TABLE OF CONTENTS
INTENDED AUDIENCE
EXECUTIVE SUMMARY
INTRODUCTION
CHAPTER 1: IT GOVERNANCE
  Introduction
  Roles and Responsibilities and Organizational Framework
  Focus Areas for IT Governance
  Policies and Procedures
CHAPTER 2: INFORMATION SECURITY
  Introduction
  Roles & Responsibilities and Organization Framework
  Critical Components of Information Security
CHAPTER 3: IT OPERATIONS
  Introduction
  Roles & Responsibilities and Organization Framework
  Components of IT Operations Framework
CHAPTER 4: IT SERVICES OUTSOURCING
  Introduction
  Roles & Responsibilities and Organization Structure
  Various Components/Aspects Relating to Outsourcing
CHAPTER 5: IS AUDIT
  Roles & Responsibilities and Organization Framework
  Critical Components and Processes
CHAPTER 6: CYBER FRAUD
  Introduction
  1. Roles/Responsibilities and Organizational Structure
INTENDED AUDIENCE
The RBI guidelines are useful for all banks and financial institutions that rely on IT operations and support to meet their business objectives. The guidelines need to be complied with and followed sincerely in order to maintain the trust of customers by assuring the security of the customer information held by these financial institutions.
The guidelines can also be used by advisory and auditing firms for consulting and audit purposes.
EXECUTIVE SUMMARY
In the Indian banking sector today, banks are rapidly adopting IT services for their operations. Automation of various processes has no doubt given many advantages to banking and financial institutions, but it has given rise to many risks as well.
Technology risks not only have a direct impact on a bank as operational risks but can also exacerbate other risks such as credit risk and market risk. Given the increasing reliance of customers on electronic delivery channels to conduct transactions, any security-related issue has the potential to undermine public confidence in the use of e-banking channels and lead to reputational risk for the banks. Inadequate technology implementation can also induce strategic risk, in that strategic decisions may be made on the basis of inaccurate data or information. Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal requirements arising out of the use of IT. These issues ultimately have the potential to impact the safety and soundness of a bank and in extreme cases may lead to a systemic crisis.
Keeping in view the changing threat landscape and the latest international standards, it was felt that there was a need to enhance the RBI guidelines relating to the governance of IT and information security measures, to tackle cyber fraud, and to enhance independent assurance about the effectiveness of IT controls. To consider these and related issues, RBI announced the creation of a Working Group on Information Security, Electronic Banking, Technology Risk Management and Tackling Cyber Fraud in April 2010. The Group was set up under the chairmanship of the Executive Director, Shri G. Gopalakrishna.
INTRODUCTION
Looking at the IT challenges and information security concerns of today, RBI introduced guidelines to enhance the governance of IT and institute robust information security measures in the Indian banking sector. The major reasons for introducing the guidelines for banks were the following:
- Information technology (IT) risk assessment and management needed to be made a part of the risk management framework of a bank.
- Internal audits/information system audits needed to independently provide assurance that IT-related processes and controls were working as intended.
- Given the recent instances of cyber fraud in banks, it was necessary to improve controls and examine the need for proactive fraud risk assessment and management processes in commercial banks.
- With the increase in transactions in electronic mode, it was also critical to examine the legal implications for banks arising out of cyber laws and the steps required to suitably mitigate the legal risks.
Taking into account the issues mentioned above, the Working Group on Information Security, Electronic Banking, Technology Risk Management and Tackling Cyber Fraud was created.
This working group was formed with the following vision:
- Undertake a comprehensive assessment of extant IT and e-banking related guidelines vis-à-vis international guidelines/best practices and suggest suitable recommendations.
- Suggest recommendations with respect to information security in order to comprehensively provide a broad framework to mitigate present internal and external threats to banks.
- Provide recommendations for effective and comprehensive Information Systems Audit related processes to provide assurance on the level of IT risks in banks.
- Suggest scope for enhancement of measures against cyber fraud through preventive and detective mechanisms as part of the fraud risk management framework in banks.
- Identify measures to improve business continuity and disaster recovery related processes in banks.
- Assess the impact of legal risks arising out of cyber laws, the need for any specific legislation relating to data protection and privacy, and whether there is an Indian equivalent of the Electronic Fund Transfer Act in the US.
- Consider scope to enhance customer education measures relating to cyber fraud.
The working group decided to address the IT issues arising out of the use of IT across multiple dimensions and to provide recommendations in these areas. These dimensions and the recommendations provided were elaborated in the following 9 chapters of the guideline:
Chapter 5 – IS Audit
The report is divided into chapters, and each chapter contains an introduction, the associated roles and responsibilities, and the control recommendations that the RBI requires banks to implement. The recommendations are not "one-size-fits-all": their implementation needs to be based on the nature and scope of the activities engaged in by the bank, the technology environment prevalent in the bank, and the support rendered by technology to the business processes.
