THE RBI GUIDELINES
A Brief Summary of the RBI Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds

Contact us to know more about how our consultants can help your organization address these guidelines:
Network Intelligence India Pvt. Ltd.
Email: [email protected]
Web: www.niiconsulting.com

2012 Network Intelligence India Pvt. Ltd.

TABLE OF CONTENTS

INTENDED AUDIENCE
EXECUTIVE SUMMARY
INTRODUCTION
CHAPTER 1: IT GOVERNANCE
  Introduction
  Roles and Responsibilities and Organizational Framework
  Focus Areas for IT Governance
  Policies and Procedures
CHAPTER 2: INFORMATION SECURITY
  Introduction
  Roles & Responsibilities and Organization Framework
  Critical Components of Information Security
CHAPTER 3: IT OPERATIONS
  Introduction
  Roles & Responsibilities and Organization Framework
  Components of IT Operations Framework
CHAPTER 4: IT SERVICES OUTSOURCING
  Introduction
  Roles & Responsibilities and Organization Structure
  Various Components/Aspects Relating to Outsourcing
CHAPTER 5: IS AUDIT
  Roles & Responsibilities and Organization Framework
  Critical Components and Processes
CHAPTER 6: CYBER FRAUD
  Introduction
  Roles/Responsibilities and Organizational Structure
  Components of Fraud Risk Management
CHAPTER 7: BUSINESS CONTINUITY PLANNING
  Introduction
  Roles, Responsibilities and Organizational Structure
  Critical Components of Business Continuity Management Framework
CHAPTER 8: CUSTOMER EDUCATION
  Introduction
  Roles and Responsibility
  Organization Structure
  Key Recommendations
CHAPTER 9: LEGAL ISSUES
  Introduction
  Roles and Responsibilities and Organizational Structure
  Key Recommendations
REFERENCES

INTENDED AUDIENCE

The RBI guideline is useful for all banks and financial institutions that incorporate IT operations and support to meet their business objectives.
The guidelines need to be complied with and followed sincerely so as to maintain the trust of customers by assuring the security of their information residing with these financial institutions. The guidelines can also be used by advisory and auditing firms for consulting and audit purposes.

EXECUTIVE SUMMARY

In today's Indian scenario, the banking sector is rapidly utilizing IT services for its operations. Automation of various processes has no doubt given many advantages to these banking and financial institutions, but has given rise to many risks as well.

Technology risks not only have a direct impact on a bank as operational risks but can also exacerbate other risks like credit risks and market risks. Given the increasing reliance of customers on electronic delivery channels to conduct transactions, any security related issues have the potential to undermine public confidence in the use of e-banking channels and lead to reputation risks to the banks. Inadequate technology implementation can also induce strategic risk in terms of strategic decision making based on inaccurate data/information. Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal requirements arising out of the use of IT. These issues ultimately have the potential to impact the safety and soundness of a bank and in extreme cases may lead to a systemic crisis.

Keeping in view the changing threat milieu and the latest international standards, it was felt that there was a need to enhance the RBI guidelines relating to the governance of IT and the information security measures to tackle cyber fraud, apart from enhancing independent assurance about the effectiveness of IT controls. To consider these and related issues, RBI announced the creation of a Working Group on Information Security, Electronic Banking, Technology Risk Management and Tackling Cyber Fraud in April 2010. The Group was set up under the Chairmanship of the Executive Director, Shri G. Gopalakrishna.

INTRODUCTION

Looking at the IT challenges and information security concerns today, RBI introduced guidelines to enhance the governance of IT and institute robust information security measures in the Indian banking sector. The following were the major reasons for introducing the guidelines for banks:

- Information technology (IT) risk assessment and management was required to be made a part of the risk management framework of a bank.
- Internal audits/information system audits needed to independently provide assurance that IT-related processes and controls were working as intended.
- Given the recent instances of cyber fraud in banks, it was necessary to improve controls and examine the need for pro-active fraud risk assessment and management processes in commercial banks.
- With the increase in transactions in electronic mode, it was also critical to examine the legal implications for banks arising out of cyber laws and the steps that were required to be taken to suitably mitigate the legal risks.

Taking into account the above-mentioned issues, a Working Group on Information Security, Electronic Banking, Technology Risk Management and Tackling Cyber Fraud was created. This working group was formed with the following vision:

- To undertake a comprehensive assessment of extant IT and e-banking related guidelines vis-à-vis international guidelines/best practices and suggest suitable recommendations
- To suggest recommendations with respect to information security in order to comprehensively provide for a broad framework to mitigate present internal and external threats to banks
- To provide recommendations for effective and comprehensive Information Systems Audit related processes to provide assurance on the level of IT risks in banks
- To suggest scope for enhancement of measures against cyber fraud through preventive and detective mechanisms as part of the fraud risk management framework in banks
- To identify measures to improve business continuity and disaster recovery related processes in banks
- To assess the impact of legal risks arising out of cyber laws, the need for any specific legislation relating to data protection and privacy, and whether there is an Indian equivalent of the Electronic Fund Transfer Act in the US
- To consider scope to enhance customer education measures relating to cyber fraud

The working group decided to address IT issues across multiple dimensions arising out of the use of IT and provide recommendations in these areas. These dimensions and the recommendations provided are elaborated in the following 9 chapters of the guideline:
Chapter 1 - Information Technology Governance
Chapter 2 - Information Security
Chapter 3 - IT Operations
Chapter 4 - IT Services Outsourcing
Chapter 5 - IS Audit
Chapter 6 - Cyber Frauds
Chapter 7 - Business Continuity Planning
Chapter 8 - Customer Education
Chapter 9 - Legal Issues

The report is divided into these chapters, and each chapter contains an introduction, the associated roles and responsibilities, and the control recommendations that RBI requires banks to implement mandatorily. The recommendations are not one-size-fits-all: their implementation needs to be based on the nature and scope of the activities engaged in by the bank, the technology environment prevalent in the bank, and the support rendered by technology to the business processes.

CHAPTER 1: IT GOVERNANCE

Introduction

IT Governance is an integral part of corporate governance and involves leadership support, organizational structure and processes to ensure that a bank's IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.

Roles and Responsibilities and Organizational Framework

(i) Board of Directors / IT Strategy Committee: Approving IT strategy and policy documents, ensuring that the IT organizational structure complements the business model and its direction, etc.
(ii) Risk Management Committee: Promoting an enterprise risk management competence throughout the bank, including facilitating the development of IT-related enterprise risk management expertise.
(iii) Executive Management Level: Among executives, the responsibility of the senior executive in charge of IT operations / Chief Information Officer (CIO) is to ensure implementation from policy to operational level, involving IT strategy, value delivery, risk management, IT resource and performance management.
(iv) IT Steering Committee: Its role is to assist the Executive Management in implementing the IT strategy that has been approved by the Board. An IT Steering Committee needs to be created with representatives from the IT, HR, legal and business sectors.

Focus Areas for IT Governance:

Areas of IT Governance that need to be considered include strategic alignment, value delivery, risk management, resource management and performance management.

Policies and Procedures

(a) The bank needs to have IT-related strategy and policies.
(b) The IT strategy and policy need to be approved by the Board.
(c) Detailed operational procedures may be formulated in relevant areas, including for data center operations.
(d) A bank needs to follow a structured approach for the long-range planning process, considering factors such as the organizational model and changes to it, geographical distribution, technological evolution, costs, legal and regulatory requirements, requirements of third parties or the market, planning horizon, business process re-engineering, staffing, in- or outsourcing, etc.
(e) There needs to be an annual review of IT strategy and policies taking into account the changes to the organization's business plans and IT environment.
(h) Banks need to establish and maintain an enterprise architecture framework or enterprise information model to enable applications development and decision-supporting activities, consistent with the IT strategy.
(i) There is also a need to maintain an enterprise data dictionary that incorporates the organization's data syntax rules.
(j) Banks need to establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g. public, confidential, or top secret) of enterprise data.
(k) There is a need for a CIO in the bank. He has to be a key business player and a part of the executive decision-making function. His key role would be to be the owner of the IT functions, enabling business and technology alignment.
(l) The bank-wide risk management policy or operational risk management policy needs to incorporate IT-related risks also. The Risk Management Committee periodically reviews and updates the same (at least annually).

CHAPTER 2: INFORMATION SECURITY

Introduction

This section addresses the confidentiality, integrity and availability of information. It not only deals with information in various channels like spoken, written, printed, electronic or any other medium, but also with information handling in terms of creation, viewing, transportation, storage or destruction.

To achieve effective information security governance, bank management must establish and maintain a framework to guide the development and maintenance of a comprehensive information security programme. Information Security Governance deals with the following:

- Alignment of information security with business strategy to support organizational objectives
- Management and mitigation of risks and reduction of potential impacts on information resources to an acceptable level
- Management of the performance of information security by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
- Optimization of information security investments in support of organizational objectives

Roles & Responsibilities and Organization Framework:

(i) Board of Directors / Senior Management: The Board of Directors is ultimately responsible for information security. Senior Management is responsible for understanding the risks to the bank to ensure that they are adequately addressed from a governance perspective.
(ii) Information Security Team/Function: Banks should form a separate information security function/group to focus exclusively on information security management.
(iii) Information Security Committee: Includes business heads from different units and is responsible for enforcing company-wide policies and procedures.
(iv) Chief Information Security Officer (CISO): A sufficiently senior official of the rank of GM/DGM/AGM needs to be designated as the Chief Information Security Officer (CISO), responsible for articulating and enforcing the policies that a bank uses to protect its information assets. The CISO needs to report directly to the Head of the Risk Management function and should not have a direct reporting relationship with the CIO.

Critical components of information security

1. Policies and procedures: A Board-approved information security policy needs to be in place and reviewed at least annually.
2. Risk Assessment: The risk assessment must, for each asset within its scope, identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of that asset from a business, compliance and/or contractual perspective.
3. Inventory and information/data classification: Maintaining a detailed inventory of information assets and classifying information/data are among the key components of information security management.
4. Defining roles and responsibilities: Management can communicate general and specific security roles and responsibilities for all employees based on their job descriptions. Management should expect all employees, officers and contractors to comply with information security and/or acceptable-use policies and to protect the institution's assets, including information.
5. Access Control: Banks need to grant authorization for access to information assets only where a valid business need exists, and only for the definite time period for which the access is required.
6. Information security and information asset life-cycle: Information security needs to be considered at all stages of an information asset's (hardware, software) life-cycle, which typically includes planning and design; acquisition and implementation; maintenance and support; and disposal, so as to minimize exposure to vulnerabilities.
7. Personnel security: Banks should have a process in place to verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional background and credit checks.
8. Physical security: Banks should implement suitable physical and environmental controls, taking into consideration threats, and based on the entity's unique geographical location, building configuration, neighboring entities, etc.
9. User Training and Awareness: There is a vital need for initial and ongoing training/awareness programs on information security for employees and vendor personnel.
10. Incident management: A robust incident management process needs to be in place to maintain the capability to manage incidents within an enterprise, to enable containment of exposures and to achieve recovery within a specified time period.
11. Application Control and Security: There should be documented standards/procedures for administering an application system, which are approved by the application owner and kept up to date. Access to the application should be based on the principle of least privilege and need to know, commensurate with the job responsibilities.
12. Migration controls: There needs to be a documented Migration Policy indicating the requirement of a road-map/migration plan/methodology for data migration (which includes verification of the completeness, consistency and integrity of the migration activity, and pre- and post-migration activities along with responsibilities and timelines for their completion).
13. Implementation of new technologies: Banks need to carry out due diligence with regard to new technologies/systems since they can potentially introduce additional risk exposures.
14. Encryption: Banks should only select encryption algorithms which are well established international standards and which have been subjected to rigorous scrutiny by an international community of cryptographers, or approved by authoritative professional bodies, reputable security vendors or government agencies.
15. Data security: Data security measures need to be in place. Banks need to define and implement procedures to ensure the integrity and consistency of all critical data stored in electronic form, such as databases, data warehouses and data archives.
16. Vulnerability Assessment: Banks need to scan frequently for vulnerabilities and address discovered flaws proactively to reduce the likelihood of having their computer systems compromised.
17. Establishing on-going security monitoring processes: Banks need to have monitoring processes in place to identify suspicious events and unusual behavioral patterns that could impact the security of IT assets.
18. Security measures against Malware: A robust process needs to be in place for effective malware control. The controls are preventive and detective/corrective in nature.
19. Patch Management: A patch management process needs to be in place to address technical system and software vulnerabilities quickly and effectively, in order to reduce the likelihood of a serious business impact arising.
20. Change Management: The change management process should be documented, and include approving and testing changes to ensure that they do not compromise security controls, performing changes and signing them off to ensure they are made correctly and securely, and reviewing completed changes to ensure that no unauthorized changes have been made.
21. Audit Trails: Banks need to ensure that audit trails exist for IT assets, satisfying the bank's business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution.
22. Information Security reporting and metrics: Metrics are used to measure the performance and continuous improvement of the implementation of information security practices.
23. Information security and critical service providers/vendors: The relationship between the enterprise and a third-party provider should be documented in the form of an executed contract. The various details and requirements on the matter are covered under the chapter on IT outsourcing.
24. Network Security: Various network security measures should be incorporated.
25. Remote Access: Strong controls need to be put in place for any remote access facility.
26. Distributed Denial of Service attacks (DDoS/DoS): As part of the defense strategy, banks should install and configure network security devices for reasonable preventive/detective capability.
27. Implementation of ISO 27001 Information Security Management System: Commercial banks should implement ISO 27001 based Information Security Management System (ISMS) best practices for their critical functions.
28. Wireless Security: Enterprise security solutions for wireless should be incorporated.
29. Business Continuity Considerations: Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security postures that may need to be established.
30. Information security assurance: Information security assurance needs to be obtained through periodic penetration testing exercises, audits and vulnerability assessments.
31. General information regarding delivery channels: Provision of electronic banking channels like ATM/debit cards, internet banking and phone banking should be made only at the option of the customer, based on a specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions from the customer.
