The Baseline Requirements of the RBI Cyber Security Framework

Financial institutions are amongst the most highly targeted organizations for cyber security attacks. To address this, the Reserve Bank of India (RBI) has outlined a list of controls, known as the RBI Guidelines for Cyber Security Framework, for banks to achieve a minimum recommended baseline of cyber attack resilience.

Each area carries several detailed specifications from the list of controls outlined by the Reserve Bank of India. These specifications will help financial institutions accurately identify and target deficiencies across their cybersecurity policies.

RBI’s guidelines apply to all banking, neo-banking, lending, and non-banking financial institutions in India. Compliance with these security standards will likely become mandatory from the next financial year starting from April 2023. At the time of writing this article, this date is only six months away, and modifying security controls at an organizational scale takes time. Financial institutions need to align their security measures to the RBI cyber security framework now to allow sufficient time to complete compliance by April 2023.

Financial organisations looking to comply with these guidelines will need to modify certain aspects of how the business operates, notably its approaches to managing business IT assets, assessing vendor risk, and identifying and mitigating data leaks.

The critical cyber security controls for Primary (Urban) Cooperative Banks (UCBs) are outlined below.

Inventory of IT Assets

UCBs need to maintain an updated register of all business IT assets. This register should:

• Identify all systems storing or processing customer data.
• Identify all IT assets - hardware, software, network devices, key personnel, IT services, etc.
• Assign each IT asset a criticality rating (high/medium/low) based on the degree of sensitive customer data being processed/stored.
• Map the flow of customer data throughout the network, identifying where/when it’s stored, transmitted, processed, and all points of access - both internal and external to the IT network.
• Implement relevant security control to ensure customer data is always protected throughout its entire lifecycle.
• Track the differing levels of customer data risk across the entire data lifecycle - refer to this post for guidance on quantifying cyber risks.

Why is this RBI control important?

By being aware of all assets processing customer data and their associated cybersecurity risks, remediation efforts can be deployed to address each risk, increasing your cyber resilience.

How UpGuard Can Help You Comply with this RBI Control

Organisations often struggle to accurately identify all of their Business IT Assets. To accommodate this lack of visibility, every digital asset ends up being grouped into one broad “attack surface” category. But to comply with RBI’s framework, all assets  - software, hardware, services, internet-facing components, cloud solutions, etc. - need to be brought into clear focus.

This is best achieved with Attack surface management (ASM) tools focusing on the continuous discovery, inventory, classification, prioritization, and security monitoring of these assets. With such detailed asset visibility, organisations can identify cyber threats facilitating data breaches and data leaks. Organizations may also use automation to visualize and manage their attack surfaces.

Learn more about the best attack surface management solutions on the market >

Capable ASM solutions, like UpGuard Breach Risk, automate the five main steps of attack surface management:

1. Asset Discovery;
2. Inventory and classification;
3. Risk scoring and security ratings;
4. Continuous security monitoring;
5. Malicious asset and incident monitoring.
   
   

To help financial organisations in India meet and exceed RBI’s guidelines, UpGuard is offering 7-day free trials.

Click here to try UpGuard free for 7 days >

Outsourcing Risk Management

To comply with this RBI control, financial institutions need to:

• Ensure all service level agreements (SLAs) stipulate the responsibilities of all parties (the UCB and the vendor) in the event of service failures.
• All vendor agreements outline the grievance redressal mechanism to resolve customer complaints.
• Ensure all SLAs are reviewed against the expected security control performance of each vendor

• Ensuring appropriate management and assurance of security risks in outsourced arrangements
• Evaluate the need for outsourcing critical processes based on comprehensive risk assessments
• Regularly conduct adequate due diligence, oversight, and management of third parties.
• Establish appropriate framework, policies, and procedures by baseline system security configuration standards
• Evaluate, assess, review, control, and monitor the risks for all vendors
• Ensure and demonstrate that the service provider adheres to all regulatory and legal requirements of the country
• Making available to the RBI all information resources that banks consume
• Adhere to relevant legal and regulatory requirements relating to the geographical location of infrastructure
• Thoroughly satisfy the credentials of third-party personnel accessing and managing the bank’s critical assets
• Mandating background checks, non-disclosure, and security policy compliance agreements for all third-party service providers

