
05 December 2016
A quick approach to complying with RBI Cyber Security Framework
By Kaiser AB
With cyber security risks to banking and financial transactions increasing at an alarming rate, India's central bank, the Reserve Bank of India (RBI), issued a "Cyber Security Framework" that all banks were to comply with by September 30, 2016. This post provides an approach to meeting its requirements.
The framework recommends 11 objectives to be met by implementing the overall framework. Read on for an approach that helps in meeting these requirements.
In order to address the emerging cyber security threat, the RBI recommended a cyber security policy that is distinct and separate from the bank's existing IT security policy.
It outlines a cyber security risk management and control approach. Since the outline is at a broad level, the best way to address it is to align with an established framework such as ISO 27001:2013.
As mentioned above, the framework recommends objectives to be met for:
- Continuous surveillance,
- IT architecture that is conducive to security,
- Network and database security,
- Protection of customer information,
- Cyber Crisis Management Plan,
- Cyber security preparedness indicators,
- Cyber security incident information sharing with the RBI,
- Cyber security organisational arrangement and awareness of all stakeholders.
The best approach to meeting the above requirements would be as follows:
The arrangement for continuous surveillance is best achieved through a Security Operations Centre (SOC) equipped with the necessary tools to carry out penetration testing and vulnerability assessment, incident monitoring and response, and with the necessary manpower to carry out surveillance of the bank's IT/digital infrastructure on a 24/7 basis. Setting up a SOC is challenging from the perspective of cost, identifying the requisite tools and processes, and the people skills required to staff such centres.
With increasingly sophisticated threats and a growing number of cyber security incidents, it is imperative to deploy security analytics software to overcome these challenges. Security analytics tools help organisations implement real-time monitoring of servers, endpoints and network traffic, consolidate and correlate diverse event data from application and network logs, and perform forensic analysis to better understand attack methods and system vulnerabilities. Taken together, these functions help security professionals assess how systems were compromised, which systems were affected and whether an attack is still underway.
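The consolidation and correlation step described above, as an added example that is not part of the original post or of any product it refers to: two constructed log formats (an application authentication log and a firewall log) are normalised into one event schema, then correlated per source address to flag a burst of failed logins followed by a success, with the firewall drops from the same address attached as context and a flag for whether the activity is still recent. The log lines, field names, thresholds and the 60-second window are all assumptions made for this example.

```python
"""Added example (not from the original post): normalise two constructed log
formats into one schema and correlate them per source IP.
All log lines, field names and thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: an application auth log and a firewall log.
APP_LOG = """\
2016-12-05T10:00:01 auth user=alice src=203.0.113.7 result=FAIL
2016-12-05T10:00:03 auth user=alice src=203.0.113.7 result=FAIL
2016-12-05T10:00:05 auth user=alice src=203.0.113.7 result=FAIL
2016-12-05T10:00:09 auth user=alice src=203.0.113.7 result=OK
2016-12-05T10:02:00 auth user=bob src=198.51.100.4 result=OK
"""
FW_LOG = """\
Dec  5 10:00:00 fw1 kernel: ACCEPT SRC=203.0.113.7 DST=10.0.0.5 DPT=443
Dec  5 10:00:08 fw1 kernel: DROP SRC=203.0.113.7 DST=10.0.0.5 DPT=22
Dec  5 10:01:59 fw1 kernel: ACCEPT SRC=198.51.100.4 DST=10.0.0.5 DPT=443
"""

APP_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\S+)$")
FW_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (ACCEPT|DROP) "
    r"SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def normalise(app_text, fw_text, year=2016):
    """Parse both formats into a common event dict and return them sorted by time.
    Syslog-style firewall lines carry no year, so one is supplied (assumed)."""
    events = []
    for line in app_text.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not guessed at
        ts, user, src, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "source": "app",
                       "src_ip": src,
                       "kind": "login_ok" if result == "OK" else "login_fail",
                       "detail": user})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, dpt = m.groups()
        stamp = datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")
        events.append({"ts": stamp.replace(year=year), "source": "fw",
                       "src_ip": src,
                       "kind": "fw_drop" if action == "DROP" else "fw_accept",
                       "detail": f"{dst}:{dpt}"})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, fail_threshold=3, window=timedelta(seconds=60), now=None):
    """Per source IP: at least `fail_threshold` failed logins inside `window`
    before a successful login raises one alert, enriched with the number of
    firewall drops seen from that IP. `still_active` is set when the IP's
    latest event is within `window` of `now` (if `now` is given)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e["ts"] for e in evs if e["kind"] == "login_fail"]
        successes = [e["ts"] for e in evs if e["kind"] == "login_ok"]
        drops = sum(1 for e in evs if e["kind"] == "fw_drop")
        for ok in successes:
            recent = [t for t in fails if ok - window <= t <= ok]
            if len(recent) >= fail_threshold:
                alerts.append({
                    "src_ip": ip,
                    "failures_before_success": len(recent),
                    "fw_drops": drops,
                    "success_at": ok,
                    "still_active": now is not None and now - evs[-1]["ts"] <= window,
                })
                break  # one alert per IP is enough for an analyst queue
    return alerts


if __name__ == "__main__":
    for a in correlate(normalise(APP_LOG, FW_LOG),
                       now=datetime(2016, 12, 5, 10, 0, 30)):
        print(a)
```

The point of the normalisation step is that the detection logic never has to know which device produced an event; adding a third log source only means adding another parser that emits the same dictionary shape.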
A detailed assessment of the IT architecture, based on a risk assessment, is to be carried out to meet the cyber security and resilience framework and policy. Such a cyber security and resilience framework needs to address 24 control requirements. As mentioned earlier, most of them can be addressed through the ISO 27001 implementation.
Network and database security risks can be addressed by implementing a proper access control mechanism, including a temporary, time-limited access mechanism for time-bound access requirements. Data both at rest and in transit can be encrypted with appropriate solutions.
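A minimal time-bound access registry of the kind the paragraph above alludes to, added here as an example and not taken from the post or from any bank's system: every temporary grant carries a start, an expiry, and a ticket reference, grants are capped at an assumed maximum duration, access checks are evaluated against the clock, and a scheduled sweep closes expired grants. The principal, resource and ticket names, the eight-hour cap and the audit record format are all assumptions for this example.

```python
"""Added example (not from the original post): time-bound access grants with
expiry, a duration cap, and an audit trail. Names and policy values are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_TEMP_GRANT = timedelta(hours=8)  # assumed policy cap on temporary access


@dataclass
class Grant:
    principal: str
    resource: str
    not_before: datetime
    not_after: datetime   # exclusive: access stops at this instant
    ticket: str           # change/incident reference justifying the access
    closed: bool = False


class AccessRegistry:
    def __init__(self):
        self.grants = []
        self.audit = []  # (time, action, principal, resource, reason)

    def grant(self, principal, resource, start, duration, ticket):
        """Create a temporary grant; refuses open-ended or over-long access."""
        if duration <= timedelta(0) or duration > MAX_TEMP_GRANT:
            raise ValueError("duration must be positive and at most MAX_TEMP_GRANT")
        if not ticket:
            raise ValueError("temporary access requires a ticket reference")
        g = Grant(principal, resource, start, start + duration, ticket)
        self.grants.append(g)
        self.audit.append((start, "GRANT", principal, resource, ticket))
        return g

    def is_allowed(self, principal, resource, at):
        """Decision point: true only while a live grant covers `at`."""
        for g in self.grants:
            if (g.principal == principal and g.resource == resource
                    and not g.closed and g.not_before <= at < g.not_after):
                self.audit.append((at, "ALLOW", principal, resource, g.ticket))
                return True
        self.audit.append((at, "DENY", principal, resource, "no valid grant"))
        return False

    def revoke(self, principal, resource, at, reason):
        """Early revocation, e.g. when the ticket is closed before expiry."""
        n = 0
        for g in self.grants:
            if g.principal == principal and g.resource == resource and not g.closed:
                g.closed = True
                self.audit.append((at, "REVOKE", principal, resource, reason))
                n += 1
        return n

    def expire(self, at):
        """Scheduled sweep: close every grant whose expiry has passed.
        Returns the number of grants closed."""
        n = 0
        for g in self.grants:
            if not g.closed and g.not_after <= at:
                g.closed = True
                self.audit.append((at, "EXPIRE", g.principal, g.resource, g.ticket))
                n += 1
        return n


if __name__ == "__main__":
    reg = AccessRegistry()
    t0 = datetime(2016, 12, 5, 10, 0)
    reg.grant("dba-oncall", "core-db", t0, timedelta(hours=2), "CHG-0001")
    print(reg.is_allowed("dba-oncall", "core-db", t0 + timedelta(hours=1)))  # True
    print(reg.is_allowed("dba-oncall", "core-db", t0 + timedelta(hours=2)))  # False
    for row in reg.audit:
        print(row)
```

Two design choices worth noting: the check is made against the grant's window at decision time rather than relying on the sweep, so a missed sweep cannot extend access, and the audit trail records denials as well as allows, which is what an auditor reviewing the time-bound control will ask for.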
To ensure protection of customer information, appropriate access control and encryption mechanisms need to be implemented. But to prevent leakage of customer information through other threats such as phishing, misconfiguration and application security weaknesses, appropriate user awareness training and controls need to be implemented as well.
The framework recommends a Cyber Crisis Management Plan; this can be built on top of the information security incident management policy laid out as part of the ISO 27001 implementation, which broadly covers the same ground in great detail.
It recommends the establishment of cyber security preparedness indicators linked to the cyber resilience framework. This means identifying key performance indicators and carrying out both internal and external audits to monitor preparedness. The RBI specifies the need for sharing incidents with itself, with peers and with connected agencies. Banks can share such incidents limited to their technical aspects, which helps in issuing advisories to other banks. Supervisory reporting is henceforth a regulatory requirement, and it can be complied with by building the appropriate process into the incident response policy.
Creation of an appropriate organisation and awareness for cyber security can be achieved by having a council to deal with cyber security, as mandated in the Leadership (5) and Organisational roles, responsibilities and authorities (5.3) requirements of the ISO 27001 framework.
With this approach, banks can start complying with the framework quickly.