| 11 CHAPTER 3: IT OPERATIONS Introduction Forbanksinwhich informationtechnology (IT) systemsareused to manageinformation, IT Operationsshould support processingandstorageofinformation,suchthattherequiredinformationisavailableinatimely,reliable,secureand resilientmanner.FunctionscoveredasapartofITOperationsshouldbeITServiceManagement,Infrastructure Management, Application Lifecycle Management, and IT Operations Risk Framework Roles & Responsibilities and Organization Framework: SNo.Roles & ResponsibilitiesResponsibility Description (i)Service DeskResponsible for providing IT related services (ii)IT Operations ManagementIToperationsincludebusinessserviceswhichareavailabletotheinternalor externalcustomersoftheorganizationusingITasaservicedeliverycomponent for eg. Mobile Banking and Internet Banking (iii)Application ManagementIt involves handling andmanagement of application asit goesthrough the entire life-cycle. (iv)Infrastructure ManagementManagement of the entire infrastructure Components of IT operations framework SNo.ComponentDescription ARisk ManagementAspartofriskidentificationandassessment,banksshouldidentifyeventsor activities that could disrupt operations or negatively affect reputation or earnings and assess compliance to regulatory requirements. BIT Operations Processes (i)IT StrategyAwell-definedITstrategyframeworkwillassistIToperationsinsupportingIT services as required by the business and defined in SLAs. (ii)DesignThecomponentswhichshouldbeconsideredwhendesigninganewITserviceor making a change to the existing IT service include business processes, service level agreements, IT infrastructure, IT environment etc. 
(iii)TransitionThetransitionphaseprovidesframeworksandprocessesthatmaybeutilizedby banks to: Evaluate service capabilities and risk profile of new or changes service before it is released into production environmentEvaluateandmaintainintegrityofallidentifiedserviceassetsandconfiguration items required to support the service (iv)OperationThe various aspects that banks need to consider include event management, incident management, problem management and access management. THE RBI GUIDELINES2012 Network Intelligence India Pvt. Ltd. | 12 CHAPTER 4 IT SERVICES OUTSOURCING Introduction Outsourcing may be defined as a bank's use of a third party to perform activities on a continuing basis. The benefits of outsourcing include efficiencies in operations, increased ability to acquire and support current technology and tide over the risk of obsolescence, increased time availability for management to focus on key management functions, shorter lead time in delivering services to customers, better quality of services, and stronger controls among others. NOTE:RBIguidelines on outsourcing indicateactivities which cannot be outsourcedand needto becarried out bythe bank.TheseincludeInternalAudit,Compliancefunction,anddecisionmakingfunctionslikeKYCcompliance,loans sanctioning, and managing investment portfolio. Roles & Responsibilities and Organization Structure: The Board and senior management are ultimately responsible for outsourced operations and for managing risks inherent in suchoutsourcingrelationships.Responsibilitiesforduediligence,oversightandmanagementofoutsourcingand accountability for all outsourcing decisions continue to rest with the bank, Board and senior management. Various components/aspects relating to outsourcing SNo.ComponentDescription 1Material Outsourcing Banksneedtoassessthedegreeofmaterialityinherentintheoutsourcedfunctions. 
Outsourcing of non-financial processes, such as technology operations, is material and if disrupted, has the potential to significantly impact business operations, reputation andstability of a Bank. 2RiskManagementin outsourcing arrangements Riskevaluationshouldbeperformedpriortoenteringintoanoutsourcingagreement andreviewedperiodicallyinlightofknownandexpectedchanges,aspartofthe strategic planning or review process. (i)RiskEvaluationand Measurement Riskevaluationshouldbeperformedpriortoenteringintoanoutsourcingagreement andreviewedperiodicallyinthelightofknownandexpectedchanges,aspartofthe strategic planning or review processes. (ii)ServiceProvider Selection Managementshouldidentifyfunctionstobeoutsourcedalongwithnecessarycontrols andsolicit responsesfromprospectivebiddersviaanRFPprocess.Whilenegotiating/ renewinganoutsourcingarrangement,appropriatediligenceshouldbeperformedto assessthecapabilityofthetechnologyserviceprovidertocomplywithobligationsin theoutsourcingagreement.Duediligenceshouldinvolveanevaluationofall informationabouttheserviceproviderincludingqualitative,quantitative,financial, operational and reputational factors. (iii)ContractingThetermsandconditionsgoverningthecontractbetweenthebankandtheservice providershouldbecarefullydefinedinwrittenagreementsandvettedbythebank's legal counsel on their legal effect and enforceability. THE RBI GUIDELINES2012 Network Intelligence India Pvt. Ltd. | 13 (iv)Monitoringand Control of outsourced activities Banks should establish a structure for management and control of outsourcing, basedonthenature,scope,complexityandinherentriskoftheoutsourced activity. Banksshouldalsoperiodicallycommissionindependentauditandexpert assessmentsonthesecurityandcontrolenvironmentoftheserviceprovider. The evaluation can be done based on performance matrices. 
(V)Confidentialityand Security Banks should be proactive to identify and specify the minimum security baselines to be adhered to by the service providers to ensure confidentiality and security of data. (vi)Outsourcingto ForeignService providers Outsourcing outside India should be agreed, in a manner that does not obstruct or hinder theabilityofthebankorregulatoryauthoritiestoperformperiodicaudits/inspections and assessments, supervise or reconstruct activities of the bank based on books, records and necessary documentation, in a timely manner. (vii)Outsourcingwithina Group Duediligenceonanintra-groupserviceprovidermaytaketheformofevaluating qualitative aspects on the ability of the service provider to address risks specific to the institution,particularlythoserelatingtobusinesscontinuitymanagement,monitoring andcontrol,andauditandinspection, includingconfirmationontherightofaccessto beprovided to RBI to retain effectivesupervision over theinstitution, and compliance with local regulatory standards.(viii)Handlingcustomer grievancesand complaints Generally,atimelimitof 30daysmaybegiventothecustomersforforwardingtheir complaints/grievances.Thegrievanceredressalprocedureofthebankandthetime frame fixed for responding to the complaints should be placed on the bank's website. THE RBI GUIDELINES2012 Network Intelligence India Pvt. Ltd. | 14 CHAPTER 5: IS AUDIT The chapter includes audit charter/policy. Also it includes various stages like planning, execution, Reporting and Follow-up and quality review of an IS audit. Roles & Responsibilities and Organization Framework: S No.Roles & Responsibilities Responsibility description 1BoardofDirectorsandSenior Management Tomeettheresponsibilitytoprovideanindependentauditfunctionwith sufficientresourcestoensureadequateITcoverage,theboardofdirectorsor its audit committeeshould provide an internal audit function which is capable of evaluating IT controls adequately. 
2. Audit Committee of the Board: The Audit Committee should devote appropriate and sufficient time to IS audit findings identified during IS Audits, and members of the Audit Committee would need to review the critical issues highlighted and provide appropriate guidance to the bank's management.

