Top Learning from RBI & SEBI Cyber Security Framework Circular

RBI & SEBI has recently notified the Banks and Stock Brokers/Depository Participants and published a cyber security framework to be deployed. Here is a consolidated learning compiled by us and you can also access the detailed frameworks from here

>> Access The RBI & SEBI Cyber Security Frameworks for Ba...

Top Learning From RBI Cyber Security Framework For Banks

Cyber Security Policy to be distinct from the broader IT policy / IS Security Policy of a bank
Arrangement for continuous surveillance
IT architecture should be conducive to security
Comprehensively address network and database security
Ensuring Protection of customer information
Cyber Crisis Management Plan
Cyber security preparedness indicators
Sharing of information on cyber-security incidents with RBI
Supervisory Reporting framework
An immediate assessment of gaps in preparedness to be reported to RBI
Organisational arrangements
Cyber-security awareness among stakeholders / Top Management / Board

Baseline Cyber Security and Resilience Requirements

Baseline Controls

Inventory Management of Business IT Assets
Preventing execution of unauthorised software
Environmental Controls
Network Management and Security
Secure Configuration
Application Security Life Cycle (ASLC)
Patch/Vulnerability & Change Management
User Access Control / Management
Authentication Framework for Customers
Secure mail and messaging systems
Vendor Risk Management
Removable Media
Advanced Real-time Threat Defence and Management
Anti-Phishing
Data Leak prevention strategy
Maintenance, Monitoring, and Analysis of Audit Logs
Audit Log settings
Vulnerability assessment and Penetration Test and Red Team Exercises
Incident Response & Management
Risk based transaction monitoring
Metrics
Forensics
User / Employee/ Management Awareness
Customer Education and Awareness

Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

Key Responsibilities of SOC could include:

Monitor, analyze and escalate security incidents
Develop Response - protect, detect, respond, recover
Conduct Incident Management and Forensic Analysis
Co-ordination with contact groups within the bank/external agencies

Detailed information on points that need to be considered, expectations and key requirements are mentioned. It is very illustrative cover here, kindly access the framework for this. Further details on people, process, external integrations are also mentioned.

>> Access The RBI & SEBI Cyber Security Frameworks for Ba...

Top Learning From RBI Cyber Security Framework For Primary (Urban) Cooperative Banks (UCBs)

Need for a Board approved Cyber Security Policy
- Cyber Security Policy to be distinct from the IT policy/IS Policy of the UCB
- IT Architecture/Framework should be security compliant
- Cyber Crisis Management Plan
Organisational Arrangements
Cyber Security awareness among Top Management/Board/other concerned parties
Ensuring protection of customer information
Supervisory reporting framework

Top Learning From SEBI Cyber Security & Cyber Resilience Framework For Stock Brokers / Depository Participants

Governance
Identification
Protection
- Access Control
- Physical Security
- Network Security Management
- Data Security
- Hardening of Hardware and Software
- Application Security in Customer Facing Applications
- Certification of off the shelf products
- Patch management
- Disposal of data, systems and storage devices
- Vulnerability Assessment and Penetration Testing (VAPT)
Monitoring and Detection
Response and Recovery
Sharing of Information
Training and Education
Systems managed by vendors
Systems managed by MIIs
Periodic Audit

The above pointers are just a gist of the overview, the details involve looking into infrastructure and setting up processes. We suggest you read the detailed frameworks and consult a security analyst. Here's a free 30 Minutes analyst consultation to ensure your security readiness for RBI & SEBI

>> Check Your RBI & SEBI Readiness (Free Analyst Consulta...