NABARD Rural Regional

National Bank for Agriculture and Rural Development (NABARD) is an apex development financial institution of the country, outlined to address the of an organizational device for resolving credit related issues linked with rural development. As per the Ref. NO. NB. DoS. Pol. HO./3184 / J- 1/2019-20, NABARD put forth a Comprehensive Cyber Security Framework for Regional Rural Banks (RRBs) - A Graded Approach for time bound implementation. Identification and assessment of the inherent risk helps the RRBs reduce the vulnerability of the technologies adopted, delivery channels, digital products being offered, internal and external threats etc.

As per the framework, RRBs have been categorized into four levels based on their digital depth and interconnectedness to the payment systems landscape. levels are defined as below:

Level 1:

Criteria- All RRBs

Regulatory Prescription - Level I controls prescribed in Annexure-I
In addition to the controls, the banks may test their preparedness on cyber security by administering the Vulnerability Index on Cyber Security (VICS) tool Annexure-I A

Level 2:

Criteria- All RRBs, which are sub-members of Central Payment System (CPS) and satisfying at least one of the criteria given below:

  • Offers internet banking facility to its customers (either view or transaction based)

  • Provides Mobile Banking facility through application (Smart phone usage)

  • Is a direct Member of CTS/IMPS/UPI

Regulatory Prescription - Level II controls given in Annexure-II, in addition to Level I controls.

Additional controls include Data Loss Prevention Strategy, Anti-Phishing, VA/PT of critical applications.

Level 3:

Criteria- RRBs having at least one of the criteria given below:

  • Direct members of CPS

  • Having their own ATM Switch

  • Having SWIFT interface

Regulatory Prescription - Level III controls given in Annexure-III, in addition to Level I and II controls.

Additional controls include Advanced Real-time Threat Defense and Management, Risk based transaction monitoring.

Level 4:

Criteria - RRBs which are members/sub-members of CPS and satisfy at least one of the criteria given below:

  • Having their own ATM Switch and having SWIFT interface

  • Hosting data center or providing software support to other banks on their own or through their wholly owned subsidiaries    
     

Regulatory Prescription - Level IV controls given in Annexure-IV, in addition to Level I, II and III controls. Additional controls include setting up of a Cyber Security Operation Center (C-SOC) (either on their own or through service providers), Information Technology (IT) and Information Security (IS) Governance Framework with higher responsibilities to be put in place within six months of issue of circular.

The Board of Directors is ultimately responsible for the information security of the bank.

RRBs shall undertake a self-assessment of the level in which they fit into based on the criteria given in the table.

All RRBs shall comply with the control requirements prescribed in Annexure-I within three months from the date of issuance of this circular. Similarly, Level II, III and IV RRBs are required to implement additional controls prescribed in Annexures-II, III and IV respectively.


The Vulnerability Index for Cyber Security Framework (VICS) may be used as a guidance tool for establishing cyber security controls.
Annexure-1

Baseline Cyber Security and Resilience Requirements - Level   

  • Inventory Management of Business IT Assets

  • Board approved Cyber Security Policy

    • Cyber Security policy should be distinct from the IT policy/IS Policy

    • IT Architecture/Framework should be security compliant

    • Cyber Crisis Management plan

    • Cyber Intrusions

  • Preventing access of unauthorized software

  • Environmental Controls

  • Network Management and Security

  • Secure Configuration

  • Antivirus and Patch Management

  • User Access Control/Management

  • Secure mail and messaging systems

  • Removable Media

  • User/ Employee / Management Awareness

  • Customer Education and Awareness

  • Backup and Restoration

  • Data Leak Prevention Strategy

  • Vendor/Outsourcing Risk Management

  • Supervisory Reporting Framework - Reporting of Cyber Incidents

  • Chief Information Security Officer (CISO)

  • IT Steering Committee

  • Information Security Committee

  • Audit Committee of Board (ACB)

  • RRBs may assess their preparedness on Level I controls on a periodic basis and use the Vulnerability Index for Cyber security Framework (VICS) tool as a guidance for the same.


