As the cyberthreat landscape keeps growing and data breaches keep rising, financial and information systems need to be placed under tighter security controls. Traditional compliance requirements are failing to keep pace with the growing sophistication of today's cyberattacks, so businesses and government organisations need to stay at the forefront of defending against these advanced adversaries. In 2011 the Reserve Bank of India (RBI) released extensive IT security guidelines, but it later felt compelled to update its guidance, partly because the original advisory did not sufficiently address the need for post-breach capabilities. The RBI's Cybersecurity Framework in Banks is one such step towards safeguarding crucial business assets and ensuring security compliance and data integrity.
The RBI's Cybersecurity Framework defines the requirements a modern financial organisation must meet to protect itself from the attack techniques that adversaries keep evolving. The framework addresses three core areas, namely:
The Baseline Cyber Security and Resilience Requirements consist of:
Beyond establishing an efficient surveillance system, the framework outlines the need to:
Operate a Cyber Security Operations Centre:
The Cyber SOC must provide proactive monitoring and management capabilities, with sophisticated tooling for detection and quick response, backed by the data and tools needed for sound analytics. The guidelines specifically call out the use of honeypot services. This is one of the very few places where the framework names a particular technology, which speaks to the clear value of honeypots in detecting and responding to advanced threats: nothing legitimate should ever touch a honeypot, so any contact with one is a high-confidence signal.
Cyber Security Incident Reporting (CSIR):
Banks are required to promptly notify RBI of all "unusual" cybersecurity incidents, whether successful or not. The notification window is six hours, which means that detection and analysis must take place extremely quickly.
The incident reporting requirement also calls for a Cyber Crisis Management Plan (CCMP), addressing incident detection, response, containment and recovery.
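To make the two requirements above concrete, the following is an added example (it is not code from the page or from QRC) of a low-interaction TCP honeypot of the kind the framework calls out: it listens on a port no legitimate client should use, records who connected and what they sent, and turns each contact into a candidate CSIR record whose reporting deadline is computed from the detection timestamp using the six-hour window. The FTP-style banner, the port choice, the field names of the event and incident records, and the `probe` helper used to exercise it are all assumptions made for this example.

```python
import socket
import threading
import time
from datetime import datetime, timedelta, timezone

# RBI CSIR: banks must notify RBI within six hours of detecting an unusual incident.
REPORTING_WINDOW = timedelta(hours=6)


def reporting_deadline(detected_at):
    """Latest time at which the incident report must reach RBI."""
    return detected_at + REPORTING_WINDOW


class Honeypot:
    """Low-interaction TCP honeypot (example code, not a production sensor).

    It accepts a connection, sends a decoy banner, reads at most 256 bytes,
    records the contact, and closes. Because no legitimate system is ever
    configured to talk to it, every recorded event is 'unusual' by construction.
    """

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port=0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(self.banner)
                data = conn.recv(256)
            except OSError:
                data = b""
            event = {
                "detected_at": datetime.now(timezone.utc),
                "src_ip": addr[0],
                "src_port": addr[1],
                "dst_port": self.port,
                "payload": data,
            }
            with self._lock:
                self.events.append(event)


def incident_from_event(event):
    """Turn one honeypot contact into a candidate CSIR record with its deadline."""
    return {
        "category": "honeypot-contact",
        "source": "%s:%d" % (event["src_ip"], event["src_port"]),
        "target_port": event["dst_port"],
        "detected_at": event["detected_at"].isoformat(),
        "report_by": reporting_deadline(event["detected_at"]).isoformat(),
        "summary": event["payload"].decode("ascii", "replace").strip()[:80],
    }


def probe(port, data, host="127.0.0.1"):
    """Act as the attacker: connect, read the banner, send data, disconnect."""
    with socket.create_connection((host, port), timeout=2) as c:
        banner = c.recv(64)
        c.sendall(data)
    return banner


def wait_for_events(hp, count, timeout=3.0):
    """Block until the honeypot has recorded `count` events or the timeout passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with hp._lock:
            if len(hp.events) >= count:
                return list(hp.events)
        time.sleep(0.02)
    with hp._lock:
        return list(hp.events)


if __name__ == "__main__":
    hp = Honeypot()
    hp.start()
    try:
        probe(hp.port, b"USER admin\r\n")   # constructed probe, stands in for a scanner
        for ev in wait_for_events(hp, 1):
            print(incident_from_event(ev))
    finally:
        hp.stop()
```

In a real SOC deployment the recorded event would be shipped to the SIEM and the `report_by` field would drive the escalation timer; the point of the example is that a honeypot needs no signature to classify the contact, so the six-hour clock can start the moment the connection is accepted.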
As a CERT-In empanelled security auditor, QRC has been working alongside the RBI and NPCI guidelines, assessing organisations with a holistic approach and helping banks address the many security challenges that arise from RBI's regulatory requirements. We assess the full set of security controls that touch customer data:
Our assessment approach is as follows:
Information Gathering & Documentation Review
We share a detailed questionnaire with your teams along with other documentation, and collect evidence on the architecture, implementation and controls to understand how data flows.
After scope definition and initial engagement, we conduct an initial audit against the RBI Cyber Security Framework to better understand the organisation's infrastructure, and help identify all the critical system platforms, network and physical components, and storage locations of sensitive information in scope, as the audit requires.
Based on the assessment and the data assets identified, QRC provides remediation support for the infrastructure supporting the relevant business processes so that it complies with the RBI mandate.
Report & Confirmation Letter
After assessment and remediation, we review your evidence for closure of the action items identified during the audit. On successful closure, we issue a confirmation letter that all payment-related data resides inside India.
Aligning your organisation's controls with the RBI Cybersecurity Framework significantly reduces the impact on the business in the wake of a cybersecurity incident. Banks need to assess their cybersecurity preparedness under the active guidance and oversight of the Board's IT Sub Committee or the Bank's Board directly. The audit helps significantly in: