Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices - ആർബിഐ - Reserve Bank of India
Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices
RBI/2023-24/107 November 7, 2023 The Chairman/Managing Director/Chief Executive Officer Madam/Dear Sir, Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices Please refer to paragraph IV (8) of the Statement on Developmental and Regulatory Policies released with the Bi-monthly Monetary Policy Statement 2021-22 on February 10, 2022, wherein it was announced that draft guidelines, updating and consolidating the instructions relating to Information Technology (IT) Governance and Controls, Business Continuity Management and Information Systems Audit, will be issued by the Reserve Bank of India. 2. Accordingly, a draft Master Direction on the subject was published in October 2022 seeking public comments. Based on feedback received, the final Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 are enclosed herewith. Yours faithfully, (T.K.Rajan) Encl: Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 Contents RBI/2023-24/xx November 7, 2023 Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 In exercise of the powers conferred by Section 35A of the Banking Regulation Act, 1949; Section 45L of the Reserve Bank of India Act, 1934 and Section 11 of the Credit Information Companies (Regulation) Act, 2005, and all other provisions/ laws enabling the Reserve Bank of India in this regard, the Reserve Bank being satisfied that it is necessary and expedient in the public interest to do so, hereby issues the Directions hereinafter specified. 1. Short Title and Commencement (a) These Directions shall be called the Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023. (b) These Directions incorporate, consolidate and update the guidelines, instructions and circulars on IT Governance, Risk, Controls, Assurance Practices and Business Continuity/ Disaster Recovery Management. The list of circulars repealed is given in Chapter VII of this Master Direction. (c) These Directions shall come into effect from April 1, 2024. (a) These Directions shall be applicable to the following entities (collectively referred to as ‘regulated entities’ or ’REs’ in these directions):
(b) These Directions shall not be applicable to:
(c) In the case of foreign banks operating in India through branch mode, reference to the board or board of directors in these Directions should be read as reference to the controlling office/ head office which has the oversight over the branch operations in India. Further, such foreign banks shall be subject to a ‘comply or explain’ approach in terms of the applicability of these Directions. The ‘comply or explain’ approach shall allow such foreign banks to deviate from any specific part of these Directions subject to examination and acceptance by Reserve Bank of a reasonably justifiable explanation for the same, as part of the supervisory process. 3. Definitions2 (a) In these Directions, unless the context states otherwise, the terms herein shall bear the meanings assigned to them below:
(b) All expressions unless defined herein shall have the same meaning as have been assigned to them under the Banking Regulation Act, 1949 or the Reserve Bank of India Act, 1934 or Credit Information Companies (Regulation) Act, 2005 or Information Technology Act, 2000 or Companies Act, 2013 and Rules made thereunder or any statutory modification or re-enactment thereto or as used in RBI Directions / Circulars, as the case may be. (a) The key focus areas of IT Governance shall include strategic alignment, risk management, resource management, performance management and Business Continuity/ Disaster Recovery Management. (b) REs shall put in place a robust IT Governance Framework based on the aforementioned focus areas that inter alia:
(c) Enterprise-wide risk management policy or operational risk management policy shall also incorporate periodic assessment of IT-related risks (both inherent and potential risk). 5. Role of the Board of Directors (a) The strategies and policies related to IT, Information Assets, Business Continuity, Information Security, Cyber Security (including Incident Response and Recovery Management/ Cyber Crisis Management) shall be approved by the Board of Directors. (b) Such strategies and policies shall be reviewed at least annually by the Board. 6. IT Strategy Committee of the Board (a) REs shall establish a Board-level IT Strategy Committee (ITSC)8. (b) While constituting the ITSC, REs shall ensure:
(c) The ITSC shall meet at least on a quarterly basis. (d) The ITSC shall:
7. Senior Management and IT Steering Committee (a) The Senior Management of the RE shall, inter alia, ensure:
(b) REs shall establish an IT Steering Committee with representation at Senior Management level from IT and business functions. (c) The responsibilities of IT Steering Committee, inter alia, shall be to:
(d) The IT Steering Committee shall meet at least on a quarterly basis. (a) REs shall appoint a sufficiently senior level, technically competent and experienced official in IT related aspects as Head of IT Function12. (b) The Head of IT Function shall, inter alia, be responsible for the following:
