RBI Cyber Security Framework for Banks

  1. Home
  2. Risk Compliance

RBI Cyber Security Framework for Banks


Detailed guidelines have been issued by RBI (Reserve Bank of India), on Cyber Security Framework to enable banks to formalize, adopt and implement cyber security policy and risk management plan. These guidelines are set for Banks in India to nudge them towards developing and implementing next generation cyber defense capabilities. Being a cyber security company, having a similar goal and motive we perform a deep analysis of the RBI Cyber Security Framework for Banks along with a detailed reasoning and study of the requirements.

Why banks need RBI Cyber Security Audit?

Since the entire banking heavily relies on electronic platforms and online transactions, cyber security is imperative. Hence, RBI expects banks to assess their Cyber Security preparedness. RBI mandates that a Top to Down approach in information security governance must be followed which starts from the Bank's operating board, to IT and IS committee, and to level further down in the hierarchy. RBI also expects the Banks to report to Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, with following details.

  • Gap analysis against the published Cyber Security/Resilience Framework
  • Information security controls
  • Effectiveness of the implemented controls
  • Plan of action to mitigate risks
  • Role of CISO

RBI Circulars

RBI releases periodic circulars to lay out what they expect from the banks. RBI realizes that banks must adopt a complete and yet customized approach towards cyber security, based on their situations. While there are many circulars released so far, following circulars are a key to an effective implementation.

How RBI Audit is performed for a bank?

  • Audit is conducted as an in-depth technical assessment
  • Includes information security process audit
  • Includes applicability of cyber security controls
  • By checking evidences and logs on servers
  • Includes checking all norms of technical requirements as per RBI

RBI Audit Report

  • A detailed gap analysis report
  • Report will provide who needs to do what activities to be compliant with RBI
  • Wherever possible, report will include details on what exactly needs to be done and by which team or person

RBI Cyber Security Framework Domains

RBI has provided clear guidelines for controls implementation, for the baseline cyber security and resilience framework. Following are the Baseline controls:

  • Inventory Management of Business
  • IT Assets Preventing execution of unauthorized software
  • Application Security Life Cycle (ASLC)
  • Patch/Vulnerability & Change Management
  • Vendor Risk Management
  • Removable Media
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Audit Log settings
  • Metrics
  • Forensics
  • Environmental Controls
  • Network Management and Security
  • User Access Control / Management
  • Authentication Framework for Customers
  • Advanced Real-time Threat Defense and Management
  • Anti-Phishing
  • Vulnerability assessment and Penetration Test
  • Red Team Exercises
  • Incident Response & Management
  • User / Employee/ Management Awareness
  • Customer Education and Awareness
  • Secure Configuration
  • Secure mail and messaging systems
  • Data Leak prevention strategy
  • Risk based transaction monitoring
Besides these controls, the UCB (Urban Cooperative Banks) are mandated to implement controls based on their level as decided by RBI. Those controls are as below.

Level 1 UCB Banks Cyber Security

  • Baseline Cyber Security and Resilience Requirement
  • Vendor/Outsourcing Risk Management

Level 2 UCB Banks Cyber Security

  • Network Management and Security
  • Secure Configuration
  • Application Security Life Cycle (ASLC)
  • Change Management
  • Periodic Testing
  • User Access Control / Management
  • Authentication Framework for Customers
  • Anti-Phishing
  • Data Leak Prevention Strategy
  • Audit Logs
  • Incident Response and Management

Level 3 UCB Banks Cyber Security

  • Network Management and Security
  • Secure Configuration
  • Application Security Life Cycle (ASLC)
  • User Access Control
  • Advanced Real-time Threat Defense and Management
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Incident Response and Management
  • User / Employee/ Management Awareness
  • Risk based transaction monitoring

Level 4 UCB Banks Cyber Security

  • Arrangement for continuous surveillance – Setting up of Cyber Security Operation Centre (C-SOC)
  • Participation in Cyber Drills
  • Incident Response and Management
  • Forensics and Metrics
  • IT Strategy and Policy
  • IT and IS Governance Framework
  • Chief Information Security Officer (CISO)
  • Information Security Committee
  • Audit Committee of Board (ACB)

IT auditing industries Pune,India, Industries

How Valency Networks Can Help With RBI Audits?

Valency Networks is a team of certified auditors. We have performed numerous cyber audits for banking and non-banking financial institutions. Contact us for more details.

What Our Customers Say?

Valency Networks is a very techie company, focusing on a continuous improvement in service quality. Our customers like us exactly for that and that helps us keep our quality to the best extent.

IT auditing industries Pune,India

Valency Networks is our only preferred vendor because the way they find vulnerabilities in our network is par excellence. We hired them on a long term contract to top up our perimeter and wish to continue with them.

CTO
Fortune 50 Manufaturing Company, Pune
IT auditing industries Pune,India

Hardly goes a day when I have not learnt anything new in cyber security space and IT technologies.

Team-mate
for 6+ yrs
IT auditing industries Pune,India

Working at Valency Networks helps me gain great knowledge everyday.

Team-mate,
for 3+ yrs