The following document elaborates on how Mobile Device Manager Plus can help enterprises achieve certain requirements of RBI compliance.
The Reserve Bank of India has its own set of cyber laws. They are a direct consequence of the low entry barriers, constantly evolving nature, resourcefulness, and ever-increasing velocity and scale of attacks. All banks must abide by the requirements put forth by the central bank in order to operate in India. Mobile Device Manager Plus can help banks adhere to these guidelines and strengthen their security and resilience. Here is how:
Requirement | Sl No | Requirement Description | How Mobile Device Manager Plus fulfills it? |
Inventory Management of Business IT Assets | 1.1 | Maintain an up-to-date inventory of Assets, including business data/information | Obtain extensive hardware and software insights about laptops, desktops and mobile devices from MDMP's inventory management and reporting. By integrating with the helpdesk solution ServiceDesk Plus (SDP), device criticality can be assigned. |
Preventing execution of unauthorised software | 2.1 | Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing allowlisting of authorised applications/software/libraries, etc. | Application management in Mobile Device Manager Plus provides application control by prohibiting unwanted/malicious applications. Additionally, blocklist malicious apps and restrict unapproved apps from being installed on the device. |
 | 2.2 | Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block/prevent and identify installation and running of unauthorised software/applications on such devices/systems. | MDMP's application management and app catalog features can be leveraged to install and uninstall apps from a central console. Additionally, blocklist malicious apps and restrict unapproved apps from being installed on the device. |
 | 2.3 | Continuously monitor the release of patches by various vendors/OEMs, advisories issued by CERT-In and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. If a patch/series of patches is/are released by the OEM/manufacturer/vendor for protection against well-known/well publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process. | All app and OS update information is synchronized with the Mobile Device Manager Plus server. Leverage the automated app and OS management feature to instantly deploy the latest app versions and critical security updates to your managed devices. Additionally, you can test and approve OS updates in a controlled test environment before rolling them out to business-critical devices, ensuring stability and compliance. |
Secure Configuration | 5.1 | Document and apply baseline security requirements/configurations to all categories of devices (end-points/workstations, mobile devices, operating systems, databases, applications, network devices, security devices, security systems, etc.), throughout the lifecycle (from conception to deployment) and carry out reviews periodically. | Mobile Device Manager Plus provides a dedicated configuration for security policies that can be applied organisation-wide or only to selected endpoints/users. Geo-tracking can help in locating lost devices and thereby prevent data loss. Device lockdown functionality can be achieved with Mobile Device Manager Plus. |
Application Security Life Cycle (ASLC) | 6.8 | Consider implementing measures such as installing “containerized” apps on mobile/smart phones for exclusive business use that is encrypted and separated from other smartphone data/applications; measures to initiate a remote wipe on the containerized app, rendering the data unreadable, in case of requirement may also be considered. | Containerization of corporate data can be achieved using Mobile Device Manager Plus, with the ability to prevent clipboard access. Policies, restrictions and grouping based on device ownership (BYOD and COPE) can be configured. A corporate wipe for Bring Your Own Devices and a complete wipe for Corporate Owned, Personally Enabled devices can be performed during de-enrollment. The geo-fencing capabilities of Mobile Device Manager Plus empower the organisation to implement access management. |
User Access Control / Management | 8.8 | Implement measures to control installation of software on PCs/laptops, etc. | A dedicated app management module to install/uninstall apps is available. Apps can be prohibited in the network, and such prohibited apps can be uninstalled automatically from devices. |
 | 8.9 | Implement controls for remote management/wiping/locking of mobile devices including laptops, etc. | Remote administration, remote lock and wipe of mobile devices can be achieved using Mobile Device Manager Plus. |
Removable Media | 12.1 | Define and implement policy for restriction and secure use of removable media/BYOD on various types/categories of devices including but not limited to workstations/PCs/Laptops/Mobile devices/servers, etc. and secure erasure of data on such media after use. | Mobile Device Manager Plus's Secure USB feature allows network administrators to selectively limit the scope of USB instance usage by restricting or allowing full use. The ability to set the restriction at either the computer level or the user level helps maintain security while keeping the flexibility to create and apply policies for USB access based on employee roles and departments. |
 | 12.4 | Consider implementing centralised policies through Active Directory or Endpoint management systems to whitelist/blacklist/restrict removable media use. | |
 | 12.5 | As default rule, use of removable devices and media should not be permitted in the banking environment unless specifically authorised for defined use and duration of use. | USB instances can be set to be blocked by default in the entire network, and the restriction can be revoked at the user or device level, providing flexibility on USB usage permission. |
Advanced Real-time Threat Defence and Management | 13.3 | Consider implementing whitelisting of internet websites/systems. | Using Web content filtering or proxy configuration, IT admins can achieve whitelisting and blocklisting of URLs. |
Audit Log settings | 17.1 | Implement and periodically validate settings for capturing of appropriate logs/audit trails of each device, system software and application software, ensuring that logs include minimum information to uniquely identify the log for example by including a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or event and/or transaction. | Device actions performed by the admin, and hardware and software added or removed, are logged along with the timestamp, date, and username for audit purposes. Additionally, the concerned authority can be alerted to these changes by email for immediate redressal in case of contingencies. |