In its June 2, 2016 notification, RBI has issued new cybersecurity guidelines, which says that scheduled commercial banks (private, foreign and nationalized banks listed in the schedule of RBI Act, 1934) must proactively create or modify their policies, procedures and technologies based on new security developments and concerns. As per RBI, use of information technology and their constituents has grown rapidly and is now an integral part of banks' operational strategies; hence the need for a board-approved cyber-security policy.


As per the guidelines, Banks should immediately put a cyber security policy, separate from their IT policy, and get it approved by board. Banks need to send a confirmation to RBI, at the earliest, and in any case not later than September 30, 2016.

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

8 Key Takeaways From RBI Cyber Security Guidelines

Within this notification, RBI asks banks to immediately put in place a cybersecurity policy duly approved by their board, containing an appropriate approach to combat cyber threats. Some of the key takeaways from the report are as following:

  • Cybersecurity policy to be distinct from the broader IT policy/IS security policy of a bank

  • Need of a board approved cyber security policy, which needs to be confirmed to RBI by September 30, 2016

  • SOC (Security Operations Centre) needs to be in place at the earliest (if not already in place) and arrangements need to be made for continuous surveillance

  • A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy

  • Cyber security preparedness indicators to assess the level of risk/preparedness

  • Sharing of information on cyber-security incidents with RBI
  • Supervisory Reporting framework to collect both summary level information as well as details on information security incidents including cyber-incidents (is a template provided, if yes mention it)

  • Cyber-security awareness among stakeholders / Top Management / Board


This notification has got attentions of CISOs across banking sector as well as others. In response to this notification, some security practitioners say that taking boards’ cognizance while drafting security policy is going to be a challenging task. Because board members may not be very inclined to know about the security and technical  information, therefore translating security information in business terms will be a challenging task. – plz check

RBI has listed 24 requirements which should be put in place by banks to achieve baseline cyber security and resilience requirements. They are mentioned below:

( Read More: 9 Top Features To Look For In Next Generation Firewall (NGFW) )

Baseline Controls

  1. Inventory Management of Business IT Assets
  2. Preventing execution of unauthorized software

  3. Environmental Controls - for securing location of critical assets providing protection from natural and man-made threats, and mechanisms for monitoring of breaches / compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access logs, etc.

  4. Network Management and Security
  5. Secure Configuration

  6. Application Security Life Cycle (ASLC)

  7. Patch/Vulnerability & Change Management

  8. User Access Control / Management

  9. Authentication Framework for Customers

  10. Secure mail and messaging systems

  11. Vendor Risk Management

  12. Removable Media

  13. Advanced Real-time Threat Defence and Management

  14. Anti-Phishing

  15. Data Leak prevention strategy

  16. Maintenance, Monitoring, and Analysis of Audit Logs

  17. Audit Log settings

  18. Vulnerability assessment and Penetration Test and Red Team Exercises

  19. Incident Response & Management

  20. Risk based transaction monitoring

  21. Metrics

  22. Forensics

  23. User / Employee/ Management Awareness

  24. Customer Education and Awareness

As per the framework, Banks should set up and operationalize cyber security operation center (C-SOC). Because threats are changing rapidly, and reactive methodology which can deal with known threats, will not work here. So, banks should adopt for proactive methodology to deal with the unknown threats.

To help banks strengthen their cybersecurity initiatives, and cyber security preparedness RBI has also set up its new IT subsidiary, appointing a new CEO Nandkumar Sarvade, retired IPS officer and an expert in bank fraud and terrorism cases.

Want To Join Top Banks and Implement The Mandatory RBI Cyber Security Framework? Click Here To Show Interest


E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa