The Reserve Bank of India (RBI) today released detailed guidelines on information technology (IT) governance, information security, and cyber fraud for the Indian banking industry. RBI guidelines are result of the Working Group’s recommendations on information security, electronic banking, technology risk management, and cyber frauds; the Working Group was formed under the chairmanship of G Gopalakrishna, the executive director of RBI in April 2010 (under Annual Monetary Policy Statement 2010-11).
The increasing adoption of IT by the commercial banks in India has resulted in a new set of security challenges. With the growing instances of cyber frauds, it was imperative to improve controls and examine the need for pro-active fraud risk assessments and management processes in commercial banks. This gave rise to the need to enhance RBI guidelines relating to IT governance and information security measures as well as independent assurance about the effectiveness of IT controls.
The RBI guidelines under this report cover various areas such as IT governance, information security (including electronic banking channels like internet banking, ATMs), IT operations, IT services outsourcing, information system audit, cyber frauds, business continuity planning (BCP), customer education, and legal issues. These RBI guidelines would serve as a common minimum standard for all banks to adopt as well as lay down the best practices to implement in a phased manner
RBI guidelines on IT security
• Classify information assets and maintain an inventory.
• Notify major cyber security incidents to CERT-In/Institute for Development and Research in Banking Technology (IDRBT)/RBI.
• Every application affecting critical/ sensitive information must provide for detailed audit trails/logging capability, suggested RBI guidelines.
• For all critical applications, either source code must be received from the vendor or a software escrow agreement needs to be in place with a third party to ensure its availability in case the vendor goes out of business, mentions RBI guidelines.
• Cryptographic techniques should be used to control access to critical and sensitive data/information in transit and storage.
• Commercial banks should implement ISO 27001 based information security management system best practices for their critical functions.
• Banks should implement two-factor authentication for critical activities like fund transfers and changing customer related details through internet banking facility.
• A system of information sharing, akin to the functions performed by Financial Services Information Sharing Agency in the US, should be established. IDRBT as a sub-CERT to the banking system can function as a nodal point for information sharing.
RGI guidelineson cyber fraud
• The activities of fraud prevention, monitoring, investigation, reporting and awareness creation should be carried out by an independent fraud risk management group in the bank.
• Set up a transaction monitoring group within the fraud risk management group, alert generation and redressal mechanisms, dedicated e-mail id and phone number for reporting suspected frauds, mystery shopping and reviews.
• Banks should also start sharing the details of employees as well as the experience of controlling/preventing on a regular basis, state RBI guidelines.
• In each state, a Financial Crime Review Committee needs to be set up on frauds along the lines of the Security Committee set up by the RBI to review security issues in banks.
The RBI guidelines on BCP suggest implementing standards like BS 25999 and a regular performance test. On the legal front, the RBI guidelines recommend that as there is no specific legislation in India, which deals only with electronic funds transfer (EFT), it may be apposite to have some provisions similar to those in the EFT Act, which exempts the bank from any liability in case of fraud by the customer or a technical failure.
You can read the detailed recommendations of these RBI guidelines on other aspects like IT serving outsourcing, IT governance, customer education and the entire report here.