitive in customer service delivery, only 20% of the banks reported that they use very recent, high end technology in providing ATM services. Some 40% reported the technology used in their ATM services as low. This is an important indication: because ATMs serve to store, process, and transfer information, any damage to low end or low quality technology may severely damage goodwill and thus cause significant loss of business. The highest quality is used in Wide Area Networking and Local Area Networking, which allow employees to access, share and transfer data and information through wireless and wired technology respectively. This finding substantially validates the faster delivery of tech-oriented products and services by the Bangladeshi banks. Another major observation is the use of high end technology in monitoring and controlling data transfer, which keeps the information secure. Some 90% of the banks use at least high end secured technology, leaving the remaining 10% of banks at risk of unauthorized data and information transfer past their poor security technology.

5.3 Risk Analysis


The survey tried to find out the degree of risk perceived by the responding banks. Some 34% of banks perceive that the current state of information security is not enough to prevent virtual or physical damage to the information management system. Therefore, around 60% of the surveyed banks believe they are at a high or very high degree of risk of information loss at any moment. The reasons for this perception, despite every bank having an ICT policy, were interesting.

Table-5: Degree of Information Security Risk Perceived by Banks

| Degree of Perceived Risk | % of All Banks |
|---|---|
| Very High | 34% |
| High | 26% |
| Moderate | 17% |
| Low | 19% |
| Very Low | 4% |

Source: Information Security Survey on Bangladeshi Banks, 2009

Table-6: Why Banks Perceive Riskier Information Environment

| Reasons for Perceived Risk | % of All Banks |
|---|---|
| Lack of adequate knowledge | 47% |
| Lack of Training | 76% |
| Do not have quick response ability | 49% |
| Not Updated with the high end solutions regularly (time lag exists) | 24% |

Source: Information Security Survey on Bangladeshi Banks, 2009

The major reasons why the banks feel exposed to a greater degree of risk are shown in Table-6. It is essentially shown that bank employees in almost all cases do not have proper training on the importance and process of securing information. A lack of training initiatives and resource persons, and under-prioritization of the training need, are keeping banks from training their manpower. This also leads to a lack of adequate knowledge of information security management, which 47% of banks cited as a cause of their perceived risk. Top management and directors are also observed in many cases not to be aware of the issue. Inadequate resource availability and preparedness is essentially making banks stagnant and thus not prepared to respond instantly to any sudden damage that takes place. Some 49% of banks regard this as a major reason for their perceived risk. The other major reason is irregular and infrequent updating to current technology, software, and information security threats (24%). This is probably also due to under-prioritization of the need for better information technology.

5.4 Policies Used By Banks in Bangladesh


In recent years the banking industry has changed the way it provides service to its customers and processes information. Information Technology has brought about this momentous transformation. IT Management must ensure that the IT functions are efficiently and effectively managed. They should be aware of the capabilities of IT and be able to appreciate and recognize opportunities and the risk of possible abuses. They have to ensure maintenance of appropriate systems documentation, particularly for systems which support financial reporting. They have to participate in IT planning to ensure that resources are allocated consistent with business objectives. They have to ensure that sufficient properly qualified technical staff are employed so that continuance of the IT operation area is unlikely to be seriously at risk at any time. IT Management deals with IT policy documentation, Internal IT Audit, Training and Insurance. There is a specific guideline detailed by the Bangladesh Bank which every bank follows. The banking industry has therefore developed its own information management policies based on the given guideline.

Table-4: % of Banks Having Policies Regarding Information Sharing Platforms

| Systems or platforms covered by the policy | Banks possessing such policies (%) |
|---|---|
| ATM | 80% |
| Network server | 73% |
| Online banking | 71% |
| Virtual private network | 77% |
| Payment system (including wire transfer and ACH) | 63% |
| Portable devices such as PDAs, laptops, cell phones etc | 55% |
| Remote deposit capture | 41% |
| Wireless network | 47% |
| Modems or modem pools | 57% |
| Security devices such as firewall(s) and proxy devices | 44% |

Source: Information Security Survey on Bangladeshi Banks, 2009

The statistics in Table-4 show quite a good status. Banks having different IT platforms for information processing, sharing, and transferring have separate written policy documents. Some 70% to 80% of the surveyed banks have documents that guide the use of the ATM, online banking facility, network server, and virtual private networks. This is a very good sign because, apart from the ATM, all the other platforms are very important channels of information access, sharing, and transferring. Therefore, having documents to shape the use of these platforms certainly prevents unauthorized access, at least to a minimum degree. But alarmingly, more than 50% of the banks are using wireless networks, firewall and proxy security tools, and remote access without any written policy guideline or code of use, which exposes these banks to an extreme degree of risk. This is because all of these platforms are currently considered the most likely channels through which people can try to gain unauthorized information access and sharing.

