sample - All Articles - CISO Platform
2024-03-29T11:27:11Z
https://www.cisoplatform.com/profiles/blogs/feed/tag/sample

Cybersecurity Policy for the Banks | RBI Cyber Security Framework – Key Takeaways
https://www.cisoplatform.com/profiles/blogs/rbi-cyber-security-framework-key-takeaways
2016-07-26T18:30:00.000Z
Amit, CISO Platform
https://www.cisoplatform.com/members/AmitCISOPlatform

<div>
<p align="center" style="text-align:left;"><span class="font-size-3">In its June 2, 2016 notification, RBI issued new <a href="https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10435&Mode=0" target="_blank">cybersecurity guidelines</a>, which say that scheduled commercial banks (private, foreign and nationalized banks listed in the schedule of the RBI Act, 1934) must proactively create or modify their policies, procedures and technologies based on new security developments and concerns. As per RBI, the use of information technology and its constituents has grown rapidly and is now an integral part of banks' operational strategies; hence the need for a board-approved cyber-security policy.</span></p>
<p style="text-align:left;"><span class="font-size-3">As per the guidelines, banks should immediately put in place a cyber security policy, separate from their IT policy, and get it approved by the board. Banks need to send a confirmation to RBI at the earliest, and in any case not later than September 30, 2016.</span></p>
<p style="text-align:left;"><span class="font-size-5"><b>8 Key Takeaways From RBI Cyber Security Guidelines</b></span></p>
<p style="text-align:left;"><span class="font-size-3">Within this notification, RBI asks banks to immediately put in place a cybersecurity policy duly approved by their board, containing an appropriate approach to combat cyber threats. Some of the key takeaways from the report are as follows:</span></p>
<ul style="text-align:left;">
<li><span class="font-size-3"><b>Cybersecurity policy to be distinct from the broader IT policy/IS security policy</b> of a bank</span></li>
<li><span class="font-size-3">Need for a <b>board-approved cyber security policy</b>, which needs to be confirmed to RBI by September 30, 2016</span></li>
<li><span class="font-size-3">SOC (Security Operations Centre) needs to be in place at the earliest (if not already in place) and <b>arrangements need to be made for continuous surveillance</b></span></li>
<li><span class="font-size-3">A <b>Cyber Crisis Management Plan (CCMP)</b> should be evolved immediately and should be a part of the overall board-approved strategy</span></li>
<li><span class="font-size-3"><b>Cyber security preparedness indicators</b> to assess the level of risk/preparedness</span></li>
<li><span class="font-size-3">Sharing of information on cyber-security incidents with RBI</span></li>
<li><span class="font-size-3"><b>Supervisory reporting framework</b> to collect both summary-level information and details on information security incidents, including cyber-incidents</span></li>
<li><span class="font-size-3"><b>Cyber-security awareness among stakeholders / top management / board</b></span></li>
</ul>
<p style="text-align:left;"><span class="font-size-3">This notification has caught the attention of CISOs across the banking sector as well as others. In response to it, some security practitioners say that securing the board's cognizance while drafting the security policy is going to be a challenging task: board members may not be very inclined to engage with security and technical information, so translating security information into business terms will be a challenge.</span></p>
<p style="text-align:left;"><span class="font-size-3">RBI has listed 24 requirements which banks should put in place to achieve baseline cyber security and resilience. They are mentioned below:</span></p>
<p style="text-align:left;"><span class="font-size-3"><b><span class="font-size-5">Baseline Controls</span></b></span></p>
<ol>
<li><span class="font-size-3">Inventory Management of Business IT Assets</span></li>
<li><span class="font-size-3">Preventing execution of unauthorized software</span></li>
<li><span class="font-size-3">Environmental Controls: securing the location of critical assets, providing protection from natural and man-made threats, and mechanisms for monitoring breaches / compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access logs, etc.</span></li>
<li><span class="font-size-3">Network Management and Security</span></li>
<li><span class="font-size-3">Secure Configuration</span></li>
<li><span class="font-size-3">Application Security Life Cycle (ASLC)</span></li>
<li><span class="font-size-3">Patch/Vulnerability &amp; Change Management</span></li>
<li><span class="font-size-3">User Access Control / Management</span></li>
<li><span class="font-size-3">Authentication Framework for Customers</span></li>
<li><span class="font-size-3">Secure mail and messaging systems</span></li>
<li><span class="font-size-3">Vendor Risk Management</span></li>
<li><span class="font-size-3">Removable Media</span></li>
<li><span class="font-size-3">Advanced Real-time Threat Defence and Management</span></li>
<li><span class="font-size-3">Anti-Phishing</span></li>
<li><span class="font-size-3">Data Leak Prevention strategy</span></li>
<li><span class="font-size-3">Maintenance, Monitoring, and Analysis of Audit Logs</span></li>
<li><span class="font-size-3">Audit Log settings</span></li>
<li><span class="font-size-3">Vulnerability Assessment, Penetration Test and Red Team Exercises</span></li>
<li><span class="font-size-3">Incident Response &amp; Management</span></li>
<li><span class="font-size-3">Risk-based transaction monitoring</span></li>
<li><span class="font-size-3">Metrics</span></li>
<li><span class="font-size-3">Forensics</span></li>
<li><span class="font-size-3">User / Employee / Management Awareness</span></li>
<li><span class="font-size-3">Customer Education and Awareness</span></li>
</ol>
<p style="text-align:left;"><span class="font-size-3">As per the framework, banks should set up and operationalize a Cyber Security Operations Centre (C-SOC). Because threats are changing rapidly, a reactive methodology, which can deal only with known threats, will not work here; banks should adopt a proactive methodology to deal with unknown threats.</span></p>
<p style="text-align:left;"><span class="font-size-3">To help banks strengthen their cybersecurity initiatives and cyber security preparedness, RBI has also set up a new IT subsidiary, appointing as its CEO Nandkumar Sarvade, a retired IPS officer and an expert in bank fraud and terrorism cases.</span></p>
</div>