3. Internal Audit / Information System Audit function: Banks should have a separate IS Audit function within the Internal Audit department, led by an IS Audit Head who assumes responsibility and accountability for the IS audit function and reports to the Chief Audit Executive (CAE) or Head of Internal Audit.

Critical Components and Processes

(i) IS Audit: Because IS Audit is an integral part of Internal Audit, IS auditors will also be required to be independent and competent, and to exercise due professional care.

(ii) Outsourcing relating to IS Audit: Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in light of known and expected changes, as part of the strategic planning or review process.

2. Audit Charter, Audit Policy to include IS Audit: An Audit Charter / Audit Policy is a document which guides and directs the activities of the Internal Audit function. IS Audit, being an integral part of the Internal Audit function, should also be governed by the same Audit Charter / Audit Policy. The document should be approved by the Board of Directors. The IS Audit policy/charter should be subjected to an annual review to ensure its continued relevance and effectiveness.

3. Planning an IS Audit: Banks need to carry out IS Audit planning using the Risk Based Audit Approach. The approach involves aspects like the IT risk assessment methodology, defining the IS Audit Universe, scoping and planning the audit, and execution and follow-up activities.

4. Executing IS Audit: During the audit, auditors should obtain evidence, perform test procedures, appropriately document findings, and conclude with a report.

6. Reporting and Follow up: This phase involves reporting audit findings to the CAE and Audit Committee.
Before reporting the findings, it is imperative that IS Auditors prepare an audit summary memorandum providing an overview of the entire audit process, from planning to audit findings.

7. Quality Review: This is to assess audit quality by reviewing documentation, ensuring appropriate supervision of IS Audit members and assessing whether IS Audit members have taken due care while performing their duties.

CHAPTER 6: CYBER FRAUD

Introduction

Fraud can be defined as "a deliberate act of omission or commission by any person, carried out in the course of a banking transaction or in the books of accounts maintained manually or under computer system in banks, resulting in wrongful gain to any person for a temporary period or otherwise, with or without any monetary loss to the bank."

1. Roles/Responsibilities and Organizational structure

(a) CEO, Audit Committee of the Board: Indian banks follow the RBI guideline of reporting all frauds above 1 crore to their respective Audit Committee of the Board.

(b) Special Committee of the Board for monitoring large value frauds: Banks are required to constitute a special committee for monitoring and follow-up of cases of frauds involving amounts of 1 crore and above exclusively, while the Audit Committee of the Board (ACB) may continue to monitor all the cases of frauds in general.

(c) Separate Department to manage frauds: The activities of fraud prevention, monitoring, investigation, reporting and awareness creation should be owned and carried out by an independent group in the bank.

