RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH
CONTEXT

RBI has provided guidelines on cyber security in its Cyber Security Framework circular DBS.CO/CSITE/BC.11/33.01.001/2015-16, dated June 2, 2016, which highlighted the urgent need for robust cyber security to be in place in the BFSI sector and monitored on a continuous basis. The requirement to share information on cyber security incidents with RBI will also help structure proactive threat identification and mitigation.

CYBER SECURITY POLICY DISTINCT FROM IT SECURITY POLICY

To address the need for the entire bank to contribute to a cyber-safe environment, the Cyber Security Policy should be distinct and separate from the broader IT policy / IS Security policy, so that it can highlight the risks from cyber threats and the measures to address or mitigate these risks.

The size, systems, technological complexity, digital products, stakeholders and threat perception vary from bank to bank. It is therefore important to identify the inherent risks and the controls in place in order to adopt an appropriate cyber security framework. While identifying and assessing the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organizational culture, and internal and external threats.

STRUCTURE OF RBI CYBER SECURITY

1. Baseline Cyber Security and Resilience Requirements
2. Cyber Security Operation Center (C-SOC)
3. Cyber Security Incident Reporting

RBI has listed 24 requirements which should be put in place by banks to achieve baseline cyber security and resilience requirements. They are mentioned below:

9/1/2017 RBI Guidelines on Cyber Security and Raksha Approach
BASELINE CYBER SECURITY AND RESILIENCE REQUIREMENTS

- Inventory of Business IT Assets
- Preventing execution of unauthorized software
- Environmental Controls
- Network and Security
- Secure Configuration
- Application Security Life Cycle (ASLC)
- Patch/Vulnerability & Change
- User Access Control / Authentication Framework for Customers
- Secure mail and messaging system
- Vendor Risk
- Removable Media
- Advanced Real-time Threat Defense and Anti-Phishing
- Data Leak prevention strategy
- Maintenance, Monitoring, and Analysis of Audit Logs
- Audit Log settings
- Vulnerability assessment and Penetration Test and Red Team Exercises
- Customer Education and Awareness
- Incident Response & Risk based transaction monitoring
- Metrics
- Forensics
- User / Employee / Awareness

CYBER SECURITY OPERATION CENTER (C-SOC)

As per the framework, banks should set up and operationalize a C-SOC, because threats are changing rapidly and a reactive methodology, which can deal with known threats, will not work here. Banks should therefore adopt a proactive methodology to deal with unknown threats.

CYBER SECURITY INCIDENT REPORTING

Banks are hesitant to share cyber-incidents faced by them. However, the experience gained globally indicates that collaboration among entities in sharing cyber-incidents and best practices would facilitate timely measures in containing cyber-risks. It is reiterated that banks need to report all unusual cybersecurity incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank.

Banks are also encouraged to actively participate in the activities of their CISOs Forum coordinated by IDRBT and to promptly report incidents to the Indian Banks Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Such collaborative efforts will help banks obtain collective threat intelligence and timely alerts, and adopt proactive cyber security measures.
HOW CAN RAKSHA HELP?

Learning from 17 years of cyber security experience

Though banks acknowledge the magnitude of the problem that cyber risks pose, this imperative is not always adequately recognized or accounted for across the enterprise. A deeper analysis of the successes and failures of cyber security programs shows that banks need to develop a more comprehensive approach to cyber risk management, as also suggested by RBI in their guidelines for the Cyber Security Framework.

We help organizations understand the current threat landscape and develop strategies to manage cyber risks in line with business risk priorities. Our framework is built on our 17+ years of experience in industry-leading practices, insights from cyber incidents, and awareness of regulatory standards.

We help organizations using a 3-rule strategy of Protect, Monitor, Recover.