In its June 2, 2016 notification, RBI issued new cybersecurity guidelines, which say that scheduled commercial banks (private, foreign and nationalized banks listed in the schedule of the RBI Act, 1934) must proactively create or modify their policies, procedures and technologies based on new security developments and concerns. As per RBI, use of information technology by banks and their constituents has grown rapidly and is now an integral part of banks' operational strategies; hence the need for a board-approved cyber-security policy.
As per the guidelines, banks should immediately put in place a cyber security policy, separate from their IT policy, and get it approved by the board. Banks need to send a confirmation to RBI at the earliest, and in any case not later than September 30, 2016.
8 Key Takeaways From RBI Cyber Security Guidelines
Within this notification, RBI asks banks to immediately put in place a cybersecurity policy duly approved by their board, containing an appropriate approach to combat cyber threats. Some of the key takeaways from the notification are as follows:
- Cybersecurity policy to be distinct from the broader IT policy/IS security policy of a bank
- Need of a board approved cyber security policy, which needs to be confirmed to RBI by September 30, 2016
- SOC (Security Operations Centre) needs to be in place at the earliest (if not already in place) and arrangements need to be made for continuous surveillance
- A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy
- Cyber security preparedness indicators to assess the level of risk/preparedness
- Sharing of information on cyber-security incidents with RBI
- Supervisory Reporting framework to collect both summary level information as well as details on information security incidents including cyber-incidents
- Cyber-security awareness among stakeholders / Top Management / Board
This notification has got the attention of CISOs across the banking sector and beyond. In response to it, some security practitioners say that bringing the board into the drafting of the security policy is going to be a challenging task: board members may not be very inclined to learn about security and technical information, so translating security information into business terms will be difficult.
RBI has listed 24 requirements which should be put in place by banks to achieve baseline cyber security and resilience requirements. They are mentioned below:
- Inventory Management of Business IT Assets
- Preventing execution of unauthorized software
- Environmental Controls - for securing location of critical assets providing protection from natural and man-made threats, and mechanisms for monitoring of breaches / compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access logs, etc.
- Network Management and Security
- Secure Configuration
- Application Security Life Cycle (ASLC)
- Patch/Vulnerability & Change Management
- User Access Control / Management
- Authentication Framework for Customers
- Secure mail and messaging systems
- Vendor Risk Management
- Removable Media
- Advanced Real-time Threat Defence and Management
- Data Leak prevention strategy
- Maintenance, Monitoring, and Analysis of Audit Logs
- Audit Log settings
- Vulnerability assessment and Penetration Test and Red Team Exercises
- Incident Response & Management
- Risk based transaction monitoring
- User / Employee/ Management Awareness
- Customer Education and Awareness
As per the framework, banks should set up and operationalize a cyber security operation center (C-SOC). Because threats are changing rapidly, a reactive methodology, which can deal only with known threats, will not work here. Banks should therefore adopt a proactive methodology to deal with unknown threats.
To help banks strengthen their cybersecurity initiatives and cyber security preparedness, RBI has also set up a new IT subsidiary and appointed as its CEO Nandkumar Sarvade, a retired IPS officer and an expert in bank fraud and terrorism cases.