How UpGuard Can Help You Comply with this RBI Control

To adequately address third-party risks and meet the controls guidelines outlined by the RBI, Indian organisations must implement a Vendor Risk Management. With such a volatile third-party cyber threat landscape, Vendor RIsk Management is crtitical for every indian business.

By identifying security vulnerabilities exposing your vendors to data breaches, a Vendor Risk Management program could reduce the potential of your business being breached through a compromised vendor - a type of cyberattack known as a supply chain attack.

Learn why Vendor Risk Management is crucial for Indian businesses >

Advanced VRM solutions, like UpGuard Vendor Risk, automate the critical Vendor Risk Management processes by:

• Performing risk assessments before onboarding vendors to determine if their levels of risk are worth taking on;
• Continuously monitoring the third-party attack surface for cyber threats and vulnerabilities increasing the potential of vendor data breaches.
• Tiering vendors based on their level of risk and business impact to prioritize remediation efforts;

• Regularly assessing each vendor's regulatory compliance efforts with routine security questionnaires and vulnerability assessments.
  
  

To help financial organisations in India meet and exceed RBI’s guidelines, UpGuard is offering 7-day free trials.

Click here to try UpGuard free for 7 days >

Data Leak Prevention Strategy

To comply with this RBI control, financial institutions need to:

• Develop a comprehensive data loss/leakage prevention strategy
• Protecting data processed in endpoint devices, data in transmission, and data stored in servers and other digital stores
• Ensuring that similar arrangements are made for vendor-managed facilities

How UpGuard Can Help You Comply with this RBI Control

To mitigate the risk of costly data breaches, organisations need to include an effective data leak prevention strategy in their security program, ideally using proven managed services.

UpGuard offers complete data leak prevention and detection capabilities through specialized data leak detection techniques and continuous attack surface monitoring.

UpGuard also offers several vital functionalities to assist with complying with RBI’s data leak mitigation standards, including:

• Continuous data leak monitoring for your organization and your vendors 
• Powered by a dedicated team of experts analysts and an AI-assisted platform 
• Monitors the surface, deep, and dark web for sensitive data
• Integrated platform monitors for a range of exposed credentials and file types, including online file stores, databases, CDNs, document sharing sites, paste sites, and online code repositories like GitHub, Bitbucket, and GitLab.
  
  

To help financial organisations in India meet and exceed RBI’s guidelines, UpGuard is offering 7-day free trials.

Click here to try UpGuard free for 7 days >

Preventing Unauthorised Access

To comply with this RBI control, financial institutions need to:

• Maintain an updated inventory of all authorised software solutions, including third-party vendor solutions.
• Implement security mechanisms and policies to ensure only approved / secure software/applications are installed on end-user devices.
• Ensure all web browsers are set to auto-update to keep them updated with the latest security patches.
• Disable JavaScript, Java, and ActiveX controls when they’re not required / in use.
• Restrict general internet access in the branch to standalone computers entirely disconnected from systems used for daily business operations.

Why is this RBI control important? 

Preventing unauthorised software access minimises the potential of third-party breaches.

Environmental Controls

To comply with this RBI control, financial institutions need to:

• Deploy security controls to protect physical critical assets from human threats and natural disasters.
• Implement monitoring controls for detecting environmental asset compromise. Environmental management should monitor for temperature, water levels, and smoke changes, service availability access/audit log activity, and also include access alarms.

Why is this RBI control important?

Environmental controls help prevent critical infrastructure damage from cyberattacks.