(c) As a first line of defence, the Head of IT Function shall ensure effective assessment, evaluation and management of IT controls and IT risk, including the implementation of robust internal controls, to (i) secure the RE’s information assets (ii) comply with extant internal policies, regulatory and legal requirements on IT related aspects. Chapter III - IT Infrastructure & Services Management (a) REs shall put in place a robust IT Service Management Framework for supporting their information systems and infrastructure to ensure the operational resilience of their entire IT environment (including DR sites). (b) A Service Level Management (SLM) process shall be put in place to manage the IT operations while ensuring effective segregation of duties. (c) REs shall ensure identification and mapping of the security classification (in terms of Confidentiality, Integrity, and Availability) of information assets based on their criticality to the REs’ operations. (d) For seamless continuity of business operations, REs shall avoid using outdated and unsupported hardware or software and shall monitor software’s end-of-support (EOS) date and Annual Maintenance Contract (AMC) dates of IT hardware on an ongoing basis. (e) REs shall develop a technology refresh plan for the replacement of hardware and software in a timely manner before they reach EOS. Where third-party arrangements in the Information Technology/ Cyber Security ecosystem are not within the applicability of the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, REs shall, put in place appropriate vendor risk assessment process and controls proportionate to the assessed risk and materiality to, inter alia:
(a) REs shall ensure that information systems and infrastructure are able to support business functions and ensure availability of all service delivery channels. (b) On an annual or more frequent basis, REs shall proactively assess capacity requirement of IT resources. REs shall ensure that IT capacity planning across components, services, system resources, supporting infrastructure is consistent with past trends (peak usage), the current business requirements and projected future needs as per the IT strategy of the RE. (c) The assessment of IT capacity requirements and measures taken to address the issues shall be reviewed by the ITSC. (a) REs shall follow a consistent and formally defined project management approach for IT projects undertaken by them. The project management approach shall, inter alia, enable appropriate stakeholder participation for effective monitoring and management of project risks and progress. (b) While adopting new or emerging technologies, tools, or revamping their existing ones in the technology stack, REs shall follow a standard enterprise architecture planning methodology or framework. (c) Adoption of new or emerging technologies shall be commensurate with the risk appetite and align with overall Business/ IT strategy of the RE. It should facilitate optimal creation, use, or sharing of information by a business in a secure and resilient way. (d) REs shall maintain enterprise data dictionary to enable the sharing of data among applications and information systems and promote a common understanding of data. (e) REs shall ensure that maintenance and necessary support of software applications is provided by the software vendors and the same is enforced through formal agreement. (f) REs shall obtain the source codes for all critical applications from their vendors. Where obtaining of the source code is not possible, REs shall put in place a source code escrow arrangement or other arrangements to adequately mitigate the risk of default by the vendor. REs shall ensure that all product updates and programme fixes are included in the source code escrow arrangement. (g) REs shall obtain a certificate or a written confirmation from the application developer or vendor stating that the application is free of known vulnerabilities, malware, and any covert channels in the code. Such a certificate or a written confirmation shall also be obtained whenever material changes to the code, including upgrades, occur. (h) Any new IT application proposed to be introduced as a business product13 shall be subjected to product approval and quality assurance process. 13. Change and Patch Management REs shall put in place documented policy(ies) and procedures for change and patch management to ensure the following: (a)the business impact of implementing patches/ changes (or not implementing a particular patch/ change request) are assessed; (b)the patches/ changes are applied/ implemented and reviewed in a secure and timely manner with necessary approvals; (c) any changes to an application system or data are justified by genuine business needs and approvals supported by documentation and subjected to a robust change management process; and (d)mechanism is established to recover from failed changes/ patch deployment or unexpected results. REs shall have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency. The policy shall, inter alia, contain provisions pertaining to signoffs from business users and application owners at each stage of migration, maintenance of audit trails, etc. (a)Every IT application which can access or affect critical or sensitive information, shall have necessary audit and system logging capability and should provide audit trails. (b)The audit trails shall satisfy a RE’s business requirements apart from regulatory and legal requirements. The audit trails must be detailed enough to facilitate the conduct of audit, serve as forensic evidence when required and assist in dispute resolution, including for non-repudiation purposes. (c)REs shall put in place a system for regularly monitoring the audit trails and system logs to detect any unauthorised activity. The key length, algorithms, cipher suites and applicable protocols used in transmission channels, processing of data and authentication purpose shall be strong. REs shall adopt internationally accepted and published standards that are not deprecated/ demonstrated to be insecure/ vulnerable and the configurations involved in implementing such controls shall be compliant with extant laws and regulatory instructions. 