Allana Institute of Management Sciences, Pune | aimsjournal.org | haridas.undri@gmail.com | ISSN No.: 2581-3137 (Online), ISSN No.: 2231-0290 | UGC Approved Journal (Serial No. 43754)

A Study of Information System Logical Access Controls for System Administrator in Urban Cooperative Banks in Pune

Sadique Sache (BE, MBA, MPhil, CISA), Research Scholar, AIMS, Pune
Dr Manik Kadam (MSc, MBA, MPhil, PhD), Professor, MBA, AIMS, Pune

Keywords: Urban Co-Operative Banks, Security Systems, Access Controls, Confidentiality, Integrity, Password
Volume 7, Issue 1, July 2017 - December 2017, pp. 18-27

1.1 Abstract

Information technology has revolutionized the entire banking scenario in the world. Banks cannot afford to stay aloof from the winds of change in information technology. In the last few years the changes in the banking domain and related technology have been tremendous. To maintain their competitive advantage and meet legal requirements, banks have implemented various IT solutions. Most of the banks now have their entire data computerized. This computerization has given rise to new risks and issues, and information system security is now a major concern for all the banks. The role of the system administrator has come to the forefront in this scenario. The system administrator is responsible for ensuring the CIA (Confidentiality, Integrity and Availability) of the data. The objective of this paper is to understand the various logical access controls for system administrators in urban cooperative banks in Pune.
1.2 Introduction

Banks the world over are increasingly being computerized and this trend is likely to continue for years to come. Use of Information Technology has become crucial for the success and survival of financial institutions. Information technology has broken the barriers of time, distance and speed and has dramatically changed the way transactions are done.

Computer-based information systems differ from manual record systems in the concentration of information. In a manual system, the information is scattered across different locations in various files and folders. However, in a computer system all the necessary records are maintained at a single site or computer. So, for someone to gain access to all the information of the bank, he needs only to gain access to one machine. This concentration of information system assets and records also increases the losses that can arise from computer system disaster or abuse. It is well understood that the three pillars of information security are Confidentiality, Integrity and Availability (CIA), and it is the key role of the system administrator to ensure these three pillars remain intact for the smooth working of the bank.

Confidentiality: refers to the prevention of unauthorized disclosure of information, whether intentional or unintentional. Protecting confidentiality hinges upon defining and enforcing appropriate access levels for information. Doing so often involves separating information into discrete collections organized by who should have access to it and how sensitive it is.

Integrity: refers to the prevention of unauthorized modification of the data. An integral system ensures that changes to the data are made only by authorized personnel. It also ensures that when authorized people make changes that should not have been made, the damage can be undone. The data is consistent across the system and there is no variation in it.

Availability: this concept of information security ensures that the information is available to authorized users as and when required. Availability ensures the system is working properly and is up and running whenever the required information is sought.

The Indian banking system broadly comprises commercial banking and co-operative banking. The State Bank of India and its subsidiaries, public sector banks, regional rural banks and private sector banks represent the commercial banking system. The State Co-operative Bank at the apex level, District Co-operative Banks at the district level and primary agricultural credit societies at the grass-root level represent co-operative banking.

As per circular UBD.BPD.Cir.No. 71/12.09.000/2013-14, the Reserve Bank of India has advised co-operative banks across India to introduce EDP Audit to mitigate the risks and issues arising from the adoption of computer technology. As per the circular, UCBs may adopt an IS audit policy, if not already done, appropriate to their level of operations, complexity of business and level of computerization, and review the same at regular intervals in tune with guidelines issued by RBI from time to time.
One of the key aspects of the EDP Audit is the validation of Information System Security Controls. Since Urban Cooperative Banks are closer to the general public, and because of their place-specific and people-specific nature, the researcher felt the need to understand logical access controls for system administrators in the Urban Cooperative Banks.

1.2 Objectives of the Study

To identify the various logical access controls for system administrators in Urban Cooperative Banks in Pune.

1.3 Hypothesis

"The implementation of logical access controls for system administrator in Urban Cooperative Banks are satisfactory"

1.4 Research Methodology

The research is divided into two parts: primary research and secondary research.

The following methodology was used for primary research:

Questionnaire: An exhaustive questionnaire was prepared to gather primary information regarding the Information System logical access security controls in the Urban Cooperative Banks.

Personal interview and discussion: Interviews and discussions were held with various staff of the Urban Cooperative Banks to gather information on the questions and queries in the questionnaire.

Observation: This is one of the most important methods followed for gathering information regarding the actual state of Information System logical access security controls in the various Urban Cooperative Banks.

The following methodology was used for secondary research:

Library: Books, reports and journals from the libraries of the University of Pune, AIMS, etc. were referred to initially, to gather secondary information about the topic and to get an understanding of the various aspects of the subject.

Internet: The Internet was searched for sites related to Information System security controls, such as isaca.org, itgi.org, sans.org, www.rbi.org.in, etc.

1.5 Sampling

As per the annual report of 2014-2015 of the Pune District Urban Cooperative Banks Association Ltd., there are around 36 cooperative banks in Pune. A random sample of 19 Urban Cooperative Banks was taken for the research paper.

1.6 Hypothesis Testing

Hypothesis: "The implementation of logical access controls for system administrator in Urban Cooperative Banks are satisfactory"

Purpose: The purpose of the hypothesis is to understand the implementation of logical access controls for system administrators.

Statistical test: sign (binomial) test

Variables and measurement: The bank system administrators were asked to provide information on the following areas related to the above hypothesis. The responses were later converted into a 2-point scale (1 = "Acceptable" and 2 = "Not acceptable") using the "Recode into Different Variables" command of IBM SPSS 21.

Sr. No | Variable
1 | Dedicated system administrator
2 | Backup system administrator
3 | Period for password change
4 | Maximum length of the password acceptable
5 | Minimum length of the password acceptable
6 | Acceptance of alphanumeric characters
7 | Acceptance of previous password as change password
8 | Automatic disconnection of login session
9 | Deactivation of logon ids not used for a number of days
10 | Time for deactivation
11 | Permanent deactivation of login ids with multiple attempts of incorrect password
12 | Track of unsuccessful trials
13 | Change of password on the first access to the system
14 | Password of an employee who has been transferred
15 | User groups creation
16 | Restricted menu display for each user profile

Test proportion: The test proportion was taken as 0.5, since more than 50% favorable responses to a category suggest greater approval for that category. Hence P = 0.5.

H0: P ≤ 0.5; H1: P > 0.5 (proportion of responses indicating "The implementation of logical access controls for system administrator in Urban Cooperative Banks are satisfactory" is more than 50%)

Level of significance = 0.05

Question | Category | N | Observed Prop. | Test Prop. | Exact Sig. (2-tailed)
Who is the system administrator | Group 1: Not acceptable | 3 | 0.16 | 0.5 | p=0.04
 | Group 2: Acceptable | 16 | 0.84 | |
 | Total | 19 | 1 | |
Are there more than one system administrators | Group 1: Not acceptable | 6 | 0.32 | 0.5 | p=0.167
 | Group 2: Acceptable | 13 | 0.68 | |
 | Total | 19 | 1 | |
How often is the password for the system administrators changed | Group 1: Acceptable | 16 | 0.84 | 0.5 | p=0.004
 | Group 2: Not acceptable | 3 | 0.16 | |
 | Total | 19 | 1 | |
What is the maximum length of the password acceptable | Group 1: Acceptable | 19 | 1 | 0.5 | p=0.000
 | Total | 19 | 1 | |
What is the minimum length of the password acceptable | Group 1: Not acceptable | 1 | 0.05 | 0.5 | p=0.000
 | Group 2: Acceptable | 18 | 0.95 | |
 | Total | 19 | 1 | |
Does the password allow alphanumeric characters | Group 1: Acceptable | 19 | 1 | 0.5 | p=0.000
 | Total | 19 | 1 | |
Does the system allow a previous password as change password | Group 1: Acceptable | 19 | 1 | 0.5 | p=0.000
 | Total | 19 | 1 | |
Does the system automatically disconnect a login session if no activity has occurred for a period of time | Group 1: Acceptable | 19 | 1 | 0.5 | p=0.000
 | Total | 19 | 1 | |
Are logon ids not used for a number of days deactivated | Group 1: Acceptable | 18 | 0.95 | 0.5 | p=0.000
 | Group 2: Not acceptable | 1 | 0.05 | |
 | Total | 19 | 1 | |
What is the time period | Group 1: Acceptable | 17 | 0.89 | 0.5 | p=0.001
 | Group 2: Not acceptable | 2 | 0.11 | |
 | Total | 19 | 1 | |
If a wrong password is entered a predefined number of times, is the id permanently deactivated | Group 1: Not acceptable | 3 | 0.16 | 0.5 | p=0.004
 | Group 2: Acceptable | 16 | 0.84 | |
 | Total | 19 | 1 | |
Does the system keep track of unsuccessful trials | Group 1: Not acceptable | 7 | 0.37 | 0.5 | p=0.359
 | Group 2: Acceptable | 12 | 0.63 | |
 | Total | 19 | 1 | |
Is a client forced to change his password on his first access to the system | Group 1: Acceptable | 19 | 1 | 0.5 | p=0.000
 | Total | 19 | 1 | |
What is done to the password of an employee who has been transferred | Group 1: Acceptable | 15 | 0.79 | 0.5 | p=0.019
 | Group 2: Not acceptable | 4 | 0.21 | |
 | Total | 19 | 1 | |
Are the user groups created | Group 1: Acceptable | 19 | 1 | 0.5 | p=0.000
 | Total | 19 | 1 | |
Is there a restricted menu display for each user profile | Group 1: Acceptable | 19 | 1 | 0.5 | p=0.000
 | Total | 19 | 1 | |

1.7 Interpretation

Dedicated system administrator: Observed proportion: 0.84, Test proportion: 0.5, p0.05. Hence more than 50% of the banks have a backup system administrator, which is an acceptable practice.

Period for password change: Observed proportion: 0.84, Test proportion: 0.5, p
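The 16 variables listed in section 1.6 are the settings an IS auditor would check on the administrator account of a core banking system. As an added example (not part of the paper, and not a tool the authors describe), the Python below scores one such policy on the paper's own 2-point scale. The paper does not publish the cut-offs it used when recoding responses, so every threshold here (90-day password age, 8-character minimum, 15-minute idle timeout, 90-day dormancy, 5 failed attempts) is an assumption of this example; the two sample policies are constructed, not survey data.

```python
"""Score a system-administrator account policy on the 16 logical access
controls surveyed in section 1.6, using the paper's 2-point scale.
Thresholds are this example's assumptions; the paper does not state its own."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCEPTABLE = "Acceptable"
NOT_ACCEPTABLE = "Not acceptable"

# Assumed cut-offs (not from the paper).
MAX_PASSWORD_AGE_DAYS = 90     # admin password must be rotated at least this often
MIN_PASSWORD_LENGTH = 8        # shortest password the system may accept
MIN_ALLOWED_MAX_LENGTH = 14    # system must permit at least this many characters
MAX_IDLE_MINUTES = 15          # idle session must be disconnected within this time
MAX_DORMANT_DAYS = 90          # unused logon ids deactivated within this period
MAX_FAILED_ATTEMPTS = 5        # lockout after at most this many wrong passwords


@dataclass
class AdminAccessPolicy:
    dedicated_admin: bool
    backup_admin: bool
    password_change_days: Optional[int]       # None = rotation never enforced
    max_password_length: int
    min_password_length: int
    alphanumeric_required: bool
    previous_password_reusable: bool
    idle_disconnect_minutes: Optional[int]    # None = sessions never time out
    dormant_deactivation_days: Optional[int]  # None = dormant ids stay active
    lockout_after_attempts: Optional[int]     # None = no lockout at all
    failed_attempts_logged: bool
    force_change_on_first_login: bool
    transfer_resets_password: bool
    user_groups_defined: bool
    menu_restricted_per_profile: bool


def evaluate(p: AdminAccessPolicy) -> Dict[str, str]:
    """Map each of the paper's 16 variables to 'Acceptable' / 'Not acceptable'."""
    checks = {
        "Dedicated system administrator": p.dedicated_admin,
        "Backup system administrator": p.backup_admin,
        "Period for password change":
            p.password_change_days is not None and p.password_change_days <= MAX_PASSWORD_AGE_DAYS,
        "Maximum length of the password acceptable": p.max_password_length >= MIN_ALLOWED_MAX_LENGTH,
        "Minimum length of the password acceptable": p.min_password_length >= MIN_PASSWORD_LENGTH,
        "Acceptance of alphanumeric characters": p.alphanumeric_required,
        # Acceptable means the system refuses to re-use a previous password.
        "Acceptance of previous password as change password": not p.previous_password_reusable,
        "Automatic disconnection of login session":
            p.idle_disconnect_minutes is not None and p.idle_disconnect_minutes <= MAX_IDLE_MINUTES,
        "Deactivation of logon ids not used for a number of days": p.dormant_deactivation_days is not None,
        "Time for deactivation":
            p.dormant_deactivation_days is not None and p.dormant_deactivation_days <= MAX_DORMANT_DAYS,
        "Permanent deactivation of login ids with multiple attempts of incorrect password":
            p.lockout_after_attempts is not None and p.lockout_after_attempts <= MAX_FAILED_ATTEMPTS,
        "Track of unsuccessful trials": p.failed_attempts_logged,
        "Change of password on the first access to the system": p.force_change_on_first_login,
        "Password of an employee who has been transferred": p.transfer_resets_password,
        "User groups creation": p.user_groups_defined,
        "Restricted menu display for each user profile": p.menu_restricted_per_profile,
    }
    return {name: ACCEPTABLE if ok else NOT_ACCEPTABLE for name, ok in checks.items()}


def not_acceptable(p: AdminAccessPolicy) -> List[str]:
    """Variables on which the policy would be recoded as 'Not acceptable'."""
    return [name for name, verdict in evaluate(p).items() if verdict == NOT_ACCEPTABLE]


# Constructed sample policies (not survey responses from the paper).
WEAK_POLICY = AdminAccessPolicy(
    dedicated_admin=True, backup_admin=False, password_change_days=None,
    max_password_length=8, min_password_length=4, alphanumeric_required=False,
    previous_password_reusable=True, idle_disconnect_minutes=None,
    dormant_deactivation_days=None, lockout_after_attempts=None,
    failed_attempts_logged=False, force_change_on_first_login=False,
    transfer_resets_password=False, user_groups_defined=True,
    menu_restricted_per_profile=False)

HARDENED_POLICY = AdminAccessPolicy(
    dedicated_admin=True, backup_admin=True, password_change_days=45,
    max_password_length=64, min_password_length=12, alphanumeric_required=True,
    previous_password_reusable=False, idle_disconnect_minutes=10,
    dormant_deactivation_days=60, lockout_after_attempts=3,
    failed_attempts_logged=True, force_change_on_first_login=True,
    transfer_resets_password=True, user_groups_defined=True,
    menu_restricted_per_profile=True)

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {len(not_acceptable(policy))} of 16 controls not acceptable")
        for name in not_acceptable(policy):
            print("  -", name)
```

Variables 9 and 10 are deliberately coupled: a system that never deactivates dormant ids fails both, while one that deactivates them only after a year passes the first and fails the second, which mirrors how the questionnaire splits "is it done" from "how soon".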
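Section 1.6 reports SPSS exact two-tailed significances for a binomial (sign) test against a test proportion of 0.5 with 19 banks. As an added example, not from the paper, the following standard-library Python recomputes those p-values from the "Acceptable" counts transcribed from the results table, so a reader can check any row: with 19 banks, 16 acceptable responses give p = 0.004, 13 give p = 0.167, and 12 give p = 0.359. The helper names and the decision rule (H1 supported only when the observed proportion exceeds 0.5 and p < 0.05) are this example's own, not SPSS output.

```python
"""Exact two-tailed binomial (sign) test for the 'Acceptable' proportions
reported in section 1.6, using only the Python standard library."""
from math import comb
from typing import Dict, List, Tuple

N_BANKS = 19            # sample size from section 1.5
TEST_PROPORTION = 0.5   # test proportion from section 1.6
ALPHA = 0.05            # level of significance from section 1.6

# 'Acceptable' counts per variable, transcribed from the results table in 1.6.
ACCEPTABLE_COUNTS: Dict[str, int] = {
    "Dedicated system administrator": 16,
    "Backup system administrator": 13,
    "Period for password change": 16,
    "Maximum length of the password acceptable": 19,
    "Minimum length of the password acceptable": 18,
    "Acceptance of alphanumeric characters": 19,
    "Acceptance of previous password as change password": 19,
    "Automatic disconnection of login session": 19,
    "Deactivation of logon ids not used for a number of days": 18,
    "Time for deactivation": 17,
    "Permanent deactivation of login ids with multiple attempts of incorrect password": 16,
    "Track of unsuccessful trials": 12,
    "Change of password on the first access to the system": 19,
    "Password of an employee who has been transferred": 15,
    "User groups creation": 19,
    "Restricted menu display for each user profile": 19,
}


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), summed exactly term by term."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def exact_two_tailed_p(k: int, n: int, p: float = 0.5) -> float:
    """Exact two-tailed significance for a symmetric test proportion:
    twice the probability mass in the smaller tail, capped at 1.
    Doubling one tail is only exact when p == 0.5, so refuse other values."""
    if p != 0.5:
        raise ValueError("tail doubling is exact only for a test proportion of 0.5")
    smaller_tail = min(k, n - k)
    return min(1.0, 2 * binomial_cdf(smaller_tail, n, p))


def sign_test(counts: Dict[str, int], n: int = N_BANKS) -> List[Tuple[str, int, float, float, bool]]:
    """One row per variable: (name, acceptable, observed prop, p, supports H1)."""
    rows = []
    for variable, acceptable in counts.items():
        observed = acceptable / n
        p_value = exact_two_tailed_p(acceptable, n, TEST_PROPORTION)
        # H1 (P > 0.5) is supported only when the majority answered 'Acceptable'
        # AND that majority is too large to be chance at the 0.05 level.
        supports_h1 = observed > TEST_PROPORTION and p_value < ALPHA
        rows.append((variable, acceptable, round(observed, 2), round(p_value, 3), supports_h1))
    return rows


def variables_supporting_hypothesis(counts: Dict[str, int], n: int = N_BANKS) -> List[str]:
    """Variables on which the 'satisfactory implementation' hypothesis holds."""
    return [row[0] for row in sign_test(counts, n) if row[4]]


if __name__ == "__main__":
    for variable, k, observed, p_value, supported in sign_test(ACCEPTABLE_COUNTS):
        verdict = "H1 supported" if supported else "not significant"
        print(f"{variable[:48]:<48} {k:>2}/{N_BANKS}  obs={observed:.2f}  p={p_value:.3f}  {verdict}")
```

Running it shows why the "backup system administrator" (13 of 19) and "track of unsuccessful trials" (12 of 19) rows are the two on which a majority answered "Acceptable" but the sample is too small to reject H0 at the 0.05 level.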