In October 2005, Bangladesh Bank outlined a common ICT risk management guideline titled "Guideline on Information & Communication Technology for Scheduled Banks and Financial Institutions" to ensure the security of information and information systems. It covers all electronically generated, received, stored, printed, scanned, and typed information, and has been made mandatory for all banks and non-banking financial institutions. The guideline presents the minimum preparation required of the institutions regarding all activities and operations needed to ensure data security, including facility design, physical security, network security, disaster recovery and business continuity planning, use of hardware and software, data disposal, and protection of copyrights and other intellectual property rights. The guideline clearly outlines the policies for IT Operation Management, Physical Security (Tier-1, Tier-2, Tier-3), Information Security Standard and Service Provider Management.

5.5 Government Regulations on Information Security

Every bank having IT systems must have an IT Policy which fully complies with this IT Guideline and is approved by the Board of the bank. For foreign banks the document must also be in conformity with their global policy document. This document provides the policy for Information & Communication Technology and ensures its secure use by the banks. It establishes general requirements and responsibilities for protecting ICT systems. The policy covers common technologies such as computers and peripherals, data and network, web systems, and other specialized IT resources. The bank's delivery of services depends on the availability, reliability and integrity of its information technology system. Therefore each bank must adopt appropriate methods to protect its technology system. The policy will require regular updates to cope with the evolving changes in the IT environment, both within the bank and in the overall industry. The senior management of the bank must express a commitment to IT security by continuously upgrading awareness and ensuring training of the bank's staff.

The Bangladeshi government is working on a law to check computer hacking in the country, with punishment for hackers of a 10-year prison term or a fine of 1 million taka (14,300 U.S. dollars) or both. The law, named "Ministry of Information and Communication Technology Act 2006", will have provisions for establishing a cyber-tribunal. Under the law, those who give obscene information, do things which are defamatory to others, or disclose secrets through computers will also be punished. The law will have provisions against committing crime using computers.

5.6 Challenges in Ensuring Information Security

The problem is that Nationalized Commercial Banks (NCBs) are the unique market player with more than 50 percent of market share, so ICT penetration is more crucial for this category of banks. Some midrange and mainframe computer systems are available in the banking sector. Some 95 percent of the surveyed banks have Management Information Systems (MIS), but only 38 percent of these MIS are integrated with the Transaction Processing System (TPS). Moreover, the absence of adequate physical resources (e.g. computer hardware and software) and weakness in course contents in the training institutions will adversely affect the quality of output from the institutions (Chowdhury, 2001).

Table-7: Challenges to Ensure Better Information Security

| Challenges | % of All Banks |
|---|---|
| Lack of adequate knowledge | 67% |
| Lack of Proper Training | 56% |
| Do not have quick response ability | 55% |
| Lack of Active Government Responses to the need | 44% |
| Not Updated with the high end solutions regularly (time lag exists) | 17% |
| Human Resource Constraint | 7% |

Source: Information Security Survey on Bangladeshi Banks, 2009

The survey findings on major challenges identified by the institutions are detailed below:

Lack of adequate knowledge: As explained in the earlier sections, the top management and the employees at different levels in the banks are not really aware of the danger or of the importance of addressing the issue. Therefore, in many banks, as opined by the bank respondents, the issue of information security is not treated as a priority. This lack of awareness creates an opportunity for dishonest people or hackers to pass out information at any moment. Some 67% of the banks agreed on this point.

Lack of Training: Employees, and in many cases even the top management of the banks, are not equipped with adequate and up to date training on creating a secure environment for information management. Some 56% of banks feel that they have no or insufficient training for all employees. The strategic importance of information security is therefore once again undermined by employees at all levels in the banks, who thus deliberately or unknowingly create opportunities for information loss, including through physical damage. The lack of specialized training centers is also a pivotal cause behind this.

No Adequate Preparedness: Adequate preparedness at the time of an accident or damage enables banks to recover information, business or financial losses. Unfortunately, some 55% of the banks believe they are not prepared enough, and thus ensuring a better secured environment to manage and contain information has become very risky.