Annexure-1A

The Vulnerability Index for Cyber Security Framework (VICS) covers four major areas, viz  

  • Baseline Cyber Security Framework (CSF),

  • Policy strength,

  • Vendor management and

  • Cyber Security Crisis Management Plan through 30 major topics.


Annexure-II

Level II - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I)

  • Network Management and Security

  • Secure Configuration

  • Application Security Lifecycle (ASLC)

  • Change Management

  • Periodic Testing

  • User Access Control/Management

  • Authentication Framework for Customers

  • Anti-Phishing

  • User/Employee/Management Awareness

  • Audit Logs

  • Incident Response and Management


Annexure-III

Level II - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I & II)     

  • Network Management and Security

  • Secure Configuration

  • Application Security Lifecycle (ASLC)

  • User Access Control

  • Advanced Real-time Threat Defense and Management

  • Maintenance, Monitoring and Analysis of Audit Logs

  • Incident Response and Management

  • Risk based transaction monitoring


Annexure-IV

Level II - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I, II & III)

  • Arrangement for continuous surveillance - Setting up Of Cyber Security Operation Centre (C-SOC)

    • Expectations from C-SOC

    • Steps for setting up C-SOC — Technological Aspects

  • Participation in Cyber Drills

  • Incident Response and Management

  • Forensics and Metrics

  • IT Strategy and Policy

  • IT and IS Governance Framework

    • Security Team/Function

    • IT Strategy Committee

    • IT Steering Committee

    • Chief Information Security Officer (CISO)

    • Information Security Committee


Audit Approach

Business Understanding

Evaluating business process and environment to understand the in-scope elements

Audit Scope Finalization

Detailed questionnaire is shared with your teams to aid in the scope definition, planning and preparation of the audit and objectives

Initial/Readiness Assessment

As per the NABARD guidelines for RRB, we will conduct an initial audit measuring the IT related risks to enhance the reliability of processes, critical system platforms, networks and physical components.

Risk Assessment

Identifying and analysing the risks in the information security posture.

Data Flow Assessment

Conducting thorough systems analysis to evaluate data flow and possible leakages

Remediation Support

As per the assessment QRC will provide remediation support for complying with the NABARD cybersecurity guidelines for each domain.

Scans And Testing

Identify critical vulnerabilities in your system with a robust testing approach

Evidence Review

Review of the evidence collected to assess their maturity, in line with the compliance

Final Audit

Post remediation, we conduct a final audit and review your evidence as identified during the audit. On successful closure, we will share the confirmation letter that all assets defined as per the scope meet the prescribed guidelines.

Concise Reporting

Our team documents a comprehensive report detailing all findings covered during the assessment cycle.

benefits

Aligning your organization controls as per the NABARD RRB Cybersecurity Framework significantly reduces the impact in wake of a cybersecurity incident. Banks need to assess their cybersecurity preparedness under the active guidance of a CERT-IN empaneled auditor. The audit will significantly help in:

  • Establishing strong governance collaboration within industry advanced real-time capabilities

  • Identifying gaps w.r.t. Cyber Security/Resilience Framework and closing it effectively

  • Assessing your IT infrastructure will help to identify precisely what sensitive information you hold, providing the scope to organize storages and refine data management processes.

  • Update the measurement criteria for assessing effectiveness of controls including the risk assessment and risk management methodology followed by the bank

  • Improve customer trust and build cyber resilience

“As a CERT-IN empanelled body, QRC will help you understand, manage and comply with IRDA’s Cyber Security requirements as published in the IRDA’s Guidelines on Insurance E-Commerce on a periodic basis.”

Related Updates




LinkedIn Facebook Twitter Youtube

We use cookies to enhance your user experience. By continuing to browse, you hereby agree to the use of cookies. To know more; visit our Privacy Policy & Cookies Policy.

X