NABARD Cyber Security Framework for RRB

NABARD Cyber Security Framework for Regional Rural Banks

Service Overview

Applicable to All Regional Rural Banks

National Bank for Agriculture and Rural Development (NABARD) is an apex development financial institution of the country, set up to address the need for an organizational device for resolving credit-related issues linked with rural development. Vide Ref. No. NB. DoS. Pol. HO./3184 / J-1/2019-20, NABARD issued a Comprehensive Cyber Security Framework for Regional Rural Banks (RRBs) - A Graded Approach for time-bound implementation. Identification and assessment of inherent risk helps RRBs reduce the vulnerability arising from the technologies adopted, delivery channels, digital products offered, and internal and external threats.

As per the framework, RRBs are categorized into four levels based on their digital depth and interconnectedness to the payment systems landscape. The levels are defined as below:

Level 1:

Criteria - All RRBs

Regulatory Prescription - Level I controls prescribed in Annexure-I. In addition to these controls, banks may test their preparedness on cyber security by administering the Vulnerability Index on Cyber Security (VICS) tool (Annexure-I A).

Level 2:

Criteria - All RRBs that are sub-members of the Central Payment System (CPS) and satisfy at least one of the criteria given below:

  • Offers internet banking facility to its customers (either view or transaction based)
  • Provides Mobile Banking facility through an application (smartphone usage)
  • Is a direct member of CTS/IMPS/UPI

Regulatory Prescription - Level II controls given in Annexure-II, in addition to Level I controls.

Additional controls include Data Loss Prevention Strategy, Anti-Phishing, VA/PT of critical applications.

Level 3:

Criteria - RRBs meeting at least one of the criteria given below:

  • Direct members of CPS
  • Having their own ATM Switch
  • Having SWIFT interface

Regulatory Prescription - Level III controls given in Annexure-III, in addition to Level I and II controls.

Additional controls include Advanced Real-time Threat Defense and Management, Risk based transaction monitoring.

Level 4:

Criteria - RRBs which are members/sub-members of CPS and satisfy at least one of the criteria given below:

  • Having their own ATM Switch and having a SWIFT interface
  • Hosting a data center or providing software support to other banks, on their own or through their wholly owned subsidiaries

Regulatory Prescription - Level IV controls given in Annexure-IV, in addition to Level I, II and III controls. Additional controls include setting up a Cyber Security Operation Center (C-SOC) (either on their own or through service providers) and an Information Technology (IT) and Information Security (IS) Governance Framework with higher responsibilities, to be put in place within six months of the issue of the circular.

The Board of Directors is ultimately responsible for the information security of the bank.

RRBs shall undertake a self-assessment of the level into which they fit, based on the criteria given above.

All RRBs shall comply with the control requirements prescribed in Annexure-I within three months from the date of issuance of this circular. Similarly, Level II, III and IV RRBs are required to implement additional controls prescribed in Annexures-II, III and IV respectively.

The Vulnerability Index for Cyber Security Framework (VICS) may be used as a guidance tool for establishing cyber security controls.

Annexure-I

Baseline Cyber Security and Resilience Requirements - Level I

  • Inventory Management of Business IT Assets
  • Board approved Cyber Security Policy
    • Cyber Security policy should be distinct from the IT policy/IS Policy
    • IT Architecture/Framework should be security compliant
    • Cyber Crisis Management plan
    • Cyber Intrusions
  • Preventing access of unauthorized software
  • Environmental Controls
  • Network Management and Security
  • Secure Configuration
  • Antivirus and Patch Management
  • User Access Control/Management
  • Secure mail and messaging systems
  • Removable Media
  • User/ Employee / Management Awareness
  • Customer Education and Awareness
  • Backup and Restoration
  • Data Leak Prevention Strategy
  • Vendor/Outsourcing Risk Management
  • Supervisory Reporting Framework - Reporting of Cyber Incidents
  • Chief Information Security Officer (CISO)
  • IT Steering Committee
  • Information Security Committee
  • Audit Committee of Board (ACB)
  • RRBs may assess their preparedness on Level I controls on a periodic basis and use the Vulnerability Index for Cyber security Framework (VICS) tool as a guidance for the same.

Annexure-I A

The Vulnerability Index for Cyber Security Framework (VICS) covers four major areas, viz.

  • Baseline Cyber Security Framework (CSF),
  • Policy strength,
  • Vendor management and
  • Cyber Security Crisis Management Plan,

through 30 major topics.

Annexure-II

Level II - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I)

  • Network Management and Security
  • Secure Configuration
  • Application Security Lifecycle (ASLC)
  • Change Management
  • Periodic Testing
  • User Access Control/Management
  • Authentication Framework for Customers
  • Anti-Phishing
  • User/Employee/Management Awareness
  • Audit Logs
  • Incident Response and Management

Annexure-III

Level III - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I & II)

  • Network Management and Security
  • Secure Configuration
  • Application Security Lifecycle (ASLC)
  • User Access Control
  • Advanced Real-time Threat Defense and Management
  • Maintenance, Monitoring and Analysis of Audit Logs
  • Incident Response and Management
  • Risk based transaction monitoring

Annexure-IV

Level IV - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I, II & III)

  • Arrangement for continuous surveillance - Setting up of a Cyber Security Operation Centre (C-SOC)
    • Expectations from C-SOC
    • Steps for setting up C-SOC - Technological Aspects
  • Participation in Cyber Drills
  • Incident Response and Management
  • Forensics and Metrics
  • IT Strategy and Policy
  • IT and IS Governance Framework
    • Security Team/Function
    • IT Strategy Committee
    • IT Steering Committee
    • Chief Information Security Officer (CISO)
    • Information Security Committee

NABARD Cybersecurity Audit Approach And Process

Working in line with RBI and NABARD guidelines, QRC assesses your organization with a holistic approach and helps set up the cyber security infrastructure controls. Our approach for assessment is as follows:

Cyber Security Framework Services

  • Information Security Governance Support
    • Information Security Strategy
    • Information Security Committee
    • Security Solutions Implementation
  • Information Security Policy Documentation Support
  • Business Assets and IT Assets Inventory Register Documentation Support
  • Secure configuration of the IT Assets.
  • Vulnerability Assessment and Penetration Testing
  • Information Security Risk Assessment
  • Cyber Security Implementation Support
  • Cyber Security Audit and Assurance services (CERT-In empanelled)

Aligning your organization's controls with the NABARD RRB Cyber Security Framework significantly reduces the impact of a cyber security incident. Banks need to assess their cyber security preparedness under the active guidance of a CERT-In empanelled auditor. The audit will significantly help in:

  • Establishing strong governance and collaboration within the industry, along with advanced real-time capabilities
  • Identifying gaps with respect to the Cyber Security/Resilience Framework and closing them effectively
  • Assessing your IT infrastructure to identify precisely what sensitive information you hold, providing the scope to organize storage and refine data management processes
  • Updating the measurement criteria for assessing the effectiveness of controls, including the risk assessment and risk management methodology followed by the bank
  • Improving customer trust and building cyber resilience

As a CERT-In empanelled body, our solutions and implementation follow the guidelines in full and integrate readily with your existing infrastructure. We assist you with cyber security incidents and events, measuring control effectiveness, and user training and awareness.