Under-prioritization by the Government: Bangladesh, as a developing country, faces hundreds of problems every day. Information security has not yet been treated as a priority issue in a way that might immediately create a strong and secure environment for information management, although some recent developments have been observed. Some 44% of banks regard this as a major challenge, as the development of such an environment must be led and initiated by the government through national and international experts.

Not Updating Security System Regularly: Some 17% of banks believe that the banking sector in Bangladesh has yet to pick up pace in regularly updating software and up to date security tools such as antivirus, firewall and proxy settings to prevent malware, spyware, Trojans etc. There are many banks which spend little time and pay little attention to updating their hardware and software. This is further proof of under-prioritization of the issue.

Human Resource Constraint: Some 7% of banks believe that there are not many expert human resources in the country who can supervise the whole industry in creating an enabling environment in the banks to secure information. The lack of national expertise or consultation is creating drawbacks in the process of developing a knowledge base and the infrastructure for information security.

6. CONCLUSION AND RECOMMENDATION

Table 8 below lists the major suggestions accumulated from the surveyed banks on the
issue of how to create a better environment to protect information.

Table-8: Suggestions to Ensure Better Information Security

| Suggestions to Ensure Better Information Security | % of All Banks |
|---|---|
| Active Government Initiative Putting Priority | 83% |
| Making Training Programs Mandatory | 58% |
| Central Monitoring by the Central Bank | 54% |
| Establishing Specialized Training Centers | 46% |
| Creating Awareness on Information Security | 41% |

Source: Information Security Survey on Bangladeshi Banks, 2009

Active Role of Government: In developing the information security infrastructure, the government should play the leading role, as 83% of the respondents believe. The government should facilitate, and impose if necessary, conditions to develop this infrastructure through the Ministry of Finance and Bangladesh Bank. Strategic priority should therefore be given to this issue by the government when designing development programs.

Mandatory In-house or Outsourced Training Programs: Some 58% of banks opined that Bangladesh Bank, the central bank of Bangladesh, must make in-house or outsourced training mandatory for all employees of every bank. This policy direction would make the banks more proactive in creating a conscious human resource pool that would contribute to preventing unauthorized access to information.
Central Monitoring by the Bangladesh Bank: Bangladesh Bank, as the facilitator and monitor of the whole banking industry, should have a separate monitoring and supervision division dedicated to monitoring the information flow and the preparedness of banks in mitigating information insecurity. Some 54% of respondents believe this would help the whole industry to be more efficient in information management. This would require the Bangladesh Bank to develop its own strong and up to date infrastructure. The Bangladesh Bank should also oversee that the ICT policy it has proposed is implemented effectively.

Establishing Specialized Training Centres: As information management and ensuring information security require some degree of technical and ethical education, it is necessary to establish specialized training houses on this issue (46%). Moreover, banks must also have a separate training division or regular training programs to train their fresh employees. Banks which already have training centres or divisions may include information security issues in the course curriculum.

Creating Awareness on Information Security: A very important strategy is creating awareness (suggested by 41% of the surveyed banks). This is especially important since protection of information requires a highly ethical environment. To create awareness, awareness programs can be introduced nationwide, regularly or occasionally, by banks individually, by the Bangladesh Association of Bankers or by the Government itself.

Apart from the survey findings, the study identifies some very important points that might serve as valuable starting points for ensuring information security.

Integrated Efforts of Associations: Like NASSCOM in India, Bangladesh has two associations that deal with and facilitate the information technology sector of Bangladesh: Bangladesh Association of Software and Information Services (BASIS) and Bangladesh Computer Society (BCS). It is evident that NASSCOM has been excellently facilitating skill development by offering a number of programs, and also helping the government to reduce information security vulnerability. Specifically for the banking industry, BASIS and BCS should work together with the government of Bangladesh to update the ICT policy regularly, provide regular training to old and fresh employees within the organization, establish large scale and nationwide central training and monitoring centres, facilitate banks with adequate expertise etc.

Making Mandatory Compliance with International Standards: The Bangladesh Bank may require every bank in the industry to comply with international information security laws and standards such as BS 7799 or ISO 17799. Beyond ensuring compliance, Bangladesh Bank must also regularly oversee whether any update in the international standards is complied with immediately.

