RBI & SEBI has recently notified the Banks and Stock Brokers/Depository Participants and published a cyber security framework to be deployed. Here is a consolidated learning compiled by us and you can also access the detailed frameworks from here
Top Learning From RBI Cyber Security Framework For Banks
- Cyber Security Policy to be distinct from the broader IT policy / IS Security Policy of a bank
- Arrangement for continuous surveillance
- IT architecture should be conducive to security
- Comprehensively address network and database security
- Ensuring Protection of customer information
- Cyber Crisis Management Plan
- Cyber security preparedness indicators
- Sharing of information on cyber-security incidents with RBI
- Supervisory Reporting framework
- An immediate assessment of gaps in preparedness to be reported to RBI
- Organisational arrangements
- Cyber-security awareness among stakeholders / Top Management / Board
Baseline Cyber Security and Resilience Requirements
Baseline Controls
- Inventory Management of Business IT Assets
- Preventing execution of unauthorised software
- Environmental Controls
- Network Management and Security
- Secure Configuration
- Application Security Life Cycle (ASLC)
- Patch/Vulnerability & Change Management
- User Access Control / Management
- Authentication Framework for Customers
- Secure mail and messaging systems
- Vendor Risk Management
- Removable Media
- Advanced Real-time Threat Defence and Management
- Anti-Phishing
- Data Leak prevention strategy
- Maintenance, Monitoring, and Analysis of Audit Logs
- Audit Log settings
- Vulnerability assessment and Penetration Test and Red Team Exercises
- Incident Response & Management
- Risk based transaction monitoring
- Metrics
- Forensics
- User / Employee/ Management Awareness
- Customer Education and Awareness
Setting up and Operationalising Cyber Security Operation Centre (C-SOC)
Key Responsibilities of SOC could include:
- Monitor, analyze and escalate security incidents
- Develop Response - protect, detect, respond, recover
- Conduct Incident Management and Forensic Analysis
- Co-ordination with contact groups within the bank/external agencies
Detailed information on points that need to be considered, expectations and key requirements are mentioned. It is very illustrative cover here, kindly access the framework for this. Further details on people, process, external integrations are also mentioned.
Top Learning From RBI Cyber Security Framework For Primary (Urban) Cooperative Banks (UCBs)
- Need for a Board approved Cyber Security Policy
- Cyber Security Policy to be distinct from the IT policy/IS Policy of the UCB
- IT Architecture/Framework should be security compliant
- Cyber Crisis Management Plan
- Organisational Arrangements
- Cyber Security awareness among Top Management/Board/other concerned parties
- Ensuring protection of customer information
- Supervisory reporting framework
Top Learning From SEBI Cyber Security & Cyber Resilience Framework For Stock Brokers / Depository Participants
- Governance
- Identification
- Protection
- Access Control
- Physical Security
- Network Security Management
- Data Security
- Hardening of Hardware and Software
- Application Security in Customer Facing Applications
- Certification of off the shelf products
- Patch management
- Disposal of data, systems and storage devices
- Vulnerability Assessment and Penetration Testing (VAPT)
- Monitoring and Detection
- Response and Recovery
- Sharing of Information
- Training and Education
- Systems managed by vendors
- Systems managed by MIIs
- Periodic Audit
The above pointers are just a gist of the overview, the details involve looking into infrastructure and setting up processes. We suggest you read the detailed frameworks and consult a security analyst. Here's a free 30 Minutes analyst consultation to ensure your security readiness for RBI & SEBI
>> Check Your RBI & SEBI Readiness (Free Analyst Consultation)
.png)
Comments