RBI issued new guidelines related to IT governance of banks, will be implemented from April 2024


RBI Direction: The directions will be called the Reserve Bank of India (Information Technology Governance, Risk, Control and Assurance Practices) Directions, 2023 and will come into effect from April 1, 2024. The new directions state that REs (Regulated Entities) shall establish a robust IT service management framework to ensure the operational resilience of their entire IT environment.


The Reserve Bank of India (RBI) has issued a new comprehensive master direction for banks and NBFCs on information technology (IT) governance, risk, controls and assurance practices. Key focus areas of IT governance will include strategic alignment, risk management, resource management, performance management, business continuity and disaster recovery management.

These directions will be called the Reserve Bank of India (Information Technology Governance, Risk, Control and Assurance Practices) Directions, 2023 and will be effective from April 1, 2024. The new directions state, “REs (Regulated Entities) shall establish a robust IT service management framework to ensure the operational resilience of their entire IT environment (including DR sites) and to support their information systems and infrastructure.”

The directions further state that each RE shall have a documented data migration policy specifying a systematic process for data migration that ensures data integrity, completeness and consistency. “The policy will inter alia include provisions relating to sign-off from business users and application owners at each stage of migration, maintenance of audit trails, etc.,” the Reserve Bank said.

As per the directions, every IT application that can access or affect critical or sensitive information must have the necessary audit and system logging capabilities and must provide audit trails.

The directions also cover the transmission channels, key lengths, algorithms, cipher suites and protocols used for data processing and authentication. REs shall adopt internationally accepted and published standards that are not deprecated or known to be insecure, and the configuration used to implement such controls shall conform to existing laws and regulatory directives.

To prevent unauthorised modification of data, the directions require REs to ensure that, for critical applications, there is no manual intervention or manual modification while data is transferred from one process to another or from one application to another.

The directions also state that the risk management policy of an RE shall cover IT-related risks, including cyber security risks, and that the Risk Management Committee of the Board (RMCB), in consultation with the IT Strategy Committee (ITSC), shall review it periodically, at least on an annual basis.

REs should analyse cyber incidents (through forensic analysis where necessary) to determine their severity, impact and root cause. The central bank said REs should take corrective and preventive measures to mitigate the adverse impact of incidents on business operations.
