The RBI has come out with a comprehensive guideline related to information technology (IT) governance and controls for banks and NBFCs.
The key focus areas of IT governance will include strategic alignment, risk management, resource management, performance management and business continuity/ disaster recovery management.
In this regard, the RBI has issued the final Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023, which will come into force from April 1, 2024,
“REs (regulated entities) shall put in place a robust IT Service Management Framework for supporting their information systems and infrastructure to ensure the operational resilience of their entire IT environment,” the latest directions said.
REs, it further said, should have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency.
“The policy shall, inter alia, contain provisions pertaining to signoffs from business users and application owners at each stage of migration, maintenance of audit trails, etc,” the RBI said.
It also said that every IT application which can access or affect critical or sensitive information, should have necessary audit and system logging capability and should provide audit trails.
.thumbnailWrapper
width:6.62rem !important;
.alsoReadTitleImage
min-width: 81px !important;
min-height: 81px !important;
.alsoReadMainTitleText
font-size: 14px !important;
line-height: 20px !important;
.alsoReadHeadText
font-size: 24px !important;
line-height: 20px !important;
On cryptographic controls, it said the key length, algorithms, cipher suites, and applicable protocols used in transmission channels, processing of data, and authentication purposes should be strong.
Also, in order to prevent unauthorised modification of data, REs should ensure there is no manual intervention or manual modification in data while it is being transferred from one process to another or from one application to another, in respect of critical applications.
According to the directions, the risk management policy of the RE should include IT-related risks, including cybersecurity-related risks, and the risk management committee of the board (RMCB) should periodically review and update the same at least on a yearly basis.
The central bank further said REs should analyse cyber incidents for their severity, impact and root cause. They should take measures, corrective and preventive, to mitigate the adverse impact of incidents on business operations, it added.
Edited by Megha Reddy