All Articles

In its June 2, 2016 notification, RBI has issued new cybersecurity guidelines, which says that scheduled commercial banks (private, foreign and nationalized banks listed in the schedule of RBI Act, 1934) must proactively create or modify their policies, procedures and technologies based on new security developments and concerns. As per RBI, use of information technology and their constituents has grown rapidly and is now an integral part of banks' operational strategies; hence the need for a board-approved cyber-security policy.

As per the guidelines, Banks should immediately put a cyber security policy, separate from their IT policy, and get it approved by board. Banks need to send a confirmation to RBI, at the earliest, and in any case not later than September 30, 2016.

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

8 Key Takeaways From RBI Cyber Security Guidelines

Within this notification, RBI asks banks to immediately put in place a cybersecurity policy duly approved by their board, containing an appropriate approach to combat cyber threats. Some of the key takeaways from the report are as following:

• Cybersecurity policy to be distinct from the broader IT policy/IS security policy of a bank
  
  
• Need of a board approved cyber security policy, which needs to be confirmed to RBI by September 30, 2016
  
  
• SOC (Security Operations Centre) needs to be in place at the earliest (if not already in place) and arrangements need to be made for continuous surveillance
  
  
• A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy
  
  
• Cyber security preparedness indicators to assess the level of risk/preparedness
  
  
• Sharing of information on cyber-security incidents with RBI
  

• Supervisory Reporting framework to collect both summary level information as well as details on information security incidents including cyber-incidents (is a template provided, if yes mention it)
  
  
• Cyber-security awareness among stakeholders / Top Management / Board

This notification has got attentions of CISOs across banking sector as well as others. In response to this notification, some security practitioners say that taking boards’ cognizance while drafting security policy is going to be a challenging task. Because board members may not be very inclined to know about the security and technical  information, therefore translating security information in business terms will be a challenging task. – plz check

RBI has listed 24 requirements which should be put in place by banks to achieve baseline cyber security and resilience requirements. They are mentioned below:

( Read More: 9 Top Features To Look For In Next Generation Firewall (NGFW) )

Baseline Controls

1. Inventory Management of Business IT Assets
2. Preventing execution of unauthorized software
   
   
3. Environmental Controls - for securing location of critical assets providing protection from natural and man-made threats, and mechanisms for monitoring of breaches / compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access logs, etc.
   
   
4. Network Management and Security
5. Secure Configuration
   
   
6. Application Security Life Cycle (ASLC)
   
   
7. Patch/Vulnerability & Change Management
   
   
8. User Access Control / Management
   
   
9. Authentication Framework for Customers
   
   
10. Secure mail and messaging systems
    
    
11. Vendor Risk Management
    
    
12. Removable Media
    
    
13. Advanced Real-time Threat Defence and Management
    
    
14. Anti-Phishing
    
    
15. Data Leak prevention strategy
    
    
16. Maintenance, Monitoring, and Analysis of Audit Logs
    
    
17. Audit Log settings
    
    
18. Vulnerability assessment and Penetration Test and Red Team Exercises
    
    
19. Incident Response & Management
    
    
20. Risk based transaction monitoring
    
    
21. Metrics
    
    
22. Forensics
    
    
23. User / Employee/ Management Awareness
    
    
24. Customer Education and Awareness

As per the framework, Banks should set up and operationalize cyber security operation center (C-SOC). Because threats are changing rapidly, and reactive methodology which can deal with known threats, will not work here. So, banks should adopt for proactive methodology to deal with the unknown threats.

To help banks strengthen their cybersecurity initiatives, and cyber security preparedness RBI has also set up its new IT subsidiary, appointing a new CEO Nandkumar Sarvade, retired IPS officer and an expert in bank fraud and terrorism cases.

Want To Join Top Banks and Implement The Mandatory RBI Cyber Security Framework? Click Here To Show Interest