The Reserve Bank of India (“RBI”) has rolled out the “Master Direction – Information Technology Governance, Risk, Controls and Assurance Practices” (“Master Direction”) to incorporate, consolidate and update the guidelines, instructions and circulars on IT Governance, Risk, Controls, Assurance Practices and Business Continuity/ Disaster Recovery Management. The Master Direction also repeals a few previous Circulars (please refer to the Annex to the Master Direction for further details on Circulars which are being repealed).
Please note, the Master Direction will gain effect on 1st April, 2024.
Background:
Following the Statement on Developmental and Regulatory Policies issued in February 2022, RBI had issued a Draft Master Direction in October 2022 inviting comments and suggestions from the public (please refer to the trail e-mail for a detailed read of the Draft Master Direction issued by RBI). Based on the feedback received, RBI has now issued the present Master Direction.
Applicability:
The Master Direction applies to the following entities, which are hereinafter defined as “Regulated Entities”:
- Non-Banking Financial Companies (hereinafter referred to as ‘NBFCs’) as defined under the Reserve Bank of India Act, 1934, including the ‘Top Layer’, ‘Upper Layer’ and ‘Middle Layer’ NBFCs defined in ‘Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs’.
- All Banking Companies, Corresponding New Banks and State Bank of India
- Credit Information Companies
- All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI)
Please note, the Master Direction will not apply to:
- NBFC – Core Investment Companies
- Local area banks
Key Takeaways:
- IT Governance Framework:
- REs have to keep in place a robust IT governance framework specifying the governance structure and processes necessary to meet the REs’ business/strategic objectives. The framework has to specify the roles (including authority) and responsibilities of the Board of Directors, the Board-level Committee and Senior Management. REs have to put in place adequate oversight mechanisms to ensure accountability and mitigation of IT and cyber/ information security risks.
- REs have to incorporate periodic assessment of the IT-related risks (both inherent and potential risk) in their enterprise-wide risk management policy.
- Role of Board of Directors:
Strategies and policies related to IT, Information Systems (IS), Business Continuity, Information Security and Cyber Security (including Incident Response and Recovery Management/ Cyber Crisis Management) have to be approved by the Board and reviewed at least annually.
- IT Strategy Committee:
- REs must establish a Board-level IT Strategy Committee comprising a minimum of 3 technically sound and competent directors as members, and the committee has to meet on a quarterly basis.
- The committee must comply with certain other requirements as stated in the Master Direction.
- Senior Management and IT Steering Committee:
- Senior management has to ensure execution of the IT strategy approved by the Board; put in place appropriate mechanisms to ensure the smooth functioning of IT/IS and their support infrastructure; and create a culture of IT risk awareness in REs.
- REs have to establish an IT Steering Committee with representation at Senior Management level from IT and business functions, to assist the Board/ IT Strategy Committee in the implementation of the IT Policy and IT Strategy. The IT Steering Committee has to meet at least on a quarterly basis.
- Head of IT Function:
- REs have to appoint a sufficiently senior, technically competent official experienced in IT-related aspects as Head of IT Function for key decision-making in the use of IT in REs.
- IT Service Management:
- REs have to keep in place a robust IT Service Management Framework for the efficient functioning of their IT environment.
- Service Level Management (SLM) has to be in place to manage IT operations while ensuring effective segregation of duties.
- REs have to ensure identification and mapping of the security classification of information assets based on their criticality to the REs’ operations.
- REs must use current software and hardware and have a refresh plan in place before they reach end of support (EOS).
- REs have to put in place appropriate vendor risk assessment process and controls proportionate to the assessed risk and materiality.
- Capacity Management:
- REs are required to proactively assess any capacity constraints based on past trends (peak usage) and business activities (current as well as future plans), and to address the issues effectively. An annual assessment of capacity vis-a-vis expectations, with a sufficient safety margin, has to be carried out and reviewed by the Board/ Board-level IT Strategy Committee.
- Project Management:
- REs, while adopting new/ emerging technologies or tools or revamping existing ones in their technology stack, have to follow a standard enterprise architecture planning methodology/ framework.
- REs have to maintain an enterprise data dictionary to enable the sharing of data among applications and systems and to promote a common understanding of data among IT and business users.
- A consistent and formally defined project management approach has to be applied to IT projects undertaken by the RE. The project management approach must, inter alia, enable appropriate stakeholder participation for effective monitoring and management of project risks and progress.
- Information on major IT projects that have a significant impact on the RE’s risk profile and strategy must be reported to the IT Strategy Committee. Such projects have to undergo appropriate strategic and cost/ reward analysis on a periodic basis.
- Change Management:
- REs must put in place documented policies and procedures for change management to ensure that the business impact of implementing a change is assessed; that changes are reviewed in a secure and timely manner; and that a mechanism is established to recover from failed changes or deployments or unexpected results.
- Data Migration Controls:
- REs must have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency. The policy must, inter alia, contain provisions pertaining to signoffs from business users and application owners at each stage of migration, maintenance of audit trails, etc.
- Audit Trails:
- Every IT application which can access or affect critical/ sensitive information has to have audit trail/ logging capability.
- The audit trails have to satisfy an RE’s business requirements apart from regulatory and legal requirements. The audit trails must be detailed enough to facilitate the conduct of audits, serve as forensic evidence when required and assist in dispute resolution, including for non-repudiation purposes.
- Cryptographic Controls:
- REs must adopt internationally accepted and published standards that are not deprecated/ demonstrated to be insecure/ vulnerable and the configurations involved in implementing such controls must be compliant with extant laws and regulatory instructions.
- Straight Through Processing:
- REs must ensure that there is no manual intervention or manual modification in data while it is being transferred from one process to another.
- Physical and Environmental Controls:
- Suitable physical and environmental controls should be implemented in the Data Centre (DC) and Disaster Recovery (DR) site. DC and DR should be under a surveillance mechanism and geographically well separated from each other.
- Access Controls:
- Access to information assets will be allowed only where a valid business need exists. There have to be documented standards/ procedures, approved by the competent authority and kept up to date, for administering need-based access to an IT system.
- Personnel with elevated system access entitlements have to be closely supervised, with all their system activities logged and periodically reviewed. REs have to adopt multi-factor authentication for privileged users.
- Metrics:
- REs have to define suitable metrics for system performance, recovery and business resumption, including Recovery Point Objective (RPO) and Recovery Time Objective (RTO), for all critical information systems.
- For non-critical information systems, REs have to adopt a risk-based approach to define suitable metrics.
- REs have to implement a suitable scorecard/ metrics/ methodology to measure IT performance and IT maturity level.
- IT and Information Security Risk Management:
- REs must include IT-related risks in their Risk Management Policy.
- REs must establish a robust IT and Information Security risk management framework.
- There are other compliance requirements proposed under the Draft MD with reference to the following:
- Incident Response and Recovery Management
- VA/PT Assessments
- Controls on Teleworking
- Business Continuity and Disaster Recovery Management
- Information Systems (IS) Audit
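The Audit Trails item above requires logs that can serve as forensic evidence and support non-repudiation. One way to make an application audit trail tamper-evident is to chain each entry to the previous one and authenticate every entry with a keyed hash, so that any later edit, deletion or reordering is detectable on verification. The following is an added illustration written for this summary, not code from the Master Direction or from any RE; the signing key, the event fields and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real deployment the key would live in an HSM or
# a secrets manager and be unavailable to the application's ordinary users.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64  # hash "of" the entry before the first one


def _canonical(record: dict) -> bytes:
    """Serialise a record deterministically so its hash is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(trail: list, actor: str, action: str, target: str,
                 outcome: str, when: str = None) -> dict:
    """Append one audit event, chained to the previous entry.

    Each entry records who did what, to which asset, with what result and
    when, plus the hash of the previous entry. The HMAC over the entry ties
    it to the signing component (supporting non-repudiation), and the chain
    makes deletion or reordering detectable.
    """
    prev_hash = trail[-1]["entry_hash"] if trail else GENESIS
    body = {
        "seq": len(trail) + 1,
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "outcome": outcome,
        "prev_hash": prev_hash,
    }
    entry_hash = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash)
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> tuple:
    """Re-walk the chain. Returns (True, None) if intact, else (False, seq)
    where seq is the first entry that fails its sequence, link or HMAC check."""
    expected_prev = GENESIS
    for idx, entry in enumerate(trail, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != idx or body["prev_hash"] != expected_prev:
            return False, entry["seq"]
        recomputed = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(recomputed, entry["entry_hash"]):
            return False, entry["seq"]
        expected_prev = entry["entry_hash"]
    return True, None


def build_sample_trail() -> list:
    """Constructed events: a privileged user changing a customer limit."""
    trail = []
    append_event(trail, "admin.ravi", "LOGIN_MFA_OK", "core-banking-app",
                 "success", "2024-04-01T09:00:00+00:00")
    append_event(trail, "admin.ravi", "UPDATE_CREDIT_LIMIT", "account:XXXX1234",
                 "success", "2024-04-01T09:02:10+00:00")
    append_event(trail, "admin.ravi", "LOGOUT", "core-banking-app",
                 "success", "2024-04-01T09:05:00+00:00")
    return trail


def tampered_copy(trail: list) -> list:
    """Simulate an after-the-fact edit: entry 2's outcome is rewritten."""
    copy = [dict(e) for e in trail]
    copy[1]["outcome"] = "denied"
    return copy


if __name__ == "__main__":
    sample = build_sample_trail()
    print("intact trail:", verify_trail(sample))            # (True, None)
    print("edited entry:", verify_trail(tampered_copy(sample)))  # (False, 2)
    print("entry removed:", verify_trail(sample[:1] + sample[2:]))  # (False, 3)
```

The verifier must hold the same key as the writer, so in practice the key is held by a separate logging service or HSM rather than by the application whose actions are being recorded; otherwise an administrator with elevated access to the application could rewrite the chain. Periodic review of privileged activity, as the Access Controls item requires, can then run `verify_trail` before reading the entries.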
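The Cryptographic Controls item above requires REs to avoid deprecated or demonstrably insecure algorithms. A practical control is a configuration check that flags such algorithms wherever they appear in application or TLS settings. The script below is an added example for this summary, not part of the Master Direction; the `key = value` configuration format, the key-name heuristics and the deny list are assumptions made for the illustration (the deny list reflects published deprecations such as RFC 8996 for TLS 1.0/1.1, RFC 7568 for SSLv3 and RFC 7465 for RC4, but a real RE would maintain its own list aligned to its cryptographic policy).

```python
import re

# Illustrative deny list (assumption for this example). Entries are upper-cased
# so matching is case-insensitive.
DEPRECATED = {
    "protocol": {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"},  # RFC 6176, RFC 7568, RFC 8996
    "cipher": {"RC4", "DES", "3DES", "NULL", "EXPORT"},              # RFC 7465 (RC4); NULL/EXPORT offer no protection
    "hash": {"MD5", "SHA1"},                                         # collision-broken digests
}


def _category_for(key: str):
    """Map a configuration key name to a deny-list category (heuristic)."""
    lowered = key.lower()
    if "version" in lowered or "protocol" in lowered:
        return "protocol"
    if "cipher" in lowered:
        return "cipher"
    if "hash" in lowered or "digest" in lowered:
        return "hash"
    return None


def audit_crypto_config(config_text: str) -> list:
    """Return one finding per deprecated algorithm token found in the config.

    Values are split on ':' ',' whitespace and '-' so that OpenSSL-style suite
    names such as RC4-SHA or DES-CBC3-SHA are inspected component by component.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        category = _category_for(key)
        if category is None:
            continue
        for token in re.split(r"[:,\s-]+", value):
            if token.upper() in DEPRECATED[category]:
                findings.append({"line": lineno, "key": key,
                                 "token": token, "category": category})
    return findings


# Constructed sample configurations: a weak one and a corrected one.
WEAK_CONFIG = """\
# constructed example of a non-compliant configuration
tls_min_version = TLSv1
cipher_suite = ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA
signature_hash = SHA1
"""

HARDENED_CONFIG = """\
# constructed example of a corrected configuration
tls_min_version = TLSv1.2
cipher_suite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305
signature_hash = SHA256
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_crypto_config(cfg))
```

Running the check on the weak configuration reports three findings (the protocol floor, the RC4 suite and the SHA-1 signature hash); the corrected configuration reports none. Wiring a check like this into the change-management pipeline gives the review step the Master Direction asks for a concrete, repeatable test rather than a manual read of the settings.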
Please refer to the hyperlinked document for a detailed read of the Master Direction.
Source: Reserve Bank of India