17. Straight Through Processing (a)In order to prevent unauthorised modification of data, REs shall ensure that there is no manual intervention or manual modification in data while it is being transferred from one process to another or from one application to another, in respect of critical applications. (b)Data transfer mechanism between processes or applications must be properly tested, securely automated with necessary checks and balances, and properly integrated through “Straight Through Processing” methodology with appropriate authentication mechanism and audit trails. 18.Physical and Environmental Controls (a)REs shall implement suitable physical and environmental controls in Data Centre and Disaster Recovery14 sites used by them. (b)The DC and DR sites should be geographically well separated so that both the sites are not affected by a similar threat associated to their location. (c)REs shall ensure that their DC and DR sites are subjected to necessary e-surveillance mechanism. (a)Access to information assets shall be allowed only where a valid business need exists. REs shall have documented standards and procedures, which are approved by the ITSC and kept up to date for administering need-based access to an information system. (b)Personnel with elevated system access entitlements shall be closely supervised with all their systems activities logged and periodically reviewed. (c)REs shall adopt multi-factor authentication for privileged users of i) critical information systems and ii) for critical activities, basis the RE’s risk assessment. In the teleworking environment, REs, inter alia, shall: (a)Ensure that the systems used and the remote access from alternate work location to the environment hosting RE’s information assets are secure; (b)Implement multi-factor authentication for enterprise access (logical) to critical systems; (c)Put in place a mechanism to identify all remote-access devices attached/ connected to the RE’s systems; and (d)Ensure that data/ information shared/ presented in teleworking is secured appropriately. (a)REs shall define suitable metrics for system performance, recovery and business resumption, including Recovery Point Objective (RPO) and Recovery Time Objective (RTO), for all critical information systems. (b)For non-critical information systems, REs shall adopt a risk-based approach to define suitable metrics. (c)REs shall implement suitable scorecard/ metrics/ methodology to measure IT performance and IT maturity level. Chapter IV - IT and Information Security Risk Management 22.Periodic review of IT related risks The risk management policy of the RE shall include IT related risks, including the Cyber Security related risks, and the Risk Management Committee of the Board (RMCB) in consultation with the ITSC shall periodically review and update the same at least on a yearly basis. 23. IT and Information Security Risk Management Framework REs shall establish a robust IT and Information Security Risk Management Framework15 covering, inter alia, the following aspects: (a)Implementation of comprehensive Information Security management function, internal controls and processes (including applicable insurance covers) to mitigate/ manage identified risks. The implemented controls and processes must be reviewed periodically on their efficacy in a risk environment characterised by change; (b)Definition of roles and responsibilities of stakeholders (including third-party personnel) involved in IT risk management. Areas of possible role conflicts and accountability gaps must be specifically identified and eliminated or managed; (c)Identification of critical information systems of the organisation and fortification of the security environment of such systems; and (d)Definition and implementation of necessary systems, procedures and controls to ensure secure storage/ transmission/ processing of data/ information. 24. Information Security Policy and Cyber Security Policy (a)The Information Security Policy shall take into consideration, inter alia, aspects such as the objectives, scope, ownership and responsibility for the Policy; information security organisational structure; exceptions; compliance review and penal measures for non-compliance of Policies. REs shall also put in place a Cyber Security Policy and Cyber Crisis Management Plan (CCMP). (b)An Information Security Committee (ISC), under the oversight of the ITSC, shall be formed for managing cyber/ information security. The constitution of the ISC, with Chief Information Security Officer (CISO) and other representatives from business and IT functions, etc., shall be decided by the ITSC. The head of the ISC shall be from risk management vertical. Major responsibilities of the ISC, inter alia, shall include:
(c)A senior level executive (preferably in the rank of a General Manager or an equivalent position) shall be designated as the Chief Information Security Officer (CISO). The CISO shall not have any direct reporting relationship with the Head of IT Function and shall not be given any business targets. REs shall ensure the following:
(d)REs shall ensure that the roles and responsibilities of the CISO are clearly defined and documented covering, at a minimum, the following points:
(a)The risk assessment for each information asset within the RE’s scope shall be guided by appropriate security standards/ IT control frameworks. (b)REs shall ensure that all staff members and service providers comply with the extant information security and acceptable-use policies as applicable to them. (c)REs shall review their security infrastructure and security policies at least annually, factoring in their own experiences and emerging threats and risks. REs shall take steps to adequately tackle cyber-attacks including phishing, spoofing attacks and mitigate their adverse effects. 26. Conduct of Vulnerability Assessment (VA) / Penetration Testing (PT) (a)For critical information systems and/ or those in the De-Militarized Zone (DMZ) having customer interface, VA shall be conducted at least once in every six months and PT at least once in 12 months. Also, REs shall conduct VA/ PT of such information systems throughout their lifecycle (pre-implementation, post implementation, after major changes, etc.). (b)For non-critical information systems, a risk-based approach shall be adopted to decide the requirement and periodicity of conduct of VA/ PT. (c)VA/ PT shall be conducted by appropriately trained and independent information security experts/ auditors. (d)In the post implementation (of IT project/ system upgrade, etc.) scenario, the VA/ PT shall be performed on the production environment. Under unavoidable circumstances, if the PT is conducted in test environment, REs shall ensure that the version and configuration of the test environment resembles the production environment. Any deviation should be documented and approved by the ISC. (e)REs shall ensure to fix the identified vulnerabilities and associated risks in a time-bound manner by undertaking requisite corrective measures and ensure that the compliance is sustained to avoid recurrence of known vulnerabilities such as those available in Common Vulnerabilities and Exposures (CVE) database. (f)REs shall put in place a documented approach for conduct of VA/ PT covering the scope, coverage, vulnerability scoring mechanism (e.g., Common Vulnerability Scoring System) and all other aspects. This may also apply to the RE’s information systems hosted in a cloud environment. 27. Cyber Incident Response and Recovery Management16 (a)The cyber incident response and recovery management policy shall address the classification and assessment of incidents; include a clear communication strategy and plan to manage such incidents, contain exposures and achieve timely recovery. (b)REs shall analyse cyber incidents (including through forensic analysis, if necessary) for their severity, impact and root cause. REs shall take measures, corrective and preventive, to mitigate the adverse impact of incidents on business operations. (c)REs shall have written incident response and recovery procedures including identification of key roles of staff/ outsourced staff handling such incidents. (d)REs shall have clear communication plans for escalation and reporting the incidents to the Board and Senior Management as well as to customers, as required. REs shall pro-actively notify CERT-In and RBI17 regarding incidents, as per regulatory requirements. REs are also encouraged to report the incidents to Indian Banks – Centre for Analysis of Risks and Threats (IB-CART) set up by IDRBT. (e)REs shall establish processes to improve incident response and recovery activities and capabilities through lessons learnt from past incidents as well as from the conduct of tests and drills. REs, inter alia, shall ensure effectiveness of crisis communication plan/ process by conduct of periodic drills/ testing with stakeholders (including service providers). Chapter V - Business Continuity and Disaster Recovery Management 28. Business Continuity Plan (BCP) and Disaster Recovery (DR) Policy (a) The BCP and DR policy shall adopt best practices18 to guide its actions in reducing the likelihood or impact of the disruptive incidents and maintaining business continuity. The policy shall be updated based on major developments/ risk assessment. (b) RE’s BCP/ DR capabilities shall be designed to effectively support its resilience objectives and enable it to rapidly recover and securely resume its critical operations (including security controls) post cyber-attacks/ other incidents. 29. Disaster Recovery Management (a)Periodicity of DR drills for critical information systems shall be at least on a half-yearly basis and for other information systems, as per RE’s risk assessment. (b)Any major issues observed during the DR drill shall be resolved and tested again to ensure successful conduct of drill before the next cycle. (c)The DR testing shall involve switching over to the DR / alternate site and thus using it as the primary site for sufficiently long period where usual business operations of at least a full working day (including Beginning of Day to End of Day operations) are covered. (d)REs shall regularly test the BCP / DR under different scenarios for possible types of contingencies, to ensure that it is up-to-date and effective. (e)REs shall backup data and periodically restore such backed-up data to check its usability. The integrity of such backup data shall be preserved along with securing it from unauthorised access. (f)REs shall ensure that DR architecture and procedures are robust, meeting the defined RTO and RPO for any recovery operations in case of contingency. (g)REs should prioritise achieving minimal RTO (as approved by the RE’s ITSC) and a near zero RPO for critical information systems. (h)In a scenario of non-zero RPO, REs shall have a documented methodology for reconciliation of data while resuming operations from the alternate location. (i)REs shall ensure that the configurations of information systems and deployed security patches at the DC and DR19 are identical. (j)REs shall ensure BCP and DR capabilities in critical interconnected systems and networks including those of vendors and partners. REs shall ensure demonstrated readiness through collaborative and co-ordinated resilience testing that meets the REs’ RTO. Chapter VI - Information Systems (IS) Audit 30. Information Systems (IS) Audit (a)The Audit Committee of the Board (ACB) shall be responsible for exercising oversight of IS Audit of the RE. (b)REs shall put in place an IS Audit Policy. The IS Audit Policy shall contain a clear description of its