(d) Fraud review councils: The council should comprise the head of the business, the head of the fraud risk management department, the head of operations supporting that particular business function and the head of information technology supporting that business function.
Components of fraud risk management:

(i) Fraud prevention practices: Various fraud prevention practices need to be followed by banks. These include fraud vulnerability assessments (for business functions and also delivery channels), review of new products and processes, putting in place fraud loss limits, root cause analysis for actual fraud cases above Rs. 10 lakhs, reviewing cases where a unique modus operandi is involved, ensuring adequate data/information security measures, following KYC and Know your employee/vendor procedures, ensuring adequate physical security, sharing of best practices of fraud prevention and creation of fraud awareness among staff and customers.

(ii) Fraud detection: Quick fraud detection capability would enable a bank to reduce losses and also serve as a deterrent to fraudsters. Various important requirements recommended in this regard include setting up a transaction monitoring group within the fraud risk management group, alert generation and redressal mechanisms, a dedicated e-mail id and phone number for reporting suspected frauds, mystery shopping and reviews.

(iii) Fraud investigation: The examination of a suspected fraud, an exceptional transaction or a customer dispute/alert in a bank shall be undertaken by the Fraud risk management group and the special committee.

(iv) Reporting of frauds: As per the guidelines on reporting of frauds indicated in the RBI circular dated July 1, 2010, fraud reports should be submitted in all cases of fraud of 1 lakh and above perpetrated through misrepresentation, breach of trust, manipulation of books of account, fraudulent encashment of instruments like cheques, drafts and bills of exchange, unauthorized handling of securities charged to the bank, misfeasance, embezzlement, misappropriation of funds, conversion of property, cheating, shortages, irregularities, etc.

(v) Customer awareness on frauds: Banks should thus aim at continuously educating their customers and soliciting their participation in various preventive/detective measures.
(vi) Employee awareness and training: Employee awareness is crucial to fraud prevention. Training on fraud prevention practices should be provided by the fraud risk management group at various forums.

CHAPTER 7: BUSINESS CONTINUITY PLANNING

Introduction

BCP forms a part of an organization's overall Business Continuity Management (BCM) plan, which is the preparedness of an organization, including the policies, standards and procedures, to ensure continuity, resumption and recovery of critical business processes at an agreed level and to limit the impact of a disaster on people, processes and infrastructure (including IT), or to minimize the operational, financial, legal, reputational and other material consequences arising from such a disaster.

1. Roles, Responsibilities and Organizational structure

(a) Board of Directors and Senior Management: Indian banks follow the RBI guideline of reporting all frauds above 1 crore to their respective Audit Committee of the Board.

1.1. BCP Head or Business Continuity Coordinator: A senior official needs to be designated as the Head of the BCP activity or function.

1.2. BCP Committee or Crisis Management Team: Present in each department to implement BCP department-wise.

1.3. BCP Teams: There need to be adequate teams for the various aspects of BCP at the central office, as well as at individual controlling offices or at branch level, as required.

Critical Components of Business Continuity Management Framework

2.1. BCP Methodology: Banks should consider various BCP methodologies and standards, like BS 25999, as inputs for their BCP framework.
2.3. Key Factors to be considered for BCP Design: The following factors should be considered while designing the BCP:
- Probability of unplanned events, including natural or man-made disasters, earthquakes, fire, hurricanes or bio-chemical disaster
- Security threats
- Increasing infrastructure and application interdependencies
- Regulatory and compliance requirements, which are growing increasingly complex
- Failure of key third party arrangements
- Globalization and the challenges of operating in multiple countries.

3. Testing a BCP: Banks must regularly test the BCP to ensure that it is up to date and effective. Testing of the BCP should include all aspects and constituents of a bank, i.e. people, processes and resources (including technology). Banks should consider holding unplanned BCP drills, and should involve their Internal Auditors (including IS Auditors) to audit the effectiveness of the BCP. Various other techniques shall be used for testing the effectiveness of the BCP.

4. Maintenance and Re-assessment of Plans: BCPs should be maintained by annual reviews and updates to ensure their continued effectiveness. Changes should follow the bank's formal change management process in place for its policy or procedure documents. A copy of the BCP, approved by the Board, should be forwarded for perusal to the RBI on an annual basis.

5. Procedural aspects of BCP: Banks should also consider the need to put in place the necessary backup sites for their critical payment systems which interact with the systems at the Data centres of the Reserve Bank.

