Sunday, May 1, 2011

Implementation Of RBI Recommendation On Information Security

The forming of Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds by Reserve Bank of India (RBI) was a landmark step taken by RBI. Equally impressive was the imposition of penalty upon 19 commercial banks by RBI for non compliance of prescribed standards.

This shows that RBI is not tolerating the causal and non compliance attitude of commercial banks in India. It would be even better if RBI is equally concerned about non compliance of the recommendations regarding adoption of information security related policy and infrastructure.

For instance, the report of working group has recommended that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. Till now these recommendations have not been complied with. Further, Indian banks are also poor at formulating and implementing cyber security policies.

Now the RBI has issued a notification for the implementation of the recommendations of its working group. The group examined various issues arising out of the use of information and communication technology (ICT) in banks and made its recommendations in nine broad areas. These areas are IT Governance, Information Security, IS Audit, IT Operations, IT Services Outsourcing, Cyber Fraud, Business Continuity Planning, Customer Awareness programmes and Legal aspects.

The report was placed on the RBI website on January 21, 2011. Subsequently, on February 1, 2011, views/comments of all stake-holders and the public at large on the Report were invited. After taking into account various responses, final guidelines in the respective areas as mentioned above are now being issued to banks for implementation.

The guidelines are not “one-size-fits-all” and the implementation of these recommendations need to be risk based and commensurate with the nature and scope of activities engaged by banks and the technology environment prevalent in the bank and the support rendered by technology to the business processes. Banks with extensive leverage of technology to support business processes would be expected to implement all the stipulations outlined in the circular. For example, banks which do not offer transactional facilities in internet banking would not be required to implement specific measures for transactional internet banking facility outlined in the guidelines. Further, various instructions in “IT operations” chapter like detailed configuration management practices may not be necessary for banks that do not develop or maintain critical applications internally, though such practices may be expected from the external vendor providing such services.

The group had endeavored to generate self-contained and comprehensive guidelines. This has resulted in reiteration of certain guidelines already prescribed by RBI, for example, in certain areas relating to information security, outsourcing, BCP and IS Audit. However, there are certain guidelines like the checklist for computer audit prescribed in the year 2002 which on the whole cannot be ignored since the nature of coverage is different. In the event of a direct conflict with an earlier guideline, the new guideline would be the basis for implementation by banks. Else, the relevant guidelines prescribed earlier would be an adjunct to the present guidelines issued herewith. It would be the endeavor of RBI to develop the enclosed guidelines as a Master Circular incorporating relevant old and new circulars on related subject areas in due course. In the event of any further clarifications in the matter, banks may approach RBI for further guidance.

The Group’s report was largely technology neutral except in exceptional circumstances where a specific technology/methodology may be suggested due to legal reasons or for enhanced security or for illustrative purpose. It is clarified that except where legally required, banks may consider any other equivalent/better and robust technology/methodology based on new developments after carrying out a diligent evaluation exercise.

Banks may have already implemented or implementing some or many of the requirements indicated in the circular. In order to provide focused project oriented approach towards implementation of guidelines, banks would be required to conduct a formal gap analysis between their current status and stipulations as laid out in the circular and put in place a time-bound action plan to address the gap and comply with the guidelines. However, banks need to ensure implementation of basic organizational framework and put in place policies and procedures which do not require extensive budgetary support, infrastructural or technology changes, by October 31, 2011. The rest of the guidelines need to be implemented within period of one year unless a longer time-frame is indicated in the circular. There are also a few provisions which are recommendatory in nature, implementations of which are left to the discretion of banks.

Given the fact the guidelines are fundamentally expected to enhance safety, security, efficiency in banking processes leading to benefits for banks and their customers, the progress in implementation of recommendations may be monitored by the top management on an ongoing basis and a review of the implementation status may be put up to the Board at quarterly intervals. Banks may also incorporate in their Annual Report from 2011-12 onwards broadly the measures taken in respect of various subject areas indicated in these guidelines.

The measures suggested for implementation cannot be static. Banks need to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns. Reserve Bank of India would review the progress in implementation of the guidelines in its Quarterly Discussions with banks and would examine comprehensively the efficacy of implementation of the guidelines commensurate with nature and scope of operations of individual banks from the next AFI cycle (for the period 2011-12) onwards.