RBI Guidelines for Cyber Security Framework

The Reserve Bank of India issued guidelines on Cyber Security Framework back on June 2, 2016 to ensure cyber security preparedness, where it highlighted the need for banks to have a robust cyber security/resilience framework system in place.

To ensure adequate cyber security preparedness among progressively adopting financial institutions in India, the central bank has made it mandatory to all listed banks (private, foreign and nationalized banks), who fall under RBI’s jurisdiction (and private and private sector cooperative banks registered with RBI), to devise distinct cyber-security policies that adhere to their IT (Information Technology) or IS (Information Security) security policies.

The cybersecurity guidelines issued by the RBI reminds us of the need for cyber security to protect consumers personal data and ensure that systems are secure enough to detect, prevent and respond to cyber attacks.

Cyber defense of the banking infrastructure

With the release of the RBI guidelines for cybersecurity, it seems clear that financial institutions in India are being targeted to a much greater degree than when compared to similar institutions in other countries. The fact that these guidelines have been released reaffirms our feelings that there is a far greater need for training and practice when it comes to this sort of thing.

The RBI Guidelines that have been put into place regarding a Cyber Security framework ensures that banks will be better equipped to face any attacks on their online properties by being able to have a formalized and adopted cyber crisis plan.

Including Cyber Crisis and incident response management plans into their existing structure, banking in India would be bolstered in maintaining their reputation through effective handling of crises and growing cyber attacks in Indian financial institutions. 


Need for a Board approved Cyber-security Policy

RBI has a new requirement for banking CISOs in India. They must provide the RBI’s CSITE Cell in Mumbai with a cyber-security policy/report detailing what kinds of plans a business has to increase security to combat cyber threats, in particular areas of interest.

Management/Board Needs to aware of the bank’s threat quotient

Also, security honchos have been asked by the Reserve Bank of India to help them create awareness about how cyberattacks can affect certain institutions. Specifically, they are being requested to discuss the possible ramifications that could be set into motion if banks suffered from cyber-attacks.

3 tiered Structure of RBI  Cyber Security Guideline

3 Annexes of RBI Guidelines on Cyber Security framework: 

There are 3 key domains of the RBI Cyber security framework

Annex 1: Cyber Security and Resilience:

The Annex 1 of RBI Cyber Security Guidelines contains an indicative list of information security requirements and cyber security preparedness that must be followed to ensure that a bank is well protected against cyber-attacks.

  • Inventory Management of Business IT Assets
  • Preventing execution of  unauthorized software
  • Environmental Controls
  • Application Security Life Cycle
  • Data Leak prevention strategy
  • Vulnerability assessment and Penetration Test and Red Team Exercises
  • Incident Response &  Management
  • Risk based transaction  monitoring
  • User / Employee/  Management Awareness
  • Anti-Phishing 
  • Vendor Risk Management
  • Secure mail and messaging systems
  • Advanced Real-time Threat Defense and Management
  • Removable Media

Inventory Management of Business IT Assets

Banks need to keep their business application assets, which include both physical objects like computers and office equipment as well as intangible ones like their banking platform for example, up-to-date. 

This means that banks need to ensure that they have the correct infrastructure and business applications needed to run smoothly.

Preventing execution of  unauthorized software

Banks should understand that software needs to be properly registered in order to function. 

In this sense, financial institutions should keep track of a good inventory of authorized and unauthorized software and computer equipment

Environmental Controls

Banks must ensure that there are adequate computing security systems in place to protect the physical and environmental elements from attacks.

Network Management and Security

Enforce network policies to ensure the security of Urban Cooperative Bank’s LAN, WLAN and website. 

Make sure to log network activity daily. This rule applies to all team members at Urban Cooperative Bank who are responsible for developing or maintaining network hardware or software, including users conducting similar activities in their capacities as owners of the business (when equipment is privately owned).

Application Security Life Cycle

This is where the RBI Cyber security framework talks about adding Security to banking SDLC (Software Development Life Cycle). Setting up a continuous integration pipeline assesses the security of open source dependencies for cloud native banking applications.

RBI has suggested that software developers integrate secure coding principles into their approach when creating new applications for banking transactions. These new programs should also be tested to identify any security considerations before rollout to ensure they don’t turn out to be welcoming zero day attacks on applications.

Secure Configuration

Banks must make sure they document and implement a baseline of security standards for all devices like end-points/workstations, mobile devices, operating systems, databases, applications, network, security devices, and systems, etc.)

User Access Control/Management

RBI recommends Banks should be very selective about granting access to customer data, and any kind of sensitive information that could potentially be exploited for personal gain. 

The RBI has advised all banks in India to grant users with access rights on a need-to-know basis and for a specified period of time when it is necessary instead of granting administrative user rights.

Data Leak prevention strategy

Banks have been given a new prescription from RBI prescribing them a strategy to protect their customer data from potentially falling into the wrong hands. 

The RBI recommends that banks practice prevention strategies tailored to the various stages of data processing (i.e. transmission, storage, and interpretation) in order to make sure customer information is kept confidential at all times.

In order for them to be safer moving forward, they will need to consider all aspects of this plan including the customer’s data in motion, data at rest and data processed on server-side or client-side devices – so what is being interpreted here by the source is often lost when it’s “translated” to a different language.

Maintenance, Monitoring, and Analysis of Audit Logs

RBI Cybersecurity framework recommends that banks should maintain access logs to manage and analyze. Such log files should contain the IP address of the administrators who accessed information, along with the time and date of access. The logs should also include data relevant to the attempt to intrude into the network or system of banks. This way, any unusual activity on a financial institution network can be responded accordingly, understand what transpired (especially if an attack was unsuccessful), and even recover from cyber-attacks if necessary.

Vulnerability assessment and Penetration Test and Red Team Exercises

In order to protect the systems, applications and network from potential security breaks, banks must perform penetration testing/security testing on their systems, applications and network etc. assets on a regular basis.

It helps banks identify any vulnerabilities of an application with the intent to fix them before it can cause harm.

Annex 2: Setting up of Cyber Security Operation Centre (C-SOC)

The Annex 2 of RBI Cyber Security Guidelines suggests setting up a centralised and integrated security operations centre (SOC) for proactive monitoring and detection of cyber events as well as raising alarms, patch management and so on.

This Centre must have the power to detect threats and take corrective action, ensuring continuous surveillance and up-to-date information on cyber threats, using sophisticated tools like IDS, IPS, firewall etc. for detection and quick response.

Annex 3. Cyber Security Incident Reporting (CSIR) 

Scroll to Top