The Reserve Bank of India (RBI) has released comprehensive directions to enhance IT governance, risk management, control mechanisms, and assurance practices among regulated entities. Effective April 1, 2024, the RBI Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices consolidates existing guidelines and introduces new measures to ensure robust IT frameworks across financial institutions.
The directions apply to:
Scheduled Commercial Banks (excluding Regional Rural Banks)
Small Finance Banks
Payments Banks
Non-Banking Financial Companies (NBFCs) in the Top, Upper, and Middle Layers
Credit Information Companies
All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, SIDBI)
Foreign banks operating in India through branch mode will follow a “comply or explain” approach.
To comply with the circular, regulated entities must:
Establish an IT Governance Framework that aligns with their business objectives.
Set up a Board-level IT Strategy Committee and IT Steering Committee at the senior management level.
Appoint a Head of IT Function responsible for executing IT projects and ensuring robust IT infrastructure.
Implement policies and procedures for IT service management, third-party arrangements, capacity management, and project management.
Conduct regular risk assessments, vulnerability assessments, and penetration testing.
Develop a Business Continuity Plan (BCP) and Disaster Recovery (DR) management system.
Perform Information Systems (IS) audits as per the guidelines.
Chapter I – Preliminary
Defines the scope, applicability, and key terms related to the directions.
Chapter II – IT Governance
Outlines the IT Governance Framework focusing on strategic alignment, risk management, and resource management.
Specifies the roles of the Board of Directors, IT Strategy Committee, and Senior Management.
Mandates the appointment of a Head of IT Function.
Chapter III – IT Infrastructure & Services Management
Details the requirements for IT service management, third-party arrangements, capacity management, and project management.
Emphasizes data migration controls, audit trails, cryptographic controls, and physical and environmental controls.
Chapter IV – IT and Information Security Risk Management
Requires periodic review of IT-related risks and establishment of an IT and Information Security Risk Management Framework.
Calls for the creation of Information Security and Cyber Security policies, including a Cyber Crisis Management Plan (CCMP).
Stipulates the need for regular vulnerability assessments and penetration testing.
Chapter V – Business Continuity and Disaster Recovery Management
Requires the development of a BCP and DR policy that includes periodic testing and data backup procedures.
Specifies the need for regular DR drills and ensuring the integrity of backup data.
Chapter VI – Information Systems (IS) Audit
Mandates the establishment of an IS Audit policy and the conduct of risk-based IS audits.
Requires continuous auditing for critical systems and regular review of audit findings by the Audit Committee of the Board.
Chapter VII – Repeal and Other Provisions
Lists the circulars repealed by these directions and clarifies the application of other laws.
Provides guidelines for the interpretation of these directions by the RBI.
The RBI’s Master Direction on IT Governance, Risk, Controls, and Assurance Practices sets a robust framework for financial institutions to enhance their IT governance and security postures. By adhering to these guidelines, entities can ensure resilient and secure IT operations, effectively manage risks, and maintain regulatory compliance.
https://www.rbi.org.in/scripts/notificationuser.aspx/images/NotificationUser.aspx?Id=12562