On November 7, 2023, the Reserve Bank of India (RBI) issued a major set of directions on Information Technology and Information Security Governance applicable to all of its Regulated Entities (REs). For the entities covered by the notification, these directions can henceforth be treated as the benchmark for "reasonable security practices" and "due diligence" under ITA 2000 as well as under DPDPA 2023.
This "Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices" replaces the earlier guidelines issued since 2002, including the GGWG guidelines of April 29, 2011 and the Cyber Security Framework of 2017.
The directions, titled Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023, come into effect on 1st April 2024.
These directions apply to all Banking Companies, Corresponding New Banks, SBI, NBFCs, Credit Information Companies, Exim Bank, NABARD, the National Bank for Financing Infrastructure and Development, NHB and SIDBI.
The directions do not apply to Local Area Banks and NBFC - Core Investment Companies.
The directions consist of the following seven chapters:
Chapter I: Preliminary
Chapter II: IT Governance
Chapter III: IT Infrastructure & Services Management
Chapter IV: IT and Information Security Risk Management
Chapter V: Business Continuity Plan (BCP) and Disaster Recovery Management
Chapter VI: Information Systems (IS) Audit
Chapter VII: Repeal and Other provisions
The IT Governance Framework under Chapter II identifies five key focus areas, namely:
a) Strategic alignment
b) Risk Management
c) Resource Management
d) Performance Management and
e) Business Continuity/Disaster Recovery Management.
Under the directions, REs shall put in place a robust, comprehensive and accountable governance framework that specifies the responsibilities of the Board of Directors, the Board-level committees and Senior Management.
REs shall also appoint a sufficiently senior, technically competent official with experience in IT-related aspects as Head of IT Function, who will be responsible for:
(i) Ensuring that the execution of IT projects/ initiatives is aligned with the RE’s IT Policy and IT Strategy;
(ii) Ensuring that there is an effective organisational structure to support IT functions in the RE; and
(iii) Putting in place an effective disaster recovery setup and business continuity strategy/ plan.
Under Chapter III on IT Infrastructure and Services Management, one of the requirements is that REs shall avoid using outdated and unsupported hardware or software, and shall monitor the end-of-support dates of software and the AMC dates of hardware on an ongoing basis. In practice this will force many REs to refresh hardware and software that is already past vendor support, and to keep an inventory that records support and AMC dates so that the next expiry is seen before it arrives.
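The ongoing monitoring the direction asks for is, at its simplest, a periodic pass over the asset inventory that flags anything past or near its end-of-support (EOS) or AMC date, and anything for which no EOS date was ever recorded (an asset whose support status is unknown cannot be shown to be supported). The following is an added example written for this article, not RBI's text or any vendor's tool; the asset names, versions and dates are constructed, and the 90-day warning horizon is an assumed value, not one the direction prescribes.

```python
"""Added example (not RBI's text or any vendor's tool): flag inventory entries
whose vendor end-of-support (EOS) date or AMC expiry is past, approaching, or
unrecorded. All asset names, versions and dates below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    version: str
    end_of_support: Optional[date]  # vendor EOS date; None means nobody recorded it
    amc_expiry: Optional[date]      # annual maintenance contract expiry, if any


# Constructed sample inventory (hypothetical systems, versions and dates).
INVENTORY = [
    Asset("core-banking-db", "11.2", date(2020, 10, 31), date(2024, 3, 31)),
    Asset("branch-os-image", "2019", date(2024, 1, 9), None),
    Asset("api-gateway", "7.4", date(2026, 6, 30), date(2024, 5, 15)),
    Asset("swift-connector", "3.1", None, date(2025, 1, 1)),
]


def classify(asset: Asset, today: date, horizon_days: int = 90) -> list:
    """Return the findings for one asset as a list of tags.

    UNSUPPORTED         vendor support has already ended (the direction says: avoid)
    EOS_WITHIN_HORIZON  support ends within horizon_days (plan the refresh now)
    EOS_UNKNOWN         no EOS date recorded: the asset cannot be shown to be supported
    AMC_EXPIRED / AMC_EXPIRING  the same two checks applied to the maintenance contract
    """
    findings = []
    horizon = today + timedelta(days=horizon_days)
    if asset.end_of_support is None:
        findings.append("EOS_UNKNOWN")
    elif asset.end_of_support < today:
        findings.append("UNSUPPORTED")
    elif asset.end_of_support <= horizon:
        findings.append("EOS_WITHIN_HORIZON")
    if asset.amc_expiry is not None:
        if asset.amc_expiry < today:
            findings.append("AMC_EXPIRED")
        elif asset.amc_expiry <= horizon:
            findings.append("AMC_EXPIRING")
    return findings


def report(inventory, today: date, horizon_days: int = 90) -> dict:
    """Map asset name -> findings, omitting assets with nothing to report."""
    out = {}
    for asset in inventory:
        findings = classify(asset, today, horizon_days)
        if findings:
            out[asset.name] = findings
    return out


def report_on(iso_today: str, horizon_days: int = 90) -> dict:
    """Run the report over the sample inventory as of a given ISO date (YYYY-MM-DD)."""
    return report(INVENTORY, date.fromisoformat(iso_today), horizon_days)


if __name__ == "__main__":
    # Run as if on the day the directions take effect.
    for name, findings in report_on("2024-04-01").items():
        print(f"{name}: {', '.join(findings)}")
```

Run on 2024-04-01, the sample inventory produces two unsupported assets (one also with an expired AMC), one AMC expiring inside the horizon, and one asset with no EOS date on record; run on 2023-12-01 the same branch OS image is instead reported as ending support within the horizon, which is the point at which the refresh should have been scheduled. A real deployment would pull the inventory from the CMDB and the EOS dates from vendor lifecycle pages rather than from a hard-coded list.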
In third-party arrangements for outsourcing, REs shall apply the RBI outsourcing directions of 2023 and further put in place measures to assess and mitigate risks, including compliance with all applicable legal and regulatory requirements and standards to protect customer data.
While adopting new or emerging technologies, REs need to align their strategies with the risk appetite of the organization.
It is also specifically indicated that REs shall obtain the source code of all critical applications from the vendors, or put in place a source code escrow arrangement. REs shall also obtain a certificate or a written confirmation from the application developer or vendor stating that the application is free of known vulnerabilities, malware and any covert channels in the code. Such a certificate or written confirmation shall also be obtained whenever material changes to the code, including upgrades, occur. Any new IT application proposed to be introduced as a business product shall be subjected to a product approval and quality assurance process. A vendor's written confirmation is an attestation rather than evidence; an RE should still verify it through its own vulnerability assessment and code review before go-live.
The REs shall put in place a system for collecting and monitoring audit trails of all critical applications.
The directions require cryptographic controls that are internationally accepted and not deprecated, and straight-through processing (STP) when data is transferred from one process to another, so that data is not manually re-keyed or altered in between.
Access is to be granted on a need-to-know and need-to-do basis; personnel with elevated (privileged) access shall authenticate using multi-factor authentication and their activity shall be closely supervised.
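Taken together with the audit-trail requirement above, the practical control is a review of the application's audit trail that flags privileged actions performed without MFA, privileged actions by accounts not on the approved privileged-user register, and records the collector could not parse (a gap in the trail is itself a finding, since it may indicate tampering or a logging fault). The following is an added example written for this article, not RBI's text or any product's code; the key=value log format, the user names, the action names, the approved-user list and the addresses are all constructed.

```python
"""Added example (not RBI's text or any product's code): review an application
audit trail for privileged actions performed without MFA or by accounts outside
the approved privileged-user register. The log format, users, actions and
addresses below are constructed for illustration."""
import re
from collections import Counter

# Hypothetical key=value audit format; real applications differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) mfa=(?P<mfa>true|false) src=(?P<src>\S+)$"
)

# Actions that change security posture and therefore count as privileged (assumed set).
PRIVILEGED_ACTIONS = {"GRANT", "ALTER_TABLE", "USER_CREATE", "CONFIG_CHANGE"}
# The access-review register of who may hold elevated access (constructed).
APPROVED_PRIVILEGED_USERS = {"dbadmin01", "sysadmin02"}

# Constructed sample audit trail: one clean privileged action, one privileged
# action without MFA, one ordinary action, one privileged action by a standard
# user, and one corrupted record.
SAMPLE_LOG = """\
2024-04-02T10:15:03Z user=dbadmin01 role=privileged action=ALTER_TABLE mfa=true src=10.0.5.12
2024-04-02T10:17:44Z user=dbadmin01 role=privileged action=GRANT mfa=false src=10.0.5.12
2024-04-02T11:02:10Z user=teller17 role=standard action=VIEW_ACCOUNT mfa=false src=10.0.9.3
2024-04-02T11:05:55Z user=teller17 role=standard action=CONFIG_CHANGE mfa=true src=10.0.9.3
2024-04-02T11:06:01Z corrupted record
"""


def parse(line: str):
    """Return the record's fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review(log_text: str) -> list:
    """Return one finding dict per problem record, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            # An unparseable record is a gap in the trail: report it rather than skip it.
            findings.append({"line": lineno, "reason": "UNPARSEABLE_AUDIT_RECORD"})
            continue
        if rec["action"] not in PRIVILEGED_ACTIONS:
            continue
        base = {"line": lineno, "user": rec["user"], "action": rec["action"]}
        if rec["mfa"] != "true":
            findings.append({**base, "reason": "PRIVILEGED_ACTION_WITHOUT_MFA"})
        if rec["user"] not in APPROVED_PRIVILEGED_USERS:
            findings.append({**base, "reason": "UNAPPROVED_PRIVILEGED_USER"})
    return findings


def privileged_activity_by_user(log_text: str) -> Counter:
    """Count privileged actions per user: the figure a supervisor reviews periodically."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["action"] in PRIVILEGED_ACTIONS:
            counts[rec["user"]] += 1
    return counts


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
    print(dict(privileged_activity_by_user(SAMPLE_LOG)))
```

On the sample trail the review yields three findings: the GRANT on line 2 without MFA, the CONFIG_CHANGE on line 4 by a user who is not on the privileged register, and the corrupted record on line 5. The per-user counter is what "closely supervised" looks like in practice: a supervisor reconciles it against approved change tickets on a fixed cadence, not only when an alert fires.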
Chapter IV covers IT and Information Security Risk Management. The directions require an appropriate policy that shall be reviewed at least once a year, together with a Cyber Security Policy and a Cyber Crisis Management Plan (CCMP).
A senior-level executive (preferably of General Manager level) shall be designated as the CISO; the CISO shall not have a direct reporting relationship with the Head of IT Function and shall not be given any business targets.
The directions recognize the need to report incidents to CERT-In, but make no mention of the Data Protection Board under DPDPA 2023. This indicates that the directions were developed before DPDPA 2023 was passed, and hence DPDPA 2023 compliance will need to be built on top of these information security requirements.
Chapter V sets out the BCP and DR policy requirements, which shall cover the interconnected systems of vendors and partners as well. REs are expected to achieve a minimal RTO (Recovery Time Objective), as approved by the IT Security Committee, and a near-zero RPO (Recovery Point Objective) for critical information systems.
Chapter VI on Information Systems (IS) Audit requires an IS Audit policy along with a governance mechanism for it.
An annexure to Chapter VII ensures that the multiple circulars of earlier years are repealed, so that from 1st April 2024 this Master Direction becomes the single, unambiguous set of requirements.
Information and data security professionals should take note of these directions not only as sectoral regulation but also as a general statement of expected industry practice.