RBI's Guidelines: An OverviewSummary of the Main Topics Addressed by the New Guidance The Reserve Bank of India issued new guidance in April 2011 for banks to mitigate the risks of use of information technology in banking operations. RBI guidelines are result of the Working Group's recommendations on information security, electronic banking, technology risk management and cyber fraud. The Working Group was formed under the chairmanship of G. Gopalakrishna, the executive director of RBI in April 2010.
The guidance is largely driven by the need for mitigating cyber threats emerging from increasing adoption of IT by commercial banks in India.
Recommendations are made in nine broad areas, including-
- IT Governance: emphasizes the IT risk management accountability on a bank's board of directors and executive management. Focus includes creating an organizational structure and process to ensure that a bank's IT security sustains and extends business strategies and objectives.
- Information Security: maintaining a framework to guide the development of a comprehensive information security program, which includes forming a separate information security function to focus exclusively on information security and risk management, distinct from the activities of an information technology department. These guidelines specify that the chief information security officer needs to report directly to the head of risk management and should not have a direct reporting relationship with the chief information officer.
- IT Operations: specialized organizational capabilities that provide value to customers, including IT service management, infrastructure management, application lifecycle management and IT operations risk framework.
- IT Services Outsourcing: places the ultimate responsibility for outsourcing operations and management of inherent risk in such relationships on the board and senior management. Focus includes effective selection of service provider, monitoring and control of outsourced activities and risk evaluation and management.
- Information Security Audit: the need for banks to re-assess IS audit processes and ensure that they provide an independent and objective view of the extent to which the risks are managed. This topic focuses on defining the roles and responsibilities of the IS audit stakeholders and planning and execution of the audit.
- Cyberfraud: defines the need for an industry wide framework on fraud governance with particular emphasis on tackling electronic channel based frauds. Focus includes creating an organizational structure for fraud risk management and a special committee for monitoring large value fraud.
- Business Continuity Planning: focuses on policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. Also, this topic emphasizes implementing a framework to minimize the operational, financial, legal, reputational and other material consequences arising from such a disaster.
- Customer Education: the need to implement consumer awareness framework and programs on a variety of fraud related issues.
- Legal Issues: defines the need to put effective processes in place to ensure that legal risks arising from cyber laws are identified and addressed at banks. It also focuses on board's consultation with legal department on steps to mitigate business risks within the bank.