Making Use of Licensed Products Mandatory: In Bangladesh, as a developing country, many corporations are still using unauthorised, pirated software products that are not licensed, which creates a great risk of losing information or data (at least if a software product suddenly becomes inoperative or corrupt). Piracy prevention programs must be seriously conducted to identify such practices.

Survey of Information Security Status: Regulatory authorities in Bangladesh should conduct surveys on practices and challenges in the banking industry to understand the quality of the information security policies. Bangladesh Bank, in coordination with BASIS or BCS, may help every bank to develop a comprehensive internal information security guideline.

Concentration of IT Education: There are 15 science and technology universities in Bangladesh producing thousands of IT graduates every year. It has been observed that the best graduates usually leave Bangladesh, as there are few very good opportunities. Information security infrastructure can create an excellent platform for these graduates to build a very good career. Moreover, around 50 percent of these universities are not really producing graduates of international standard. Therefore, the Bangladesh government should ensure two things, as China has done: incorporating comprehensive, updated coursework in the curriculum of IT education, and then creating a national information security platform to accommodate these graduates.

The corporate sector of Bangladesh has not yet felt the pinch of information security vulnerability much. Every industry in the country is still rising, and therefore their strength and resources are also still developing. There are some industries, such as Banking, Non-Banking Financial Institutions, Telecommunication etc., which deal with millions of items of customer and institutional information every day. The performance and reputation of banks in particular are highly sensitive to information security. Some banks have already faced security threats and have thus borne a good amount of financial and reputational loss (such as National Bank Limited). Lack of awareness and training of employees, and unavailability of proper expertise, guidelines and consultation, have resulted in such loss. But the situation, as expected by the respondents of the survey, may deteriorate in the coming days. The banking sector in Bangladesh has been rapidly expanding. Therefore there is a sheer need for, and importance of, information security. The study shows that banks in Bangladesh have different platforms for information processing, sharing, and transferring. Many of these banks are facing physical and online information damage regularly. Although many banks have their own ICT risk management policy, lack of proper implementation of the policy is exposing more banks to a greater degree of insecurity of their institutional information, and also of the information of a huge number of customers. The sensitivity of the issue is always quite high. Therefore, the government and the Bangladesh Bank should take the lead in paving the way for ensuring information security. As a bank's success largely depends on its reputation in this competitive age, an unprecedented event may lead to huge business loss. Therefore, the banking industry as a whole should be aware enough to accommodate the issue of information security in its own strategic policies.

REFERENCES
(i) Anand, V., 2008, Future Security Threats Outlook, PC Quest, Available at: http://www.iss.net/xforce_report_http://pcquest.ciol.com/2008/images/2008/index.html, April 05.

(ii) Chaffey, D. and Wood, S., 2005, Business Information Management: Improving Performance Using Information Systems, First Edition, Prentice Hall.

(iii) Chowdhury, J. R., 2001, Information Technology in Bangladesh Observer Magazine, June 1, Bangladesh.

(iv) Coffey, K., 2003, Crooks Who Use Your ATM Card As A Passport To Your Account, Available at: http://kevincoffey.com/money/atm_debit_card_fraud_information.htm

(v) Corbin, T., 2008, Letter sent to E-security Review Team, Attorney-General's Department, Consumers' Telecommunications Network, October 18, Available from: http://www.ctn.org.au/content.cfm?Live=0&ContentType=Content&ContentID=388

(vi) Federal Bureau of Investigation, April 3, 2003, Testimony by James E. Farnan, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, before the House Financial Services Committee, Subcommittees on Financial Institutions and Consumer Credit, and Oversight and Investigations, published on FBI website, Available from: http://financialservices.house.gov/media/pdf/040303jf.pdf

(vii) Financial Services Authority, November, 2004, Countering Financial Crime Risks in Information Security, Financial Crime Sector Report.

(viii) Georgia Tech Information Security Center, 2007, Emerging Cyber Threats Report for 2008, Leading technology experts share thoughts on top emerging Internet threats for 2008, October 2, Available from: www.gtisc.gatech.edu/pdf/GTISC%20Cyber%20Threats%20Report.pdf

(ix) Gupta, G. U. and Collins, W., 1997, The impact of information systems on the efficiency of banks: an empirical investigation, Journal of Industrial Management & Data Systems, Volume 97, Issue 1, Page 10-16.