mandate, purpose, authority, audit universe, periodicity of audit etc. The policy shall be approved by the ACB and reviewed at least annually. (c)The ACB shall review critical issues highlighted related to IT / information security / cyber security and provide appropriate direction and guidance to the RE’s Management. (d)REs shall have a separate IS Audit function or resources who possess required professional skills and competence within the Internal Audit function. Where the RE uses external resources for conducting IS audit in areas where skills are lacking within the RE, the responsibility and accountability for such external IS audits would continue to remain with the competent authority within Internal Audit function. (e)REs shall carry out IS Audit planning by adopting a risk-based audit approach. (f)REs may consider, wherever possible, a continuous auditing approach for critical systems, performing control and risk assessments on a more frequent basis. Chapter VII – Repeal and Other Provisions With the issue of these Directions, the instructions/ guidelines contained in the circulars issued by the Reserve Bank of India listed in Annex shall stand repealed from the dates mentioned in the said Annex. All the instructions/ guidelines given in the circulars referred above shall be deemed as given under these Directions. Any reference in other circulars/ guidelines/ notifications issued by the Reserve Bank containing reference to the said repealed circulars, shall mean the reference to these Directions, namely, the Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023, after the date of repeal. Notwithstanding such repeal, any action taken, purported to have been taken or initiated under the circulars hereby repealed shall continue to be governed by the provisions of the said circulars/ guidelines/ notifications. 31. Application of other laws not barred The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations or directions, for the time being in force. For the purpose of giving effect to the provisions of these Directions or in order to remove any difficulties in the application or interpretation of the provisions of these Directions, the Reserve Bank of India may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by the Reserve Bank of India shall be final and binding. The following circulars are consolidated20, while issuing these Directions: (i) DBS.CO.OSMOS.BC.8/33.01.022/2002-2003 dated December 19, 2002 on Standardised Checklists for Conducting Computer Audit - Report of the Committee on Computer Audit (ii) DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011 on Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds- Implementation of recommendations. With the coming into effect of these Directions, the instructions/ guidelines contained in the following circulars issued by the Reserve Bank stand repealed. These circulars will continue to remain in force till March 31, 2024.
1 Includes banks incorporated outside India licensed to operate in India (‘Foreign Banks’), Small Finance Banks (SFBs), Payments Banks (PBs) 2 Source – FSB Cyber Lexicon (updated in April 2023) unless explicitly mentioned otherwise. 3 Cyber incident definition is adapted from FSB Cyber Lexicon (updated in April 2023). By the definition, it includes cyber security as well as IT incident. 4 Source - NIST SP 800-82 Rev. 2 5 Information Asset definition is adapted from “Guidance on cyber resilience for financial market infrastructures” June 2016 publication of Bank for International Settlements and International Organization of Securities Commissions 7 Source - adapted from ISO/IEC 24775-2:2021 8 Foreign banks operating in India through branch mode need not constitute any Committees (Board or Executive level) referred in this Master Direction at the branch level. They may leverage upon controlling office/ head office/ regional/ zonal Committees for compliance with this Master Direction as long as governance obligations / responsibilities outlined for the prescribed committees are met. 9 “Substantial IT expertise” means the person has a minimum of seven years of experience in managing information systems and/or leading/ guiding technology/ cybersecurity initiatives/ projects. Such a member should also understand the business processes at a broader level and the impact of IT on such processes. 10 Technically competent herein will mean the ability to understand and evaluate information systems and associated IT/ cyber risks. 11 The reference to Business Continuity/ Disaster Recovery Management in this Master Direction is limited to operational resilience focussing on People, Processes and Systems associated with the IT, IS, information/ cyber security controls and operations. 12 By whatever name called viz. Chief Technology Officer or Chief Information Officer, etc. 13 IT Applications that enable functioning of a business process whether offered as a product to the customers (including potential customers), third parties (or) internal employees could be broadly referred as business product. 14 DC refers to primary data centre for a given application/ system and DR its Disaster Recovery site/ alternate site. 15 REs may have flexibility to define Information / Cyber security risk management framework distinct from IT risk management framework. 16 The term ‘incident’ implies ‘cyber incident’ in this Master Direction 17 In respect of Housing Finance Companies, cyber incidents shall continue to be reported to NHB and not RBI. 18 For example, refer to ISO 22301 19 DC refers to primary data centre for a given application/ system and DR its Disaster Recovery site/ alternate site. 20 For compliance purpose, it is sufficient to adhere to this Master Direction by the REs in lieu of the circulars and the reports referred therein. |