Tuesday, 10 July 2018

Banking sector IT guidelines

The Reserve Bank of India (RBI) issued new guidance in April 2011 for banks to mitigate
the risks arising from the use of information technology in banking operations. The RBI guidelines
are the result of the Working Group's recommendations on information security, electronic
banking, technology risk management and cyber fraud. The Working Group was formed
in April 2010 under the chairmanship of G. Gopalakrishna, executive director of the RBI.
The guidance is largely driven by the need to mitigate the cyber threats emerging from
the increasing adoption of IT by commercial banks in India.
Recommendations are made in nine broad areas:
1. IT Governance: emphasizes the IT risk management accountability on a bank's
board of directors and executive management. Focus includes creating an
organizational structure and process to ensure that a bank's IT security sustains
and extends business strategies and objectives.
2. Information Security: maintaining a framework to guide the development of a
comprehensive information security program, which includes forming a separate
information security function to focus exclusively on information security and risk
management, distinct from the activities of an information technology
department. These guidelines specify that the chief information security officer
needs to report directly to the head of risk management and should not have a
direct reporting relationship with the chief information officer.
3. IT Operations: specialized organizational capabilities that provide value to
customers, including IT service management, infrastructure management,
application lifecycle management and IT operations risk framework.
4. IT Services Outsourcing: places the ultimate responsibility for outsourced
operations, and for management of the risk inherent in such relationships, on the board
and senior management. Focus includes effective selection of the service provider,
monitoring and control of outsourced activities, and risk evaluation and
management.
5. Information Security Audit: the need for banks to re-assess their IS audit processes
and ensure that they provide an independent and objective view of the extent to
which risks are managed. This topic focuses on defining the roles and
responsibilities of the IS audit stakeholders and on the planning and execution of the
audit.
6. Cyber Fraud: defines the need for an industry-wide framework on fraud
governance, with particular emphasis on tackling electronic-channel-based fraud.
Focus includes creating an organizational structure for fraud risk management
and a special committee for monitoring large-value fraud.
7. Business Continuity Planning: focuses on policies, standards and procedures
to ensure continuity, resumption and recovery of critical business processes.
This topic also emphasizes implementing a framework to minimize the
operational, financial, legal, reputational and other material consequences arising
from such a disaster.
8. Customer Education: the need to implement a consumer awareness framework
and programs on a variety of fraud-related issues.
9. Legal Issues: defines the need to put effective processes in place to ensure that
legal risks arising from cyber laws are identified and addressed at banks. It also
focuses on the board's consultation with the legal department on steps to mitigate
business risks within the bank.
