Overview

The Reserve Bank of India (RBI) has released comprehensive directions aimed at enhancing IT governance, risk management, control mechanisms, and assurance practices among regulated entities. Effective from April 1, 2024, these directions consolidate existing guidelines and introduce new measures to ensure robust IT frameworks across financial institutions.

Applicability

The directions apply to:

  • Scheduled Commercial Banks (excluding Regional Rural Banks)

  • Small Finance Banks

  • Payments Banks

  • Non-Banking Financial Companies (NBFCs) in the Top, Upper, and Middle Layers

  • Credit Information Companies

  • All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, SIDBI)

Foreign banks operating in India through branch mode will follow a “comply or explain” approach.

Adherence to the Circular

To comply with the circular, regulated entities must:

  1. Establish an IT Governance Framework that aligns with their business objectives.

  2. Set up a Board-level IT Strategy Committee and IT Steering Committee at the senior management level.

  3. Appoint a Head of IT Function responsible for executing IT projects and ensuring robust IT infrastructure.

  4. Implement policies and procedures for IT service management, third-party arrangements, capacity management, and project management.

  5. Conduct regular risk assessments, vulnerability assessments, and penetration testing.

  6. Develop a Business Continuity Plan (BCP) and Disaster Recovery (DR) management system.

  7. Perform Information Systems (IS) audits as per the guidelines.

Chapter Highlights

Chapter I – Preliminary

  • Defines the scope, applicability, and key terms related to the directions.

Chapter II – IT Governance

  • Outlines the IT Governance Framework focusing on strategic alignment, risk management, and resource management.

  • Specifies the roles of the Board of Directors, IT Strategy Committee, and Senior Management.

  • Mandates the appointment of a Head of IT Function.

Chapter III – IT Infrastructure & Services Management

  • Details the requirements for IT service management, third-party arrangements, capacity management, and project management.

  • Emphasizes data migration controls, audit trails, cryptographic controls, and physical and environmental controls.

Chapter IV – IT and Information Security Risk Management

  • Requires periodic review of IT-related risks and establishment of an IT and Information Security Risk Management Framework.

  • Calls for the creation of Information Security and Cyber Security policies, including a Cyber Crisis Management Plan (CCMP).

  • Stipulates the need for regular vulnerability assessments and penetration testing.

Chapter V – Business Continuity and Disaster Recovery Management

  • Requires the development of a BCP and DR policy that includes periodic testing and data backup procedures.

  • Specifies the need for regular DR drills and ensuring the integrity of backup data.

Chapter VI – Information Systems (IS) Audit

  • Mandates the establishment of an IS Audit policy and the conduct of risk-based IS audits.

  • Requires continuous auditing for critical systems and regular review of audit findings by the Audit Committee of the Board.

Chapter VII – Repeal and Other Provisions

  • Lists the circulars repealed by these directions and clarifies the application of other laws.

  • Provides guidelines for the interpretation of these directions by the RBI.

Conclusion

The RBI’s Master Direction on IT Governance, Risk, Controls, and Assurance Practices sets a robust framework for financial institutions to enhance their IT governance and security postures. By adhering to these guidelines, entities can ensure resilient and secure IT operations, effectively manage risks, and maintain regulatory compliance.

References

https://www.rbi.org.in/scripts/notificationuser.aspx/images/NotificationUser.aspx?Id=12562

Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.