On Tuesday, November 7, the Reserve Bank of India (RBI) released a set of detailed guidelines for Banks and Non-Banking Financial Companies (NBFCs) regarding IT governance and controls. The primary areas of emphasis within IT governance are strategic alignment, risk management, resource allocation, performance evaluation, and business continuity/disaster recovery planning.
In light of this, the RBI has officially released the final Reserve Bank of India (Information Technology Governance, Risk, Controls, and Assurance Practices) Directions for 2023.
The directions released by RBI will come into force from 1 April 2024. Furthermore, “REs (regulated entities) shall put in place a robust IT Service Management Framework for supporting their information systems and infrastructure to ensure the operational resilience of their entire IT environment,” states the latest direction released by the Central Bank.
The document also specifies that Regulated Entities (REs) should establish a documented data migration policy outlining a systematic process for data migration to ensure data integrity, completeness, and consistency.
Reserve Bank of India (RBI) said, “The policy shall, inter alia, contain provisions pertaining to signoffs from business users and application owners at each stage of migration, maintenance of audit trails, etc.”
Furthermore, it emphasised that each IT application with the potential to access or impact critical or sensitive data must possess essential audit and system logging capabilities, ensuring the provision of comprehensive audit trails.
Regarding cryptographic controls, it said that the key lengths, algorithms, cipher suites, and protocols used in transmission channels, data processing, and authentication must be strong.
Additionally, to thwart unauthorised data alterations, REs must guarantee that there is no manual intervention or modification during data transfer between processes or applications, particularly for critical applications.
As per the directives, the risk management policy of the RE must encompass IT-related risks, including those on cybersecurity. Additionally, the Risk Management Committee of the Board (RMCB) should conduct regular reviews and updates of this policy, at minimum annually.
The central bank additionally emphasised that REs should conduct thorough analyses of cyber incidents to assess their severity, impact, and underlying causes. They should implement both corrective and preventive measures to minimise the adverse effects of such incidents on business operations.
The Reserve Bank of India (RBI) is the apex body that regulates all the banks and NBFCs across the nation. The new guidelines published by RBI apply to the entire banking industry, and any non-compliance can harm the institution’s reputation and image among clients and stakeholders. Banks and NBFCs can apply for ISO/IEC 27001:2022 Certification for Information Security Management Systems (ISMS) to implement appropriate tools and controls to monitor information security.
Furthermore, ISO/IEC 27701:2019 Certification for Privacy Information Management Systems (PIMS) helps banks and NBFCs give clients and customers the right controls over their private and confidential data. Hence, the new regulation released by RBI focuses on creating a robust IT governance structure to ensure data security and safety. Moreover, banking and non-banking institutions can pursue various other standards and frameworks, including the General Data Protection Regulation (GDPR), Capability Maturity Model Integration (CMMI), Service Organization Controls (SOC), and Vulnerability Assessment and Penetration Testing (VAPT).
Source Link: https://www.cnbctv18.com/economy/rbi-issues-comprehensive-it-governance-guidelines-for-banks-and-nbfcs-effective-april-2024-18269651.htm