The Reserve Bank of India (RBI) has issued a comprehensive new master direction on information technology (IT) governance, risk, controls and assurance practices for banks and non-banking financial companies (NBFCs).
The key focus areas of IT governance shall include strategic alignment, risk management, resource management, performance management and business continuity/disaster recovery management.
These directions shall be called the Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 and shall come into effect from April 1, 2024.
“REs (regulated entities) shall put in place a robust IT Service Management Framework for supporting their information systems and infrastructure to ensure the operational resilience of their entire IT environment (including DR sites),” the latest directions read.
It further stated that REs shall have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency.
“The policy shall, inter alia, contain provisions pertaining to signoffs from business users and application owners at each stage of migration, maintenance of audit trails, etc,” the RBI stated.
Every IT application that can access or affect critical or sensitive information shall have the necessary audit and system logging capability and should provide audit trails, it said.
On cryptographic controls, it said that the key lengths, algorithms, cipher suites and applicable protocols used in transmission channels, processing of data and for authentication purposes shall be strong. REs shall adopt internationally accepted and published standards that are not deprecated or demonstrated to be insecure/vulnerable, and the configurations involved in implementing such controls shall be compliant with extant laws and regulatory instructions.
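The "strong and not deprecated" requirement above is easy to state and easy to drift away from as a configuration ages, so here is an added example of a configuration audit for one transmission channel (TLS). It is illustrative code written for this page, not RBI text or any vendor's tool: the configuration dictionary format, the constructed sample inputs, the list of weak cipher-suite name tokens and the minimum key sizes are all assumptions an RE would replace with its own approved cryptographic standard.

```python
"""Added example: audit a TLS endpoint configuration against the
"strong and not deprecated" criterion. Hypothetical checker written for
this page; the config format, thresholds and token lists are assumptions."""
import re
import ssl

# Protocol versions that are deprecated (SSLv3 by RFC 7568, TLS 1.0/1.1 by RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Name tokens (OpenSSL and IANA spellings) that mark a suite as broken or deprecated.
# Assumed list for illustration, not exhaustive.
WEAK_TOKENS = {"NULL", "EXP", "EXPORT", "ADH", "AECDH", "ANON", "RC2", "RC4",
               "DES", "3DES", "CBC3", "IDEA", "MD5"}

# Assumed minimum key sizes; align these with the RE's own cryptographic standard.
MIN_RSA_BITS = 2048
MIN_DH_BITS = 2048
MIN_EC_BITS = 256


def _tokens(suite: str) -> set:
    """Split a suite name such as ECDHE-RSA-AES128-GCM-SHA256 or
    TLS_AES_128_GCM_SHA256 into its upper-case name tokens."""
    return set(re.split(r"[-_]", suite.upper()))


def has_forward_secrecy(suite: str) -> bool:
    """True for ephemeral (EC)DH key exchange, or a TLS 1.3 suite (always ephemeral).
    IANA names for TLS 1.2 suites contain the token WITH; TLS 1.3 names do not."""
    t = _tokens(suite)
    return bool(t & {"ECDHE", "DHE"}) or ("TLS" in t and "WITH" not in t)


def audit_tls_config(config: dict) -> list:
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    for proto in config.get("protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for suite in config.get("cipher_suites", []):
        weak = _tokens(suite) & WEAK_TOKENS
        if weak:
            findings.append(f"weak cipher suite {suite} ({', '.join(sorted(weak))})")
        elif not has_forward_secrecy(suite):
            findings.append(f"cipher suite without forward secrecy: {suite}")
    for key, minimum in (("rsa_key_bits", MIN_RSA_BITS),
                         ("dh_param_bits", MIN_DH_BITS),
                         ("ec_key_bits", MIN_EC_BITS)):
        bits = config.get(key)
        if bits is not None and bits < minimum:
            findings.append(f"{key}={bits} is below the minimum of {minimum}")
    return findings


def hardened_context() -> ssl.SSLContext:
    """A client context that offers only TLS 1.2+ with forward-secret AEAD suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


_VERSION_NAMES = {ssl.TLSVersion.SSLv3: "SSLv3", ssl.TLSVersion.TLSv1: "TLSv1.0",
                  ssl.TLSVersion.TLSv1_1: "TLSv1.1", ssl.TLSVersion.TLSv1_2: "TLSv1.2",
                  ssl.TLSVersion.TLSv1_3: "TLSv1.3"}


def audit_context(ctx: ssl.SSLContext) -> list:
    """Run the same audit over what a live SSLContext will actually negotiate."""
    offered = [name for ver, name in _VERSION_NAMES.items() if ver >= ctx.minimum_version]
    return audit_tls_config({"protocols": offered,
                             "cipher_suites": [c["name"] for c in ctx.get_ciphers()]})


# Constructed sample inputs: a legacy configuration and a hardened one.
SAMPLE_CONFIG = {
    "protocols": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA",
                      "AES256-SHA", "ECDHE-RSA-RC4-SHA"],
    "rsa_key_bits": 1024,
    "dh_param_bits": 2048,
}
HARDENED_CONFIG = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": ["ECDHE-ECDSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384",
                      "ECDHE-RSA-CHACHA20-POLY1305"],
    "rsa_key_bits": 3072,
    "dh_param_bits": 3072,
    "ec_key_bits": 256,
}

if __name__ == "__main__":
    for name, cfg in (("legacy", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls_config(cfg) or "PASS")
    print("live hardened context", audit_context(hardened_context()) or "PASS")
```

The static check and the live-context check are deliberately the same function: the configuration file an auditor reads and the suites a process actually negotiates can disagree, so the evidence for "strong, not deprecated" should come from both. The token lists here are a starting point only; the RE's approved algorithm list, not this script, is the source of truth.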
Also, in order to prevent unauthorised modification of data, REs should ensure that there is no manual intervention or manual modification in data while it is being transferred from one process to another or from one application to another, in respect of critical applications.
The latest directions also state that the risk management policy of the RE shall include IT-related risks, including cyber security related risks, and that the Risk Management Committee of the Board (RMCB), in consultation with the IT Strategy Committee (ITSC), shall periodically review and update it, at least on a yearly basis.
“REs shall analyse cyber incidents (including through forensic analysis, if necessary) for their severity, impact and root cause. REs shall take measures, corrective and preventive, to mitigate the adverse impact of incidents on business operations,” the central bank added.