(x) Heath, N., 2009, The five biggest security threats facing businesses today: From the poison pharms to the cloud's evil lining, February 04, Available from: http://www.silicon.com/research/specialreports/future-proofing/the-five-biggestsecurity-threats-facing-businesses-today-39376850.htm

(xi) Holappa, J., Ahonen, P., Eronen, J., Kajava, J., Kaksonen, T., Karjalainen, K., Pekka, J., Koivisto, Kuusela, E., Ville, Ollikainen, Rapeli, M., Sademies, A. & Savola, R., 2005, Information Security Threats and Solutions in Digital Television: The Service Developer's Perspective, VTT Electronics Research Notes 2306.

(xii) James, G. D., 2007, Statistical Analysis of Internet Security Threats, March 25, Available from: http://www.infosecwriters.com/text_resources/pdf/Statistical_Analysis_Internet_DJames.pdf

(xiii) Joiner, B., 2008, Information Security Update: Threats & Opportunities, Presented at the Atlanta ARMA Meeting, Federal Reserve Bank of Atlanta.

(xiv) Keeney, M., Kowalski, E., National Threat Assessment Center, United States Secret Service of Washington DC and Cappelli, D., Moore, A., Shimeall, T., Rogers, S. of CERT Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, May 2005, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA.

(xv) Kishore, P., 2008, Experience in Implementing Security Measures at SBI - A Case Study, The State Bank of India.

(xvi) Kun, M. L., 2004, Emerging Technologies and Innovation in Banking: Drivers for Growth, Gartner Inc., Miami.

(xvii) Laudon, J. and Laudon, K., Management Information Systems - Managing the digital firms, 8th Edition, 2004-2005, Prentice Hall of India Private Ltd.

(xviii) Libicki, M., 2002, The future of information security, Institute for National Strategic Studies, Washington, D.C.

(xix) Libicki, M., 2008, The Future of Information Security, Available from: http://www.fas.org/irp/threat/cyber/docs/infosec.htm

(xx) Logica, 2008, Information security in the UK life, savings & investment and pensions sector: A Logica snapshot survey, May 20.

(xxi) Merkow, M. & Breithaupt, J., Information Security Principles and Practices.

(xxii) Nagaoka, H., Ukai, Y. and Takemura, T., 2006, Economic Analysis of Information System Investment in Banking Industry: Chapter-Information System Strategy of Nationwide Banks, Springer Tokyo, Pages 29-52.

(xxiii) Network Magazine, 2003, Information Security: A new approach, Cover Story - April.

(xxiv) Norn G, 2006, India and China from an Information Security Perspective, Confederation of Swedish Enterprise.

(xxv) Petroni, A., 1999, Managing information systems contingencies in banks: a case study, Journal on Disaster Prevention and Management, Volume: 8, Issue: 2, Page: 101-110.

(xxvi) Petrides, L. A., 2004, Knowledge Management, Information Systems, and Organizations, Institute for the Study of Knowledge Management in Education, Educause Centre for Applied Research, Colorado.

(xxvii) Rai, A., 2008, Keeping Digital Vigil, Available from: http://www.livemint.com/articles/2008/07/27220545/Keeping-a-digital-vigil.html, July 28.

(xxviii) Raihan, A., 2001, Computerization and IT in the Banking Sector of Bangladesh: Hindrances and Remedies. A paper presented in the National Seminar organized by BIBM, June 09, Bangladesh.

(xxix) Smith, N. G. and Oppenheim, C., 1994, The role of information systems and technology (IS/IT) in investment banks, Journal of Information Science, Vol. 20, No. 5, 323-333.

(xxx) Smullen, J., 1995, Financial management information and analysis for retail banks, Woodhead Publishing Limited, October.

(xxxi) Strand, J., 2009, Future security threats: Enterprise attacks of 2009, Jan 12, http://www.searchsecurityasia.com/content/future-security-threats-enterpriseattacks-2009.

(xxxii) Usher, A., 2006, Essential Strategies for Protecting Against the New Wave Of Information Security Threats, Sharp Ideas LLC.

(xxxiii) Usmani, K., 2008, Information Security Threats and Measures, (CERT-MU) National Computer Board, Workshop on the adoption of Information Security Standards, Ebene Cyber Tower Conference Hall, Available from: http://www.gov.mu/portal/sites/cert/files/presentations/Information%20Security%20Threats1.pdf

(xxxiv) Watanabe, Y., Mizuno, Y., Yamada, K. and Inoue, S., 1998, New Financial Information System for the Network Computing Era, Hitachi Review Vol. 47, No. 6.