6. Infrastructural aspects of BCP: Banks should consider paying special attention to the availability of basic amenities such as electricity, water and a first-aid box in all offices.

7. Human Aspect of BCP: Banks must consider training more than one individual staff member for specific critical jobs. They must consider cross-training employees for critical functions and documenting operating procedures.
8. Technology aspects of BCP: Applications and services in the banking system which are highly mission critical in nature, and therefore require high availability and fault tolerance, are to be considered while designing and implementing the solution.

CHAPTER 8: CUSTOMER EDUCATION

Introduction

Banks regularly run campaigns to raise consumer awareness on a variety of fraud related issues. However, to generate a standard understanding of the evolving fraud scenarios, a combined effort could proliferate the information to a larger customer base. It is also important to educate the other stakeholders, including bank employees, who can then act as resource persons for customer queries; law enforcement personnel, for a more understanding response to customer complaints; and the media, for dissemination of accurate and timely information.

Roles and Responsibility:

The Board of Directors / Senior Management need to be committed to the process of consumer education initiatives by providing adequate resources, evaluating the effectiveness of the process, and fine-tuning and improving customer education measures on an ongoing basis.

Organization Structure:

2. Working group: To get the desired support for the programme, it is important to identify and involve key stakeholders in decision-making, planning, implementation and evaluation.

Key Recommendations:

- Banks need to follow a systematic process to develop an awareness programme through the stages of planning and design, execution and management, and evaluation and course correction.
- Awareness programmes should be customized for the specific audience, like bank customers, employees, law enforcement personnel, fraud risk professionals, media partners, etc.
- Building consensus among decision makers and stakeholders for financial and administrative support is an important step in the programme. In this respect, both fixed and variable costs need to be identified.
- Since the target groups obtain information from a variety of sources, more than one communication channel could be used to engage them successfully.
- A research group should be formed to continually update the communications team with the latest trends and evolving modus operandi.
- Evaluation of the effects of various campaigns for specific target groups can be measured through qualitative (e.g. focus groups, interviews) and/or quantitative (e.g. questionnaires, omnibus surveys) research.
- At the industry level, each bank should have a documented policy, training mechanisms and research units. Material can be pooled from these units to be used on a larger platform towards a common goal.

CHAPTER 9: LEGAL ISSUES

Introduction

There are various laws and legal requirements with which banks are supposed to comply. It is critical that the impact of cyber laws like the IT Act 2008 is taken into consideration by banks to obviate any risk arising therefrom.

Roles and Responsibilities and Organizational Structure

(i) Board: The Risk Management Committee at the Board level needs to put in place the processes to ensure that legal risks arising from cyber laws are identified and addressed. It also needs to ensure that the concerned functions are adequately staffed and that the human resources are trained to carry out the relevant tasks in this regard.

(ii) Operational Risk Group: This group needs to incorporate legal risks as part of the operational risk framework and take steps to mitigate the risks involved, in consultation with the legal functions within the bank.

(iii) Legal Department: The legal function within the bank needs to advise the business groups on the legal issues arising out of the use of Information Technology, with respect to the legal risk identified and referred to it by the Operational Risk Group.
Key Recommendations:

- Legal risk and operational risk are the same. Most risks are sought to be covered by documentation, particularly where the law is silent.
- Legal risks need to be incorporated as part of operational risks, and the position needs to be periodically communicated to the top management and the Board/Risk Management Committee of the Board.
- As the law on data protection and privacy in the Indian context is at an evolving stage, banks have to keep in view the specific provisions of the IT Act, 2000 (as amended in 2008), various judicial and quasi-judicial pronouncements and related developments in the Cyber laws in India as part of their legal risk mitigation measures.
- Banks are also required to keep abreast of the latest developments in the IT Act, 2000 and the rules, regulations, notifications and orders issued thereunder pertaining to bank transactions, and of emerging legal standards on digital signature, electronic signature, data protection, cheque truncation, electronic fund transfer etc., as part of the overall operational risk management process.

REFERENCES:

Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Report and Recommendations)