ICT Security Policy.docx

ICT Policy and practices of One Bank Ltd.

Table of Contents (topic - page)

1. Introduction - p. 1
2. Purpose and Scope - p. 1
3. Definitions - p. 1
4. Roles and Responsibilities - pp. 2-3
   Board of Directors - p. 2
   ONE Bank Senior Management - p. 2
   Information Technology Division Head - p. 2
   Network Manager - p. 2
   System Administrator - p. 2
   Database Administrator - p. 3
   Data Center Manager - p. 3
   Branch Managers, Other Divisional Heads and Employees - p. 3
   Internal IT Auditor - p. 3
   Vendors, Subcontractors and Outsourcers - p. 3
5. Physical Security - pp. 3-8
   Control Standards - Data Center Physical Access - p. 5
   Control Standards - Business Unit Network Server Physical Access - p. 6
   Control Standards - Business Unit End User Workstation Physical Access - p. 6
   Control Standards - End User Portable Laptop Computers Physical Access - p. 6
   Environmental Threats and Controls - p. 7
   Backup Power for Power Outage Situations - p. 7
   Emergency Power-off Switches - p. 7
   Emergency Lighting - p. 7
   Water Sensors and Temperature/Humidity Alarms - p. 7
   Fire Detection and Suppression Controls - p. 8
   Site Construction Capabilities - p. 8
6. Logical Security - pp. 8-12
   Identification and Authentication - p. 9
   Data Integrity and Confidentiality - p. 10
   Virus Protection - p. 10
   Spyware Protection - p. 11
   Data Encryption - p. 11
   Information Disclosure - p. 12
7. Email Security - p. 13
8. Internet Security - p. 15
9. Network Security - p. 16
10. Disaster Recovery - pp. 17-18
   Disaster Recovery Plan - p. 17
   Data Backup - p. 18
11. Change Request Management - p. 18
12. Hardware Management - p. 20
13. System Development and Testing - pp. 21-26
   Project Initiation - p. 21
   Development Tools Selection - p. 22
   Team Assignment - p. 22
   Preliminary Analysis - p. 23
   Project Plan Preparation - p. 23
   System Design Documentation - p. 24
   Coding - p. 24
   Testing - p. 25
   Data Migration - p. 25
   Backup Policy - p. 25
   Deployment - p. 25
   Security Measures - p. 26
14. Internet Banking - p. 26
15. Service Provider Management - p. 27
16. Training - p. 27
17. Internal IT Audit - p. 27
18. Disciplinary Actions - p. 28
19. Green Banking - p. 28
Benefits of Emerging ICT & E-banking - pp. 29-30
Conclusion and Findings - pp. 30-31

ONE BANK LIMITED'S PROFILE

ONE Bank Limited was incorporated in May, 1999 with the Registrar of Joint Stock Companies under the Companies Act, 1994, as a commercial bank in the private sector. The Bank is pledge-bound to serve the customers and the community with utmost dedication. The prime focus is on efficiency, transparency, precision and motivation, with the spirit and conviction to excel as ONE Bank in both value and image.

Address: Corporate Head Quarters - HRC Bhaban, 46, Kawran Bazar, Dhaka 1215, Bangladesh

The name 'ONE Bank' is derived from the insight and long-nourished feelings of the promoters to reach out to people from all walks of life and progress together towards prosperity in a spirit of oneness.

While financing the industrial sector, the major concentration of the bank has been in the textile and RMG sectors; together these two sectors cover 30.89% of the total portfolio. OBL is also involved in cement, construction and transport sector financing. In the investment portfolio, OBL has substantial investment in quoted and non-quoted shares of different organizations, including some very prospective financial institutions. The bank has shown its acumen in reducing its exposure to the ship scrapping and steel re-rolling sectors, where the bank had investments earlier. With the increase in exposure to RMG, the bank has increased its non-funded business income substantially. At an age of only 8 years, OBL has taken the initiative to launch IT-based banking products such as ATM facilities and E-banking, which is praiseworthy.

THIRD GENERATION PRIVATE COMMERCIAL BANK

OBL is a private sector commercial bank dedicated to the business of taking deposits from the public through its various saving schemes and lending the funds to various sectors at a higher margin. However, due attention is given to risk undertaking, risk hedging and, where risk is not appropriately hedged, reflection of the same in pricing. On the financing side, the bank's major concentration is in trade finance, covering about 20.88% of total financing as of YE2006, which is mainly short-term investment. The bank's financing is concentrated in both working capital finance and long-term finance.

Vision Statement
- To establish ONE Bank Limited as a Role Model in the Banking Sector of Bangladesh.
- To meet the needs of our Customers, provide fulfillment for our People and create Shareholder Value.

Mission Statement
- To constantly seek to better serve our Customers.
- Be pro-active in fulfilling our Social Responsibilities.
- To review all business lines regularly and develop the Best Practices in the industry.
- Working environment to be supportive of Teamwork, enabling the Employees to perform to the very best of their abilities.

1. Introduction:

Information Security is a crucial issue for organizations, especially for banking and financial institutions. It can be defined as the preservation of the confidentiality, integrity and availability of information. ONE Bank Limited considers Information the most precious asset, which is to be protected and safeguarded like all other valuable assets. However, the information asset is unique, not merely because it is intangible but because securing it poses a unique situation: it is the one asset that can be unlawfully used without depriving the legitimate owner of its possession. A comprehensive ICT Security Policy must be in place to set objectives for the organization as regards the protection of its informational assets. The management of ONE Bank Limited has initiated, and continues to sustain, the effort to develop this ICT Security Policy.

2. Purpose and Scope:

The primary purpose of this Policy is to establish standards to ensure the protection of confidential and/or sensitive information stored or transmitted electronically, and to ensure protection of the Bank's information technology resources. The policy provides guidelines to protect the Bank's systems and data against misuse and/or loss, and explains the roles and responsibilities of individuals regarding communication of and compliance with the standards. Information security is a team effort. It requires the participation and support of all members of the Bank who work with information systems. Thus, each employee must comply with the requirements of the information security policy and its related documentation. Employees who deliberately or through negligence violate the information security policy will be subject to disciplinary action or dismissal. This Security Policy applies to all aspects of information technology resource security including, but not limited to, accidental or unauthorized destruction, disclosure or modification of computers, networks, applications, operating systems and/or data owned or operated by the Bank.

3. Definitions:

Access Control: refers to the rules and deployment mechanisms which control access to information systems, and physical access to premises.

Authorized User: is a person who has been authorized to gain access to the Bank network, computer systems and computer information.

Change: means any implementation of new functionality, any interruption of service, any repair of existing functionality or any removal of existing functionality.

Change Management: is the process of controlling modifications to hardware, software, firmware, and documentation to ensure that Information Resources are protected against improper modification before, during, and after system implementation.

Data Center: is a centralized repository for the storage, management, and dissemination of data and information pertaining to a particular business.

Data Integrity: is the assurance that information can only be accessed or modified by those authorized to do so.

Disaster: is an occurrence inflicting widespread destruction and/or distress. For the purposes of this document this means that the facilities, computing resources, or major components thereof, are deemed unavailable for operations.

Firewall: is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.

Information System: is one or more computers, associated peripherals and software which operate together to perform a definable Bank function.

Information Technology Resource: is any information, including but not limited to information stored in electronic format, and/or the tools used to access and make use of that information (including but not limited to computer programs and applications, databases, computer systems and networks).

Network: is a series of points, including computers and other devices, interconnected by communication paths. Networks include interconnections with other networks and sub-networks and may carry voice, data or other types of signals.

Proxy Server: is a server that sits between a client application and a real server. In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service.

Scheduled Change: is a change for which formal notification has been received, reviewed, and approved by the review process in advance of the change being made.

Security Breach: is a type of activity which includes, but is not limited to, an unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data, and changes to hardware, firmware or software made without appropriate approvals.

Sensitive Information: is information maintained by the Bank which requires special precautions to ensure its accuracy and integrity. It is information that requires a high level of assurance of accuracy and completeness.

Unscheduled Change: is a change for which no notification was presented to the formal process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability.

4. Roles and Responsibilities:

Board of Directors

Approval of the ICT Security Policy is vested with the Board of Directors. They are also responsible for reviewing changes to the ICT Security Policy from time to time. The Board of Directors will review the IT security compliance report that will be prepared by Internal IT Audit. They will also provide guidance and assistance to the IT Division in the enforcement of the ICT Security Policy.

ONE Bank Senior Management

The ONE Bank Senior Management will ensure implementation of all application/process-specific information standards and provide advice and guidance from time to time regarding the same. They are also responsible for pointing out discrepancies in the standards and for requesting waivers from the Information Technology Division Head to particular standards if that would be in the bank's interest from a regulatory, financial or business-driven viewpoint.

Information Technology Division Head

The ONE Bank Information Technology Division Head is responsible for the timely release of new standards and updates to existing standards, and also for liaising with the policies, procedures and standards utility group. The Information Technology Division Head is also the first point of contact (along with Audit) for all security incidents and for investigating what actions should be taken to stop such incidents from recurring.

Network Manager

The ONE Bank Network Manager is responsible for the overall management of network resources such as the LAN, WAN and Corporate E-mail. He/she will also be responsible for establishing the Firewall and related software so as to protect Information Resources from external attack.

System Administrator

The ONE Bank System Administrator provides first-level services on operating systems such as Windows, Linux and UNIX. He/she will also provide user IDs and data access rights. He/she will be responsible for the monitoring of access violations and for access rights recertification to the application system resources.

Database Administrator

The ONE Bank Database Administrator is responsible for the installation, configuration and performance tuning of the database system. He/she is also responsible for publishing the backup and recovery strategy and for the overall management and monitoring of the storage system.

Data Center Manager

The ONE Bank Data Center Manager is responsible for the security of the data center and the overall management of data center resources and operations. He/she will also be responsible for ensuring the availability of the Disaster Recovery Site (DRS) in case of any failure at the production end.

Branch Managers, Other Divisional Heads and Employees

Managers and Divisional Heads will ensure that their employees have access to the information standards in a format that they understand, that they have read them, and that they are aware of the implications of non-compliance. All employees are required to understand and comply with all the information security standards. Failure to do so could result in disciplinary action, and in extreme cases dismissal and/or legal action.

Internal IT Auditor

The Internal IT Auditor will periodically visit key IT installations in the data center, disaster recovery site, branches, and head office to conduct IT audits. A team of IT experts will be working under the Internal IT Auditor.

Vendors, Subcontractors and Outsourcers

In the provision of Information Systems services, suppliers must comply with the ONE Bank Information Security Standards as they apply to hardware, software, and related procedures and processes. All supplier employees or their subcontractors working on ONE Bank projects are required to understand and comply with the ONE Bank Information Security Standards. Failure to do so will result in them being reported to their management for appropriate disciplinary action to be taken.

5. Physical Security:

Appropriate controls must be employed to protect physical access to resources, commensurate with the identified level of acceptable risk. These may range in scope and complexity from extensive security installations to protect a room or facility where server machines are located, to simple measures taken to protect a User's display screen. Physical access to information processing areas and their supporting infrastructure (communications, power, and environmental) must be controlled to prevent, detect, and minimize the effects of unintended access to these areas.

Control Standards - Data Center Physical Access

The information processed here is normally deemed critical to ONE Bank operations and is of a sensitive nature in terms of confidentiality. Correspondingly, access controls to the data center require a high level of personnel restriction and authentication to safeguard the information processed therein. Normal access control standards utilized within data centers should include:
- Card key access for authorized individuals to gain entrance.
- Logging of card key access use for audit trail purposes, retained for 12 months.
- A visitor access log to record non-Data Center personnel visits, including vendor, maintenance, and cleaning crew people. All visitors must be escorted while in the Data Center.
- All personnel should wear visible identification within the secure area and are encouraged to challenge strangers.
- Regular review by the Data Center Manager of the authorization list for Data Center access and of the Data Center Visitors Log.
- Personnel should be afforded access only when required and authorized.
- Photographic, recording or video equipment should not be allowed to be brought into the secure area unless authorized.
- Where possible, internal monitoring of data center activity (CCTV) by the Data Center Manager or by authorized personnel.
- Mobile phones with a built-in camera should not be allowed into the data center.
- Appropriate physical construction standards to discourage unauthorized access attempts, such as:
  - True floor-to-ceiling Data Center perimeter walls and, where appropriate, motion detectors in the surrounding areas to detect unauthorized access attempts.
  - Automatic door closers on all doors. Doors into the secure area should not be propped open at any time, unless a security guard is placed at the door.
  - The absence of entrance vulnerabilities such as windows or external hinges on entrance doors to the Data Center.
  - Data Centers should be sited away from Public Areas or direct approach by public vehicles.

ONE Bank Limited All Rights Reserved Page 6 of 28

Control Standards - Business Unit Network Server Physical Access

Local area networks (LANs) utilized by the business units to accomplish their functions should have the following physical access control standards applied:
- Network servers must be located in an area free from physical dangers (e.g., high traffic areas, water leaks, fire hazards, etc.).
- Access to the servers must be physically restricted to authorized personnel (network administrators) by locating them in a closed area (e.g., a locked office). Additionally, unauthorized system access via bypass booting of the server (to defeat password authentication) must be prevented.
- Software scheduled to be installed on the network server must be scanned for viruses on a separate machine before being loaded.
- All equipment should be maintained as defined in the manufacturer's guidelines.
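The data center standards above call for a card-key audit trail retained for 12 months, a visitor log with mandatory escort, and a regular review of the authorization list by the Data Center Manager. The following is an added example of what that review looks like when automated; it is not ONE Bank's code. The log formats, badge ids, names, and the authorization list are constructed for illustration, and a real badge system exports its own format.

```python
"""Review of data-center card-key and visitor logs against the authorization list.

Added example, not ONE Bank's code. The log formats, badge ids, names and the
authorization list are constructed for illustration; a real badge system
exports its own format and the reviewer adapts the parser to it.
"""
from datetime import datetime, timedelta

RETENTION = timedelta(days=365)   # policy: card-key audit trail retained for 12 months

# Constructed authorization list (badge id -> role).
AUTHORIZED = {
    "B1001": "Data Center Manager",
    "B1002": "Network Manager",
    "B1003": "System Administrator",
}

# Constructed card-key log, one "time,badge,door,result" record per line.
CARD_LOG = """\
2024-03-01T09:02:11,B1001,DC-MAIN,GRANTED
2024-03-01T09:05:40,B1003,DC-MAIN,GRANTED
2024-03-01T22:47:03,B2077,DC-MAIN,GRANTED
2024-03-02T03:15:22,B1002,DC-MAIN,DENIED
2023-01-15T10:00:00,B1001,DC-MAIN,GRANTED
"""

# Constructed visitor log, "time,visitor,company,escort badge" (escort may be blank).
VISITOR_LOG = """\
2024-03-01T11:00:00,J. Rahman,HVAC Vendor,B1001
2024-03-01T14:30:00,S. Karim,Cleaning Crew,
2024-03-02T09:15:00,T. Das,Printer Maintenance,B9999
"""


def parse_records(text, fields):
    """Split the constructed comma-separated log into dicts, parsing the timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(fields, line.split(",")))
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows


def review_card_log(log_text, authorized, now):
    """Findings for the Data Center Manager's regular review of the card-key log.

    unauthorized: badges granted entry that are not on the authorization list
    denied: badges refused at the door (worth a look if they belong to staff)
    beyond_retention: records older than 12 months, due for disposal
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = {"unauthorized": [], "denied": [], "beyond_retention": 0}
    for row in parse_records(log_text, ["time", "badge", "door", "result"]):
        if now - row["time"] > RETENTION:
            findings["beyond_retention"] += 1
            continue
        if row["result"] == "GRANTED" and row["badge"] not in authorized:
            findings["unauthorized"].append(row["badge"])
        elif row["result"] == "DENIED":
            findings["denied"].append(row["badge"])
    return findings


def review_visitor_log(log_text, authorized):
    """Every visitor must be escorted by authorized personnel; return the exceptions."""
    rows = parse_records(log_text, ["time", "visitor", "company", "escort"])
    return [r["visitor"] for r in rows if r["escort"] not in authorized]


if __name__ == "__main__":
    print(review_card_log(CARD_LOG, AUTHORIZED, "2024-03-03T00:00:00"))
    print(review_visitor_log(VISITOR_LOG, AUTHORIZED))
```

On the constructed input the review surfaces one badge (B2077) that was granted entry without being on the authorization list, one denied attempt by an authorized badge, one record past the 12-month retention period, and two visitor entries whose escort is either missing or not an authorized badge. The retention check deliberately runs first so that expired records are counted for disposal rather than re-examined.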

Control Standards - Business Unit End User Workstation Physical Access

- Workstations must be located in an area free from physical dangers (e.g., high traffic areas, water leaks, fire hazards, etc.).
- Workstations connected to the network must store sensitive information on file server drives and not on local drives.
- Information stored on floppy disks must be physically secured in a manner appropriate to its sensitivity level.
- Software to be used on the workstation must be scanned for viruses.
- All equipment should be maintained as defined in the manufacturer's guidelines.

Control Standards - End User Portable Laptop Computers Physical Access

Due to the high risk of loss arising from portability, laptop computers must be traceable to individual users, and sensitive data (to the extent possible) must NOT be stored on the unit's permanent disk drive.
- Portable laptop computers containing highly sensitive data (non-disclosure) must be protected using a PC Security/Disk Encryption Package.
- All portable laptops should be physically secured via an appropriate security device or locked away in a desk or cupboard during any period that the unit is left unattended (normal business hours inclusive).
- All portable computers that are used for company business must have a "Power-On" password set. The use of passwords must follow the guidelines specified in this document.
- When traveling, laptops and media should be carried as hand luggage and should not be left unattended in public places.
- All equipment should be maintained as defined in the manufacturer's guidelines.

Environmental Threats and Controls

Backup Power for Power Outage Situations

Server and network computer systems and their supporting infrastructure (air conditioning systems and security alarm systems where applicable) must have a dependable, consistent electrical power supply that is free from surges and interference that could affect operation of the equipment. Backup power is necessary to ensure that computer services are in a constant state of readiness and to help avoid damage to equipment if normal power is lost. A backup Uninterruptible Power Supply (UPS System) must be utilized for the computer systems and supporting equipment. Where appropriate, generators and batteries must also be employed to ensure survivability of operations. In areas susceptible to outages of more than 15 to 30 minutes, diesel generators are recommended. Backup power facilities must be regularly tested to ensure reliable functionality.

Emergency Power-off Switches

In data centers, emergency power-off switches that shut off all power supplies must be installed and be readily accessible, with posted notices showing their location. Where justified, the use of these switches must be protected against unauthorized physical access.

Emergency Lighting

In data centers and network server closed areas, automatic emergency lighting should be provided for use during power outages.

Water Sensors and Temperature/Humidity Alarms

The computer environment should be protected from all forms of water, temperature and humidity damage. Locations with the potential for water damage must be avoided when selecting information processing areas (e.g., locations below/around ground level, or those under sewer lines, showers, cafeterias, or similar facilities where water or drainage malfunctions could occur). In data center environments, sensors and alarms must be installed to monitor the environment surrounding the equipment to ensure that air, humidity and cooling water temperatures remain within the levels specified by equipment design. Water sensors should be placed in the floor and ceiling to ensure leakage detection. If proper conditions are not maintained, alarm systems should be configured to summon operations and maintenance personnel to correct the situation before a business interruption occurs.

Fire Detection and Suppression Controls

Measures should be taken to minimize the risks and effects of a fire occurring within the information processing areas, or spreading into these areas from an adjoining location. Hazardous and combustible material should be stored securely at a safe distance from the Data Center. Computer supplies, such as stationery, should not be stored within the computer room. The degree of automatic fire detection and suppression mechanisms deployed depends upon the criticality of the operation attributed to the information processing system. Data centers should have an approved inert-gas-based system and heat sensors installed, while closed-area network server rooms may only have smoke detectors and fire extinguishers. Regardless, fire detection and suppression mechanisms must be utilized in the information processing areas. Where possible, detection devices must notify appropriate personnel.

Site Construction Capabilities

The building which contains the information processing areas must minimally conform to local construction regulations, especially with regard to natural physical security threats (fire, flood, earthquake, hurricane, etc.). Selection of new sites must consider the presence of such threats and avoid high-risk conditions where possible.

6. Logical Security:

Computers must have the most recently available and appropriate software security patches, commensurate with the identified level of acceptable risk. For example, installations that allow unrestricted access to resources must be configured with extra care to minimize security risks. Adequate authentication and authorization functions must be provided, commensurate with appropriate use and the acceptable level of risk.

Attention must be given not only to large systems but also to smaller computers which, if compromised, could constitute a threat to bank resources, including computers maintained for a small group or for an individual's own use.

Identification and Authentication

Identification is the process of uniquely distinguishing one User from another to establish accountability. Authentication is the process of verifying the identity of a User. This can be accomplished by a password or PIN. The general requirements for Identification and Authentication are as follows:
1. Each User must be uniquely identified. For example, a user ID must not be assigned to more than one person.
2. A User should not be assigned more than one user ID on the same application.
3. Each User must be identified and authenticated before performing any actions on the system.
4. The authentication process must be limited to a number of unsuccessful attempts (maximum 3).
5. A user, user ID or account should not be able to log on to the same application/system more than once at the same time, i.e. multiple concurrent logons with the same ID.
6. Authentication information, e.g., password or PIN, must never be disclosed to another User or shared among Users.
7. Passwords should not be recorded where they may be easily obtained.
8. Passwords are required to be a minimum length of Eight (6) characters.
9. Passwords must contain at least one alphabetic and one numeric character.
10. Passwords must not be the same as the User identifier.
11. Passwords must not be easily guessable and must not be connected with the User in any way.
12. Users need to change passwords within 30 to 90 days.
13. Branch Managers, Department Heads, and Supervisors should notify the IT Manager promptly whenever an employee leaves the Bank or transfers to another department/division/branch so that his/her access can be revoked.
14. System administrators are responsible for publicizing the procedure for changing passwords.
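The requirements above are stated as policy; what they look like enforced in a logon routine is shown by the following added example, which is not ONE Bank's code. It models the lockout after three unsuccessful attempts (rule 4), the single-session-per-ID rule (rule 5), the password composition rules (8 to 11) and expiry (rule 12, taken here as the 90-day end of the 30-to-90-day window). The AccountStore class, the use of PBKDF2 from the Python standard library for password hashing, and the sample user "rahim" are assumptions made for this illustration.

```python
"""Logon controls for the Identification and Authentication requirements.

Added example, not ONE Bank's own code. It models rule 4 (lockout after 3
unsuccessful attempts), rule 5 (no concurrent logons with the same id), rules
8 to 11 (password composition) and rule 12 (expiry, taken here as 90 days).
The AccountStore class, the PBKDF2 hashing choice and the sample user are
assumptions made for this illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                  # rule 4
MIN_PASSWORD_LENGTH = 8                  # rule 8
MAX_PASSWORD_AGE = timedelta(days=90)    # rule 12 (upper bound of the 30-90 day window)


def check_password_policy(user_id, password):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than the minimum length")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("needs at least one letter and one digit")
    if password.lower() == user_id.lower():
        problems.append("same as the user identifier")
    elif user_id.lower() in password.lower():
        # Simple approximation of rule 11 ("not connected with the User in any way").
        problems.append("contains the user identifier")
    return problems


def _hash(password, salt):
    """PBKDF2-HMAC-SHA256 from the standard library (an assumption; any slow hash would do)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccountStore:
    """In-memory account records: one record per unique user id (rules 1 and 2)."""

    def __init__(self):
        self.accounts = {}

    def create(self, user_id, password, when):
        if user_id in self.accounts:
            raise ValueError("user id already assigned")
        problems = check_password_policy(user_id, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user_id] = {
            "salt": salt, "hash": _hash(password, salt), "password_set": when,
            "failed": 0, "locked": False, "logged_on": False,
        }

    def logon(self, user_id, password, when):
        """Return a status string suitable for the access log."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"
        if acct["locked"]:
            return "locked"
        if acct["logged_on"]:
            return "already-logged-on"          # rule 5: one session per id
        if not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_ATTEMPTS:
                acct["locked"] = True           # rule 4: third failure locks the account
                return "locked"
            return "denied"
        acct["failed"] = 0
        if when - acct["password_set"] > MAX_PASSWORD_AGE:
            return "password-expired"           # rule 12: change required before use
        acct["logged_on"] = True
        return "ok"

    def logoff(self, user_id):
        self.accounts[user_id]["logged_on"] = False

    def unlock(self, user_id):
        """Administrator action after rule 4 has locked an account."""
        self.accounts[user_id]["failed"] = 0
        self.accounts[user_id]["locked"] = False


def demo():
    """Walk a constructed account through the controls and return the observed statuses."""
    store = AccountStore()
    t0 = datetime(2024, 1, 1)
    store.create("rahim", "Teller2024", t0)
    seen = [store.logon("rahim", "wrong-1", t0),            # denied
            store.logon("rahim", "wrong-2", t0),            # denied
            store.logon("rahim", "wrong-3", t0),            # locked on the 3rd failure
            store.logon("rahim", "Teller2024", t0)]         # still locked, right password or not
    store.unlock("rahim")
    seen.append(store.logon("rahim", "Teller2024", t0 + timedelta(days=10)))   # ok
    seen.append(store.logon("rahim", "Teller2024", t0 + timedelta(days=10)))   # already-logged-on
    store.logoff("rahim")
    seen.append(store.logon("rahim", "Teller2024", t0 + timedelta(days=100)))  # password-expired
    return seen


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the lock is checked before the password is verified, so a locked account stays locked even when the correct password is presented, and the password comparison uses a constant-time digest comparison rather than `==`. The "connected with the User" rule is far broader than the substring check shown here; a real deployment would also reject names, employee numbers and similar identifiers drawn from the HR record.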

Data Integrity and Confidentiality

The goals of Data Integrity and Confidentiality are to ensure the continued availability and accessibility of information, to reduce the risk that data may become corrupted by an external influence such as a virus, and to ensure that client confidentiality is maintained at all times.

Virus Protection

Computer viruses are programs designed to make unauthorized changes to programs and data. Therefore, viruses can cause destruction of corporate resources. It is important to know that computer viruses are much easier to prevent than to cure; defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software. Virus prevention technology (e.g., virus scanning software) must be implemented for any platform susceptible to viruses. The following scanning procedures must be adhered to:
- Information Technology Division shall install and maintain appropriate antivirus software on all computers.
- IT division ensures that every day, at boot-up of the PC, memory and boot sector viruses will be scanned for. No files need to be scanned at this stage.
- IT division shall configure a Virus Shield to scan all accessed files (network, hard disk or floppy disk) whilst the operating system (e.g. Windows) is running.
- Employees shall not knowingly introduce a computer virus into Bank computers.
- Employees shall not load diskettes of unknown origin.
- Each user shall scan all files of the PC once a week.
- Laptop users should be able to break out of the weekly full file scan so that they can opt to run the scan when they are not using their internal batteries. Laptop users should be educated about the need to run a full virus scan at least once a week. If a user does break out of a full scan, the PC should continue to try and run a scan every time the PC is booted until a full scan has been completed.
- File Servers should be configured to scan all files on access.
- Weekly scans should be undertaken of all file server files.
- Laptop users should be notified by E-Mail whenever Virus Signature files need to be updated. The update process should be performed automatically when the Laptop is connected to the LAN.

Spyware Protection

Spyware and adware can compromise system performance and allow sensitive information to be transmitted outside the organization. Spyware installation programs can launch even when users are performing legitimate operations, such as installing a company-approved application. As a result, combating spyware requires user vigilance as well as IT management and control. The following control mechanisms must be adhered to:
- Information Technology division shall install and update appropriate anti-spyware software on all computers.
- IT division shall respond to all reports of spyware installation, remove spyware modules, restore system functionality, and document each incident.
- Employees shall not knowingly allow spyware to install on company computers.
- Employees shall run anti-spyware programs regularly, as directed by the IT division.

Data Encryption

Encryption is one of the most powerful methods of protecting data. It is the process of making readable information unreadable through a sophisticated mathematical conversion process. It is important for both data transmission and data storage. Encryption is critical for transmission whenever sensitive data is being transmitted over an insecure network such as the Internet. It is important for storage whenever the data is subject to compromise. It is wise to encrypt stored data when a machine is shared between multiple users and on laptops, which are often a target for thieves. Proven, standard algorithms such as DES, Blowfish, RSA, RCS and IDEA should be used as the basis for encryption technologies. Key length should be carefully evaluated in light of the algorithm in use and the value of the data or system being protected. Moreover, all encryption mechanisms implemented to comply with this policy must support a minimum industry-standard key length.

Information Disclosure The Bank reaffirms its commitment to transparency and accountability in all of its activities. Information concerning the Bank and its activities will be made available to the public in the absence of a compelling reason for confidentiality. Some restrictions on availability to the public of Bank information are necessary to ensure the effective functioning of the Bank and the need to avoid material harm to the business and competitive interests of the Bank's clients. General controls on information disclosure are as follows: Document s and information prepared by the Board of Directors, the management and staff (including consultants and advisors) of the Bank for internal use are confidential in nature and will not be made available to the Public. Privileged information such as legal advice and matters in legal dispute or under negotiation are confidential in nature and will not be made available to the public. The Bank receives some documents and information from outside parties with the explicit or implicit understanding that their distribution within the Bank will be limited, that they will not be disclosed outside of the Bank, or that they may not be disclosed outside of the Bank without the express consent of the source. The Bank will respect such understanding and act accordingly. Internal financial information which may affect the Banks activities in capital and financial markets or to which such markets may be sensitive, including, but not limited to, liquidity investments, estimates of future borrowings and redemptions of borrowings, expected rates of interest, rates of return and financial ratios, financial forecasts and models, and documents dealing with financial matters not yet approved by the corresponding Bank authorities shall not be made public. 
The Bank, as a financial institution promoting the development of and investment by private sector enterprises, has a duty to its clients to respect their confidential business information. Accordingly, financial, business or proprietary documents or information of private sector entities received by the Bank will not be disclosed, unless permission is given by those private sector entities to release such information to the public. The Bank will not disclose documents, reports or communications in circumstances where disclosure would violate applicable law, such as restrictions imposed by securities or banking laws, or could subject the Bank to undue litigation risk. Applications must be designed and computers must be used so as to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable policies. Users who are authorized to obtain data must ensure that it is protected to the extent required by policy after they obtain it. For example, when sensitive data is transferred from a well-secured server system to a User's location, adequate security measures must be in place at the destination computer to protect this "downstream data". 7. Email Security: Email is electronic mail, using computers to transmit messages via data communications to electronic "mailboxes". Email is corporate as set and critical component of Communication systems. The Email system is provided by the bank for employees to facilitate the performance of bank work and their contents are the property of the bank. Although the bank does not make a practice of monitoring these systems, management reserves the right to retrieve the contents for legitimate reasons, such as to find lost messages, to comply with investigations of wrongful acts or to recover from system failure. 
The following guidelines apply equally to all individuals granted access privileges to any ONE Bank information resource with the capacity to send, receive, or store electronic mail:

Personal use of email by employees is allowable but should not interfere or conflict with business use. Employees should exercise good judgment regarding the reasonableness of personal use.

Employees and authorized users are responsible for maintaining the security of their account and their password. They should change their password quarterly and take precautions to prevent unauthorized access to their mailbox by logging off when possible if their terminal is unattended.

Electronic mail users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of ONE Bank Limited or any unit of the Bank unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer will be included unless it is clear from the context that the author is not representing the Bank. An example of a simple disclaimer is: "The opinions expressed are my own, and not necessarily those of my employer."

Individuals must not send, forward or receive confidential or sensitive ONE Bank information through non-ONE Bank email accounts. Examples of non-ONE Bank email accounts include, but are not limited to, Hotmail, Yahoo Mail, AOL Mail, and email provided by other Internet Service Providers (ISPs).

The following activities are prohibited by policy:
Sending email that is intimidating or harassing.
Using email for conducting personal business.
Using email for purposes of political lobbying or campaigning.
Violating copyright laws by inappropriately distributing protected works.
Posing as anyone other than oneself when sending email, except when authorized to send messages for another when serving in an administrative support role.
The use of unauthorized email software.
Sending unsolicited messages to large groups except as required to conduct usual Bank business.
Sending excessively large messages.
Sending or forwarding email that is likely to contain computer viruses.

Sensitive information (client details and corporate confidential information) being sent via email should be sent as an attachment and not as part of the body of the message. Attachments including client or corporate sensitive information should be password protected. All messages which have attachments containing client or corporate sensitive information should be transmitted with the "Return Receipt" and "High" priority options set. Password-secured attachments should have their passwords transmitted to the recipient in a secure manner. The password should not be included as part of the message text or sent to a fax machine, but should ideally be telephoned through to the recipient in person. All passwords used for message encryption must follow the standards relating to password definition detailed earlier in this document.

The identity of the sender of an incoming message must be clearly established as trusted before the message is copied to any ONE Bank internal network. All incoming files must be specifically virus checked. For important items, the email must be acknowledged so that the sender can be assured that his/her email is not lost. While composing email, punctuation and spelling must be checked carefully as they reflect on the organization's reputation.

8. Internet Security:

The Internet provides a source of information that can benefit every professional discipline. It is comprised of thousands of interconnected networks which provide digital pathways to millions of information sites. Because these networks subscribe to a common set of standards and protocols, users have worldwide access to Internet hosts and their associated applications and databases.
Whereas the use of the Internet can boost employees' job efficiency and increase the Bank's performance, there are also risks of improper use of the Internet. This policy intends to provide employees with a guideline about which uses of the Internet are proper and which are improper. Internet facilities should be provided to limited personnel such as Branch Managers, Divisional Leads and officials specifically authorized by managers or divisional heads.

ONE Bank Limited provides computers and Internet connections ("facilities") to further its business interests. Use of such facilities other than for the Bank's business is strictly prohibited. The Bank has the right, but not the duty, to monitor all communications and downloads that pass through its facilities, at its sole discretion.

During working hours, access job-related information, as needed, to meet the requirements of the job. During working hours, participate in newsgroups, chat sessions, and email discussion groups (list servers), provided these sessions have a direct relationship to the user's job with the Division / Branch. If personal opinions are expressed, a disclaimer should be included stating that this is not an official position of the Division / Branch. Employees are prohibited from initiating non-work-related Internet sessions using the Bank's information resources.

Downloading a file from the Internet can bring viruses with it. Scan all downloaded files with the standard virus prevention software provided by the Information Technology Division. Unless otherwise noted, all software on the Internet should be considered copyrighted work. You may not download or use material from the Internet or elsewhere in violation of software licenses, or of copyright, trademark and patent laws. You may not install or use any software obtained over the Internet without written permission from the Systems Administrator.
If you observe or learn about a violation of this policy, you must report it immediately to your supervisor or to the Systems Administrator. All software used to access the Internet shall be configured to use the firewall HTTP proxy. No offensive or harassing material may be made available via ONE Bank's Web sites. No personal commercial advertising may be made available via ONE Bank's Web sites. Sensitive information such as passwords and credit card numbers should not be sent via the Internet unless encrypted.

9. Network Security:

The network security policy is intended to protect the integrity of Bank networks and to mitigate the risks and losses associated with security threats to Bank networks and network resources. Attacks and security incidents constitute a risk to the Bank's business mission. The Network Department of the Information Technology Division is responsible for the Bank's network infrastructure and will continue to manage further developments and enhancements to this infrastructure. The networking addresses for the supported protocols are allocated, registered and managed centrally by the Network Department of the Information Technology Division.

The Core Banking System (CBS) should run on a separate LAN and should not be mixed with the common LAN used for office work. Network managers will implement appropriate controls to ensure that connected users or computer services do not compromise the security of any other networked service. Network cabling should be installed and maintained by qualified engineers to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network wall sockets should be sealed off and their status formally noted.

The Network Manager is responsible for conducting periodic reviews of implemented security plans, measures, procedures and controls. The Network Manager must initiate an investigation of any suspected security breach of the Bank's network and is responsible for documenting the suspected breach and the actions taken. Network equipment must be kept in a locked environment, accessible only by authorized systems support personnel. Firewalls must be installed and configured. A proxy server must be installed and configured to allow users to surf the web and use email anonymously.

Users are permitted to use only those network addresses issued to them by the Network Department of the Information Technology Division. Users must not extend or re-transmit network services in any way. This means users must not install a router, switch or hub on the Bank's network without approval from the Network Department of the Information Technology Division. Users are not permitted to alter network hardware in any way. Users must not download, install or run security programs or utilities that reveal weaknesses in the security of the system. For example, users must not run password cracking programs, packet sniffers, network mapping tools, or port scanners while connected in any manner to the Bank's network infrastructure.

10. Disaster Recovery:

Disaster recovery and business continuity refer to an organization's ability to recover from a disaster and/or unexpected event and resume and continue operations. Organizations should have a plan in place (usually referred to as a "Disaster Recovery Plan" or "Business Continuity Plan") that outlines how this will be accomplished.

Disaster Recovery Plan

There must be a separate Disaster Recovery Site, other than the production site, which is at least 10 km away from the production site. The Information Technology Division should develop a comprehensive disaster recovery plan. The plan will cover the following:
1. Identification and prioritization of critical business processes.
2. Identification and agreement of all responsibilities and emergency arrangements for business continuity planning and recovery.
3. 'Call Tree' and contact details.
4. Documentation of workarounds (electronic and manual) and/or rectification procedures, and a linkage to any relevant reference material or documents.
5. Appropriate education of staff in the execution of the agreed emergency procedures and processes.
6. Checklists and procedure guidelines to assist various divisions and branches to recover from a crisis or disaster.
7. Testing of the plans.
8. Updating of the plans.

A formal risk assessment should be undertaken in order to determine the requirements for the disaster recovery plan.

The disaster recovery plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed. The disaster recovery plan should cover all essential and critical business activities. The disaster recovery plan is to be kept up to date to take into account changing circumstances. All staff must be made aware of the disaster recovery plan and their own roles within it.
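The plan-testing requirement above and the backup recoverability requirement in the Data Backup section that follows come down to the same drill: take a backup on its cycle, store a manifest of checksums with it, and periodically restore it somewhere harmless and compare. The script below is an added illustration written for this edition, not the Bank's own tooling. The daily/monthly/yearly tier rule (first run of the year is the yearly copy, first run of any other month the monthly copy, otherwise daily), the "cbs-" file naming and the sample CBS files are all assumptions constructed for the example.

```python
"""Backup rotation tiering and restore drill (added illustration, not the Bank's code).

Assumptions not stated in the policy: the first run of the year is the yearly
copy, the first run of any other month the monthly copy, everything else daily;
the sample "CBS" files used by run_drill() are constructed for the drill.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import date
from pathlib import Path


def _as_date(value) -> date:
    """Accept a date or an ISO string such as a scheduler would hand over."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def backup_tier(run_date) -> str:
    """Map a run date onto the daily/monthly/yearly cycle named in the policy."""
    run_date = _as_date(run_date)
    if run_date.month == 1 and run_date.day == 1:
        return "yearly"
    if run_date.day == 1:
        return "monthly"
    return "daily"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    """The manifest travels next to the archive and goes off-site with it."""
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source_dir: Path, dest_dir: Path, run_date) -> Path:
    """Archive source_dir and record per-file and whole-archive SHA-256 hashes."""
    run_date = _as_date(run_date)
    archive = dest_dir / f"cbs-{backup_tier(run_date)}-{run_date.isoformat()}.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            files[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    manifest = {"archive_sha256": sha256_of(archive), "files": files}
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive: Path) -> tuple:
    """Restore drill: check the archive hash, extract to scratch space, re-hash every file.

    Returns (ok, problems). A hash mismatch on the archive itself is reported
    before any extraction is attempted, since a damaged copy proves nothing.
    """
    manifest = json.loads(manifest_path(archive).read_text())
    if sha256_of(archive) != manifest["archive_sha256"]:
        return False, ["archive hash mismatch: media corruption or tampering"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):  # refuse traversal/links where supported
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"content mismatch after restore: {rel}")
    return not problems, problems


def run_drill() -> dict:
    """End-to-end drill on constructed data: a clean backup must verify,
    a damaged copy of the same archive must be rejected."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src, dst = work / "cbs", work / "backups"
        (src / "ledger").mkdir(parents=True)
        dst.mkdir()
        # Constructed sample files standing in for CBS data (not real records).
        (src / "ledger" / "accounts.csv").write_text("acct,balance\n1001,250.00\n")
        (src / "config.ini").write_text("[db]\nhost=cbs-db\n")

        archive = create_backup(src, dst, "2024-03-05")
        clean_ok, _ = verify_backup(archive)

        # Simulate bit-rot on the stored copy by appending a byte to the archive.
        with archive.open("ab") as fh:
            fh.write(b"\x00")
        corrupt_ok, problems = verify_backup(archive)

    return {"tier": backup_tier("2024-03-05"), "clean_ok": clean_ok,
            "corrupt_ok": corrupt_ok, "problems": problems}


if __name__ == "__main__":
    print(run_drill())
```

Run as a script it performs the drill on the constructed sample and prints the result. The point of keeping the manifest with the off-site copy is that a later restore test can tell a tape that was silently corrupted or altered from one that merely failed to extract, which is what "tested to ensure that they are recoverable" is asking for in practice.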

Data Backup

The goals of backup are to:
1. Ensure the continued availability and accessibility of information;
2. Minimize the cost of a disruption, e.g., operational error, disaster, or sabotage that causes damage to, or destruction of, information; and
3. Provide duplicate up-to-date information for recovery purposes with the same level of integrity and quality.

Backup copies of information must be stored off-site at a geographically separate and safe facility, far enough away from the main site that a disaster there is unlikely to affect the safe store. Where practical, at least one backup copy must remain on-site for time-critical delivery. The frequency and extent of backups must be in accordance with the importance of the information. The backup cycle might be a daily, monthly and yearly cycle. Tapes should be sent off-site as soon as possible after the backups have been taken, and NOT left on-site until the next day. When the technology used to process, store, or communicate information is changed, backup procedures must also be updated. Backups must be periodically tested to ensure that they are recoverable.

11. Change Request Management:

The Information Technology (IT) infrastructure at ONE Bank Limited is expanding and continuously becoming more complex. From time to time each Information Resources (IR) element requires an outage for planned upgrades, maintenance or fine-tuning. Additionally, unplanned outages may occur that may result in upgrades, maintenance or fine-tuning. As the interdependency between Information Resources grows, a strong change management process becomes essential. Managing these changes is a critical part of providing a robust and valuable IT infrastructure. The purpose of the Change Management Policy is to manage changes in a rational and predictable manner so that staff and clients can plan accordingly.
Every change to a ONE Bank Information Technology resource, such as operating systems, computing hardware, networks, and applications, is subject to the Change Management Policy and must follow the Change Management Procedures. A Change Management Committee will meet regularly to review change requests and to ensure that change reviews and communications are being satisfactorily performed.

A formal written change request must be submitted for all changes, both scheduled and unscheduled. All scheduled change requests must be submitted in accordance with the Change Management Procedures so that the Change Management Committee has time to review the request, determine and review potential failures, and make the decision to allow or delay the request. Each scheduled change request must receive formal Change Management Committee approval before proceeding with the change. The appointed leader of the Change Management Committee may deny a scheduled or unscheduled change for reasons including, but not limited to: inadequate planning, inadequate back-out plans, timing of the change that would negatively impact a key business process such as year-end accounting, or adequate resources not being readily available. Adequate resources may be a problem on weekends, holidays, or during special events.

A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not. A Change Management Log must be maintained for all changes. The log must contain, but is not limited to:
1. Date of submission and date of change
2. Owner and custodian contact information
3. Nature of the change
4. Indication of success or failure

The Help Desk must be notified of the status of all change requests. Changes must not be incorporated into the production environment unless a proper User Acceptance Test has been done. Testing should be done in a separate test environment. All software patches and upgrades supplied by a vendor must be deployed in the test environment prior to implementation in the production environment.

12. Hardware Management:

As hardware technology rapidly advances, it becomes increasingly important for the Bank to remain as up-to-date as possible. Although there may be some usefulness for legacy machines, computer systems older than three years should be seriously considered for replacement. Older systems are often more expensive in the long run than purchasing a new replacement machine, due to the cost of maintenance and the replacement of non-warranty parts.

Computer equipment is easily damaged, destroyed or rendered inoperable due to incorrect installation of hardware. Even the simplest modification may turn out to be an expensive disaster. Employees of the Bank must contact the Information Technology Division for all computer hardware changes. Information Technology staff will make every effort to repair broken or malfunctioning equipment on site at no expense to the Bank. If Information Technology staff are unable to repair equipment internally, they may choose either to send the component out for repair or to have someone come on site. If it is found to be "not economically feasible" to repair, the equipment needs to be replaced.

Any portable media, viz. flash drives, floppy drives, CD drives and DVD drives, should be disabled in the machines running CBS. In case of any need to use the above-mentioned media, prior written approval needs to be obtained from the Information Technology Division Head.

Although the difficulty or ease of an installation process may vary dramatically, the Information Technology staff are responsible for all installations. All information system hardware faults are to be reported promptly and recorded in a hardware fault register. Deliberate or accidental damage to Bank property must be reported to the nominated information technology personnel as soon as it is noticed. All hardware procurement must comply with the Procurement Policy of the Bank.

Adequate insurance coverage should be provided under the Bank's insurance policies so that the costs of loss and/or damage to IT hardware assets are minimized. Hardware documentation must be kept up-to-date and readily available to the staff who are authorized to support or maintain systems. A formal Hardware Inventory of all equipment is to be maintained and kept up to date at all times. Only authorized personnel are permitted to take equipment belonging to the organization off the premises; they are responsible for its security at all times. Equipment owned by the Bank may only be disposed of by authorized personnel who have ensured that the relevant security risks have been mitigated. Security issues to be considered include the following:
1. Legacy data from old systems can still remain accessible and thus compromise the confidentiality of information.
2. Equipment used periodically but infrequently may be disposed of accidentally.
3. During the legitimate disposal of unwanted equipment other items can be lost or stolen.
All equipment owned, leased or licensed by the Bank must be supported by appropriate maintenance facilities from qualified engineers.

13. System Development and Testing:

All in-house development and testing needs to be done according to the following procedure.

Project Initiation

A letter prepared by the user and duly signed by his division head / branch manager should be addressed to the department head of the IT Division for commencing any in-house software development project. The letter should be supplemented with:
Domain Overview: This should describe the procedures of the manual operations to be automated and the purpose of the activity.
Feature List: This should define the features and functionalities to be accommodated in the software.
Possible Inputs: This should give the input parameters and their data types, and any constraints regarding input.
Expected Output: Reports and other output formats should be specified here.
Related references (if any).

At this stage the Head of IT would designate a person to review the user requirements and decide about the feasibility of the project.

Development Tools Selection

Once the project is found to be feasible, the project development tools are decided.

Team Assignment

The Head of IT then assigns a team with members having knowledge of the tools. A team leader is also selected, preferably the one who did the initial feasibility survey and analysis of the project. If the project team consists of more than one person, the team members can be assigned specific jobs such as database developer, GUI builder, business logic developer and tester. It is suggested that if the project is not too small, the team should consist of at least two persons. The tester should not be a member of the development team but a separate entity. Any member of the development team can perform more than two roles at the same time except tester. A typical example for clarification is that Mr. X can be GUI Builder as well as Business Logic Developer for the same project but cannot be tester for that particular project.
Preliminary Analysis

The Project Head then calls a meeting with the relevant people (users) and, if necessary, the heads of the department(s) concerned to discuss the detailed requirements for the project. After the meeting the Project Head, with the help of the project team, would prepare a requirement analysis report. This document should include:
Project Overview: This should elaborate on the concept of the project in detail.
Functionality List: This should describe the functions, procedures and business logic of the project.
Sample Reports: If possible, the formats of all reports should be given.
Sample Screen Shots: Applicable for large projects but not mandatory if the time constraint is high.
Development Tools: This should elaborate on the DBMS, Report Designer and other tools to be used in the project.
Deployment Environment: This would provide the hardware, software and network requirements for deploying the project.
Risk Factors and Constraints: This list should elaborate on the weak points, dependencies and other causes that can hamper or stop the development of the project.

The Project Head would then go through the requirement analysis report with the users, discuss it with them, modify it if necessary after the users' feedback, and get it signed by the user and his department head.

Project Plan Preparation

Once this is done the PL would arrange another meeting with his team and prepare a project plan and schedule with a specific time frame. The plan and schedule should be approved by the IT Head. The project plan should have:
i) System Analysis phase
ii) System Development phase
iii) Coding phase
iv) Integration and Testing phase
The entire project should be broken down into smaller modules (which may be defined as jobs) and the schedule for each job should be detailed with the name of the person designated to accomplish the job.

System Design Documentation

This document would be used only for the internal purposes of the IT Division.
Since the Bank is not a software development firm, this documentation does not impose any rule and is not mandatory. Depending on the time constraint, the contents of the documents should be fixed. This documentation may include:
Use Case Diagram
Class Diagram
Database Schema
DFD
ERD
Data Dictionary

Coding

Software code and documents should be kept on a dedicated repository machine using Source Safe or CVS, and a common directory structure should be maintained in the following manner:
Project Name
    Docs (all documents related to the project)
    Design (all design docs, i.e. ER, DFD, class, use case, architectural)
    Development (all source code)
    Database (db-script and data-script)
    Misc (other documents, i.e. third party tools etc.)

A proprietary heading should be written at the top of all source pages. A sample is given below:
    Name of the File : [File Name with extension]
    Author : [Name of the programmer]
    Created On : [Date & Time]
    Change History
        Modified By : [Name of the Programmer]
        Modified On : [Date & Time]
        Modification Purpose
    Version No. : [Version No.]
    Purpose of the Module
    Copyright : ONE Bank Limited. All rights Reserved.
    Warning: This computer program is protected by copyright law and should be treated as confidential information. Unauthorized reproduction or distribution of this program, or any portion of it, may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under the law.

Proper inline documentation of the code should be done and is the responsibility of the programmer. If any modification is done in the code it should be reasonably detailed.

Testing

There should be three-step testing of the deliverable. These are:
Unit Test: This test is done by the developer and should be completed before the Integration Test and UAT.
Integration Test: The designated tester would be responsible for this job. He should prepare a bug list and forward it to the Project Head. The Project Head then assigns someone among the developers to fix the bug. After the bug is fixed it is retested by the tester. If the tester is satisfied he should inform the Project Head. A sample bug list is given below:

Sl. No. | Description | Scenario | Report Date | Severity (1-5) | Bug Fixer | Status | Fix Date

UAT

UAT should be done by the user with the assistance of the developers. Once he is satisfied he should recommend to his department head that the project be signed off.

Data Migration

The IT Department would be responsible for creating the data conversion scripts, but users must provide correct data so that it can be flawlessly accommodated in the new database.

Backup Policy

The source code of the project should be updated on a weekly basis into the repository, and other documents on a monthly basis.

Deployment

Once the UAT is over, a copy of the software (only executables) is installed on the production machine after all required environmental setup. Managing the environment (hardware and third party software) is the users' responsibility, and configuring the hardware, installing the third party software (OS, DBMS etc.) and the developed software is the responsibility of the IT Division. A document detailing the environment prerequisites for installation should be specified and provided to the user.

Security Measures

i) A dedicated machine should be used as the software code and documentation repository.
ii) Visual Source Safe (VSS) or CVS should be used to control the development of the project.
iii) VSS domain users should be created. Developers should be authorized with read and write permission only.
iv) After project deployment, write permission should be withdrawn for developers.
v) No copy of the software can be made except for the purpose of development.
vi) After development of the software, all copies except the backup kept in the repository and the production copy should be deleted from the repository.
vii) There should be a single exit point for copying the software.
viii) All code and documentation should have one printed copy (hard copy), which must be kept under the direct supervision of the Head of the IT Division.

14. Internet Banking:

Through Internet Banking our customers will have access to the environment of our Core Banking System; therefore, the System Administrator will put in place appropriate controls to protect the network and systems from unauthorized access, fraudulent activity, contract dispute and unapproved disclosure/modification of information / instructions passing over public networks. The controlling measures will cover the following:

The Network and Database Administrators of the Information Technology Division will be responsible for the security of the Bank's Internet Banking application software. The Information Technology Division will introduce logical access controls to data, systems, application software, databases, utilities, telecommunication lines, etc. Logical access control techniques should include user IDs, passwords, biometric technologies or other industry standards. The Network and Database Administrators will ensure real-time security logging to identify/prevent unauthorized access.

The Network Administrator will introduce technology security protocols for Internet Banking solutions such as PKI (Public Key Infrastructure), SSL (Secure Sockets Layer), 2-FA (Two Factor Authentication), RSA, VASCO etc., as applicable and feasible.

The Network Administrator will be responsible for acquiring, with due approval, tools for monitoring the systems and networks against intrusions and attacks. The Information Security Officer, System Auditor or any other official entrusted with similar responsibility will carry out the following periodic tests on an ongoing basis at a frequency approved by the Head of the Information Technology Division:
a) Attempting to guess passwords using password-cracking tools.
b) Searching for back door traps in the programs.
c) Attempting to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks.
d) Checking for commonly known holes in the software, especially the browser and the email software.
e) Checking the weaknesses of the infrastructure and taking control of ports.
The Information Technology Division will keep proper records of all application software for legal purposes.

The Information Technology Division will ensure that the security infrastructure is in place before using the systems and applications for normal operations. The Division will also, from time to time, upgrade the systems by installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions to ensure better security and control.

15. Service Provider Management:

The IT Division should perform appropriate due diligence before selecting or contracting with a service provider in respect of security breaches, confidentiality, legal terms and conditions, business risk assessment, etc. Country risk and choice of governing law will have to be considered in addition to the above while contracting with a foreign service provider.

Third-party service providers must be aware of and comply with this security standard. A service level agreement must be completed and executed prior to the commencement of the work.

16. Training:

Each employee should be aware of this Information Security Guideline. Formal training on Information Security will have to be given to all staff. Periodic training for the IT security staff is to be prioritized to educate and train them in the latest threats and Information Security techniques. All new staff are to receive mandatory Information Security awareness training as part of induction.

17. Internal IT Audit:

Internal Audit should have sufficient IT resources capable of conducting IT audits. An IT audit should be conducted at least annually to ensure compliance with this policy. The report must be preserved for future reference.

18. Disciplinary Actions:

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of ONE Bank Information Resources access privileges, and to civil and criminal prosecution.

19. Green Banking

We, at ONE Bank, are responsible corporate citizens. We believe that every small 'GREEN' step taken today would go a long way in building a greener future and that each one of us can work towards a better global environment. Environmental concern is at the centre of the Green Banking strategy. An increasing number of banks are strengthening green banking activities by launching environment-friendly initiatives and providing innovative green products. As an environmentally responsible Bank, some of our Green Banking initiatives are as follows:
Initiating in-house Environment Management Training and environment-friendly activities for employees to make them environmentally concerned.
Adherence to Environmental Risk Management guidelines.
Introduction of green banking products and services.
Financing green projects.
Building awareness and providing support to customers to be more environmentally responsible.
Supporting environment-friendly initiatives as a part of CSR activities.
Forming alliances with NGOs or other environment-focused organizations for our green banking activities.

Benefits of Emerging Technology

The emerging Information and Communication Technologies (ICT) and E-business can add value through knowledge management, as it helps to deliver new services to customers. Successful e-business depends on the sharing of strategic knowledge, which requires dissemination of information and a free flow of knowledge around the globe. Online banking can provide twenty-four-hour banking facilities. Through electronic data interchange, customers are able to draw money from one branch to another. Letters of credit can be sent through SWIFT, and electronic fund transfer from one country to another is feasible. Online banking provides faster, more reliable services. Encryption and decryption can be used to send money from one place to another. As such, online bank management handles customers in a far better way.

Benefits to the Nation

Increased productivity: Rapid mobilization of funds through emerging Information and Communication Technologies and e-banking can ensure increased productivity of the economy and proper use of resources.

Contribution to GDP: Banks, within a national economy, work towards building national capital, increasing national savings and mobilizing investments in trade and industry.

Infrastructure development: Banks providing technical services and e-banking services are developing their own infrastructure, so the government faces a comparatively smaller burden for infrastructure development.

Facilitating international trade: Banks provide immense banking facilities for international trade, especially in the readymade garments, frozen shrimp, jute and pharmaceuticals sectors.

Job creation: Unemployment is a great threat to development; IT development in banking is creating new types of jobs such as system analyst, data control manager, etc.

Industrial development: Through rapid mobilization of savings and facilitation of export and import, e-banking is contributing to the faster development of Bangladesh.

Benefits to Banks

Profit maximization: E-banking leads to lower costs for the banks and also ensures better profit from innovative products in this area, thus helping banks to maximize the profit of the owners.

Expand beyond geographic reach: ICT and e-banking enable banks to expand their services beyond their geographic reach, thus becoming internationally competitive.

Rapid growth: Banks providing innovative and fast e-banking services will experience rapid growth in this industry, increase their customer base and become a brand name in the banking industry.

Cut down cost: Information systems and e-banking services cost less to provide than manual services. They also reduce maintenance costs for bankers.

Benefits to Customers

Time savings: The main benefit from the bank customers' point of view was the significant saving of time through the automation of banking service processing and the introduction of easy-to-maintain tools for managing customers' money. The main benefits of e-banking were as follows:

Continuous access to account information: Customers can access their account information at any time, 24 hours a day, 7 days a week.

No physical interaction required: Customers do not need to be physically present to transact, and so find it convenient to transact.

Better cash management: Much better cash management can be ensured through new ICT and e-banking, as cash can be made easily available.

Reduced costs: This was in terms of the cost of availing and using the various banking products and services.

Convenience: All banking transactions can be performed from the comfort of the home or office, or from wherever a customer wants.

Speed: The response of the medium was very fast; therefore customers actually waited till the last minute before concluding a fund transfer.

Reduced risk: As cash can be transacted without physical appearance and can be moved with the help of a credit card or smart card, it is less risky.

In Bangladesh most business organizations are run in a centralized manner. As such, the visions, missions and goals of the top management of various organizations are very important. Top management should change their mindset and, like Bangladesh Bank, should encourage e-business processes. Top management views are reflected in mid-level and lower-level management. Unfortunately, most e-business efforts fail because of non-performing visions, missions, goals and tactics in the business processes of the organization.

Conclusion

This study aims to develop a framework for best practice in ICT projects for knowledge sharing in development. It begins with a discussion of the role of ICTs in development and a review of literature about connecting the first mile. It suggests that findings are polarized around key debates:

- Top-down versus participatory solutions to development problems
- Global versus local solutions
- Technological versus social solutions
- Optimism versus pessimism about the role of ICTs in development

The study situates Practical Action's perspective in the context of those debates and identifies the success factors highlighted in the literature. These can be divided into three dimensions: the environment, the project level and the first mile. For each of the success factors, the framework outlines activities that constitute best practice.

The security of a system is the extent of its protection against unwanted occurrences such as invasion of privacy, theft, corruption of information or physical damage. As this system is delivered over the internet, there is a significant risk of it being hacked. Current browsers counter security threats with a network communication protocol called Secure Sockets Layer (SSL). SSL is a set of rules that tells computers the steps to take to improve the security level of the communication.

Significant factors to address at the environmental level are the policy environment, infrastructure limitations, building a good relationship with donors and communicating project progress. At the project level, success factors are identified as: starting from communities' development priorities; planning projects effectively; learning from monitoring and evaluation; forging strong partnerships; developing a sustainable business model; and building capacity among all partners to deliver.
The study concludes with suggestions for further research, which include testing the framework against a sample of case studies, and offers reflections on the application of the framework in the context of research into ICTs for development.

The Common Problems Dealt with by One Bank Limited in ICT:

- Incompatible software: update the system or consult IT help.
- Mistyping the text: this is of two types: transcription (using the wrong letter, e.g. typing "gat" instead of "hat") or transposition, which is flipping two letters around (e.g. typing "aht" instead of "hat").
- Not understanding how to use it / inexperience: up-to-the-mark training programs for related personnel.
- Preparing a shift schedule: One Bank has a well-established schedule in place.
- Software crash: use backups and a variety of storage devices, i.e. memory stick, CD-ROM.
- Health problems (e.g. shoulder strain, RSI, eye strain): One Bank allows greater flexibility and regular breaks every few hours.
- Data-entry errors: when entering data into a table or a spreadsheet, information often gets missed out or typed incorrectly. One Bank combats this using a variety of validations, e.g. lookups, type checks, input masks, etc.

Numerous problems have been identified from the field survey of the online banking system in Bangladesh. Some of them are as follows:

- Limited number of branches.
- Lack of a proper strategic plan to gain and retain market share.
- Lack of international-standard communication channels.
- High cost of establishing an online banking system.
- Inadequate back-office and front-office management.
- Lack of an integrated plan among the banks and the Central Bank authority.
- Inefficient clearing house facilities.
- Inappropriate software and little trust by the bank authorities in local software.
- Bias of bank management towards foreign software.
- Unavailability of locally produced software.
- Legal barriers and the lack of an appropriate policy framework.

- Most customers taking banking services are not able to bear the cost of additional equipment such as computers, computer accessories, Internet access, etc. at their own organization or at home.
- Biometrics should be strengthened further.
- Using Internet facilities is still very costly, and people have little knowledge of operating computers.
- A few cyber cafés are available, but customers do not feel safe using these facilities for banking purposes.

As a result, the total number of customers who are accustomed to online banking systems is limited. Nevertheless, investment in establishing e-banking facilities still seems profitable.
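The data-entry validations named in the list of common problems above (lookups, type checks, input masks) are easy to show concretely. The following is an added Python example, not One Bank's own code: it validates constructed transaction-entry records against a lookup table of branch codes, a type check on the amount and an input mask on the account number, and adds a mod-10 (Luhn) check digit, which is the standard way to reject exactly the transcription and transposition typing errors ("gat" for "hat", "aht" for "hat") that the same list describes. The field names, branch codes, account-number format, amount limit and sample records are all assumptions made for this example.

```python
"""Data-entry validation: lookups, type checks, input masks and a check digit.

Added illustration, not One Bank's own code. The field names, branch codes,
account-number format, amount limit and sample records are constructed.
"""
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Lookup tables (assumed reference data, not the bank's real lists).
VALID_BRANCH_CODES = {"001", "002", "014", "027"}
TXN_TYPES = {"DEP", "WDR", "TRF"}

# Input mask: assumed account format of 12 digits plus one trailing check digit.
ACCOUNT_MASK = re.compile(r"^\d{13}$")

# Upper bound on a single keyed entry (assumed business rule).
MAX_AMOUNT = Decimal("1000000000.00")


def luhn_check_digit(payload: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits.

    Any single mistyped digit and any adjacent transposition except 09 <-> 90
    changes the check digit, so such typing errors are rejected on entry.
    """
    total = 0
    # Walk from the rightmost payload digit and double every second digit.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the digits before it."""
    return luhn_check_digit(number[:-1]) == number[-1]


def validate_entry(entry: Dict[str, str]) -> List[str]:
    """Return the validation errors for one keyed record; an empty list means clean."""
    errors: List[str] = []

    # Lookup checks: coded fields must come from the reference tables.
    if entry.get("branch") not in VALID_BRANCH_CODES:
        errors.append(f"branch: unknown branch code {entry.get('branch')!r}")
    if entry.get("txn_type") not in TXN_TYPES:
        errors.append(f"txn_type: unknown transaction type {entry.get('txn_type')!r}")

    # Input mask first (shape of the field), then the check digit (its content).
    account = str(entry.get("account", ""))
    if not ACCOUNT_MASK.match(account):
        errors.append("account: must be exactly 13 digits")
    elif not luhn_valid(account):
        errors.append("account: check digit mismatch (possible typing error)")

    # Type check: the amount must parse as a finite, positive decimal within the
    # limit and with at most two decimal places.
    try:
        amount = Decimal(str(entry.get("amount", "")))
    except InvalidOperation:
        errors.append("amount: not a number")
    else:
        if not amount.is_finite() or amount <= 0:
            errors.append("amount: must be a positive number")
        elif amount > MAX_AMOUNT:
            errors.append("amount: exceeds the single-entry limit")
        elif amount != amount.quantize(Decimal("0.01")):
            errors.append("amount: more than two decimal places")
    return errors


def validate_batch(entries: List[Dict[str, str]]) -> List[List[str]]:
    """Validate a batch of keyed records, one error list per record."""
    return [validate_entry(e) for e in entries]


# Constructed sample records. Account 1234567890128 carries a correct check digit;
# the next two contain a transposition (..21..) and a transcription (..17..) error.
SAMPLE_ENTRIES = [
    {"branch": "014", "txn_type": "DEP", "account": "1234567890128", "amount": "2500.00"},
    {"branch": "014", "txn_type": "DEP", "account": "1234567890218", "amount": "2500.00"},
    {"branch": "014", "txn_type": "DEP", "account": "1234567890178", "amount": "2500.00"},
    {"branch": "099", "txn_type": "DPE", "account": "12345", "amount": "25OO"},
]

if __name__ == "__main__":
    for entry, errs in zip(SAMPLE_ENTRIES, validate_batch(SAMPLE_ENTRIES)):
        print(entry["account"], "OK" if not errs else "; ".join(errs))
```

The order of checks matters: the mask runs before the check digit so that a malformed value is reported once rather than twice, and the numeric checks only run once the value has parsed. Lookups and masks catch wrong-domain and wrong-shape input; only the check digit catches a value that is the right shape but one keystroke away from the intended one, which is the "aht" for "hat" class of error the text singles out.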