Applicable to All Regional Rural Banks
National Bank for Agriculture and Rural Development (NABARD) is an apex development financial institution of the country, outlined to address the need for an organizational device for resolving credit-related issues linked with rural development. As per Ref. NO. NB. DoS. Pol. HO./3184 / J- 1/2019-20, NABARD put forth a Comprehensive Cyber Security Framework for Regional Rural Banks (RRBs) - A Graded Approach for time-bound implementation. Identification and assessment of the inherent risk helps the RRBs reduce the vulnerability of the technologies adopted, delivery channels, digital products being offered, internal and external threats etc.
As per the framework, RRBs have been categorized into four levels based on their digital depth and interconnectedness to the payment systems landscape. The levels are defined as below:
Level I
Criteria - All RRBs
Regulatory Prescription - Level I controls prescribed in Annexure-I
In addition to the controls, the banks may test their preparedness on cyber security by administering the Vulnerability Index on Cyber Security (VICS) tool (Annexure-I A).
Level II
Criteria - All RRBs, which are sub-members of Central Payment System (CPS) and satisfying at least one of the criteria given below:
Regulatory Prescription - Level II controls given in Annexure-II, in addition to Level I controls.
Additional controls include Data Loss Prevention Strategy, Anti-Phishing, VA/PT of critical applications.
Level III
Criteria - RRBs having at least one of the criteria given below:
Regulatory Prescription - Level III controls given in Annexure-III, in addition to Level I and II controls.
Additional controls include Advanced Real-time Threat Defense and Management, Risk based transaction monitoring.
Level IV
Criteria - RRBs which are members/sub-members of CPS and satisfy at least one of the criteria given below:
Regulatory Prescription - Level IV controls given in Annexure-IV, in addition to Level I, II and III controls.
Additional controls include setting up of a Cyber Security Operation Center (C-SOC) (either on their own or through service providers), Information Technology (IT) and Information Security (IS) Governance Framework with higher responsibilities to be put in place within six months of issue of circular.
The Board of Directors is ultimately responsible for the information security of the bank.
RRBs shall undertake a self-assessment of the level in which they fit into based on the criteria given in the table.
All RRBs shall comply with the control requirements prescribed in Annexure-I within three months from the date of issuance of this circular. Similarly, Level II, III and IV RRBs are required to implement additional controls prescribed in Annexures-II, III and IV respectively.
The Vulnerability Index for Cyber Security Framework (VICS) may be used as a guidance tool for establishing cyber security controls.
Baseline Cyber Security and Resilience Requirements - Level
The Vulnerability Index for Cyber Security Framework (VICS) covers four major areas, viz.
Level II - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I)
Level III - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I & II)
Level IV - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I, II & III)
NABARD Cybersecurity Audit Approach And Process
Working alongside RBI & NABARD Guidelines, QRC assesses your organization with a holistic approach, working to set up the cybersecurity infra controls. Our approach for assessment is as follows:
Cyber Security Framework Services
Aligning your organization's controls with the NABARD RRB Cybersecurity Framework significantly reduces the impact in the wake of a cybersecurity incident. Banks need to assess their cybersecurity preparedness under the active guidance of a CERT-IN empaneled auditor. The audit will significantly help in:
As a CERT-IN empaneled body, our solutions and implementation follow complete guidelines and are easy to combine with the infrastructure. We assist you with Cyber Security Incidents and Events, measuring the Control Effectiveness and User Training and Awareness.