CHAPTER 1: IT GOVERNANCE
Introduction
IT Governance is an integral part of corporate governance and involves leadership support, organizational structure and processes to ensure that a bank's IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.
(c) Detailed operational procedures may be formulated in relevant areas, including data center operations.
(d) A bank needs to follow a structured approach to the long-range planning process, considering factors such as the organizational model and changes to it, geographical distribution, technological evolution, costs, legal and regulatory requirements, requirements of third parties or the market, planning horizon, business process re-engineering, staffing, in- or outsourcing, etc.
(e) There needs to be an annual review of IT strategy and policies, taking into account changes to the organization's business plans and IT environment.
(i) There is also a need to maintain an "enterprise data dictionary" that incorporates the organization's data syntax rules.
(j) Banks need to establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g. public, confidential, or top secret) of enterprise data.
(k) There is a need for a CIO in the bank. The CIO has to be a key business player and a part of the executive decision-making function. The CIO's key role would be to own the IT function, enabling business and technology alignment.
(l) The bank-wide risk management policy or operational risk management policy needs to incorporate IT-related risks as well. The Risk Management Committee periodically reviews and updates it (at least annually).
To achieve effective information security governance, bank management must establish and maintain a framework to
guide the development and maintenance of a comprehensive information security programme.
CHAPTER 3: IT OPERATIONS
Introduction
For banks in which information technology (IT) systems are used to manage information, IT Operations should support the processing and storage of information such that the required information is available in a timely, reliable, secure and resilient manner. The functions covered as part of IT Operations should be IT Service Management, Infrastructure Management, Application Lifecycle Management, and the IT Operations Risk Framework.
The benefits of outsourcing include efficiencies in operations, an increased ability to acquire and support current technology and to tide over the risk of obsolescence, more time for management to focus on key management functions, shorter lead times in delivering services to customers, better quality of services, and stronger controls, among others.
NOTE: The RBI guidelines on outsourcing indicate activities which cannot be outsourced and must be carried out by the bank itself. These include internal audit, the compliance function, and decision-making functions such as KYC compliance, loan sanctioning, and managing the investment portfolio.
2. Risk Management in outsourcing arrangements: Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in light of known and expected changes, as part of the strategic planning or review process.
(i) Risk Evaluation and Measurement: Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in the light of known and expected changes, as part of the strategic planning or review processes.
(ii) Service Provider Selection: Management should identify the functions to be outsourced along with the necessary controls and solicit responses from prospective bidders via an RFP process. While negotiating or renewing an outsourcing arrangement, appropriate diligence should be performed to assess the capability of the technology service provider to comply with the obligations in the outsourcing agreement. Due diligence should involve an evaluation of all information about the service provider, including qualitative, quantitative, financial, operational and reputational factors.
(iii) Contracting: The terms and conditions governing the contract between the bank and the service provider should be carefully defined in written agreements and vetted by the bank's legal counsel on their legal effect and enforceability.
CHAPTER 5: IS AUDIT
The chapter covers the audit charter/policy as well as the various stages of an IS audit: planning, execution, reporting and follow-up, and quality review.
Organization Structure:
SNo. | Roles & Responsibilities | Responsibility description
2. Working group: To get the desired support for the programme, it is important to identify and involve key stakeholders in decision-making, planning, implementation and evaluation.
Key Recommendations:
- Banks need to follow a systematic process to develop an awareness programme through the stages of planning and design, execution and management, and evaluation and course correction.
- Awareness programmes should be customized for the specific audience, such as bank customers, employees, law enforcement personnel, fraud risk professionals, media partners, etc.
- Building consensus among decision makers and stakeholders for financial and administrative support is an important step in the programme. In this respect, both fixed and variable costs need to be identified.
- Since the target groups obtain information from a variety of sources, more than one communication channel could be used to engage them successfully.
- A research group should be formed to continually update the communications team with the latest trends and evolving modus operandi.
- The effects of various campaigns on specific target groups can be measured through qualitative (e.g. focus groups, interviews) and/or quantitative (e.g. questionnaires, omnibus surveys) research.
Key Recommendations:
- Legal risk and operational risk are the same. Most risks are sought to be covered by documentation, particularly where the law is silent. Legal risks need to be incorporated as part of operational risks, and the position needs to be periodically communicated to top management and the Board/Risk Management Committee of the Board.
- As the law on data protection and privacy in the Indian context is at an evolving stage, banks have to keep in view the specific provisions of the IT Act, 2000 (as amended in 2008), various judicial and quasi-judicial pronouncements, and related developments in the cyber laws of India as part of their legal risk mitigation measures.
- Banks are also required to keep abreast of the latest developments in the IT Act, 2000 and the rules, regulations, notifications and orders issued thereunder pertaining to bank transactions, and of emerging legal standards on digital signatures, electronic signatures, data protection, cheque truncation, electronic fund transfer, etc., as part of the overall operational risk management process.
REFERENCES:
RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Report and Recommendations).