Network Management and Security

To comply with this RBI control, financial institutions need to:

• Follow secure configuration practices across all networked devices.
• Ensure default passwords are never used for networked devices.

• Secure all wireless device access points and wireless client access systems.
• Deploy appropriate network separation controls/strategies for all critical financial infrastructures (ATMS, CBS, SWIFT, RTGS, NEFT, etc.).

Why is this RBI control important?

Securing your banking network reduces the potential of remote intrusions resulting in customer data theft and ransomware attacks.

Secure Configurations

To comply with this RBI control, financial institutions need to:

• Implement firewalls and configure them to the highest security settings.
• Routinely evaluate firewall configurations and other IT boundary controls such as network switches.
• Enforce the highest levels of application security across all banking apps.
• Routinely test the resilience of network security configurations with penetration testing.

Why is this RBI control important?

When configured correctly, a firewall can prevent cybercriminals from accessing your network and block cyberattack attempts

‍

Learn how UpGuard empowered Tech Mahindra to automate their third-party risk management program.

Read the Tech Mahindra case study >

‍

‍

Patch Management

To comply with this RBI control, financial institutions need to:

• Ensure antivirus software is always kept updated.
• Implementing systems for tracking and rapidly identifying security patch requirements across all systems and assets, including servers, operating systems, applications, software, and end-user devices (especially mobile devices used for Multi-Factor Authentication).

Why is this RBI control important?

Whenever antivirus software is updated, it learns how to identify the latest threat landscape developments.

User Access Control

To comply with this RBI control, financial institutions need to:

• Limit sensitive customer data access to those that absolutely need it (also known as the principle of least privilege).
• Under passwords are complex and never recycled.
• Implement Multi-Factor Authentication across all user accounts (especially user accounts).
• Ensure Remote Desktop Protocols (RDP) are disabled by default unless approved by an authorised party.
• Ensure all authorised RDPs are continuously monitored for suspicious connection requests with a SIEM logging solution.
• Use a SIEM solution or similar event log tracking solution to monitor/manage connectinos across all privileged accounts.

A secure user access control policy can be achieved with a zero-trust architecture and Privileged Access Management.

Why is this RBI control important?

Continuously monitoring privileged account connections could help you identify data breach attempts early enough to prevent them.

Secure Messaging Systems

To comply with this RBI control, financial institutions need to:

• Implement security measures to prevent/mitigate email-based cyber attacks- such as email spoofing, business email compromise, phishing attacks, social engineering, etc.

Secure your email with this free checklist >

• Implement security measures to prevent fraudulent online impersonations of your business that could support email-based cyberattacks - examples of such cyber threats include domain hijacking and typosquatting.

Why is this RBI control important?

Securing all email communications could reduce the potential of data breaches resulting from fraudulent emails.

Removable Media

To comply with this RBI control, financial institutions need to:

• Ban all removable media - USBs, external hard drives, etc. - from banking environments unless explicitly approved for a specific time period by an authoritative staff member.
• Follow best cybersecurity practices for all removable media.
• Ensure all removable media is scanned for malware/viruses or any malicious files before connecting to a computer.

Why is this RBI control important?

Malware specifically developed for customer data theft or ransomware attacks could be installed from a removable media device.

User Awareness

To comply with this RBI control, financial institutions need to:

• Implement cyber security awareness training to teach staff how to correctly identify and respond to email-based attacks, such as phishing attacks.
• Ensure board members, stakeholders, and top management staff also undergo awareness training.
• Ensure staff understand how to follow an incident response plan, or cyber crisis management plan, during a cyber attack.

Why is this RBI control important? 

Cybercriminals are always trying to steal corporate credentials to gain access to a banking network. Awareness training prevents staff from falling victim to these attacks.

Customer Awareness

To comply with this RBI control, financial institutions need to:

• Ensure customers understand how to recognise phishing attacks.
• Ensure your customers know how dangerous phishing attacks are and that they could lead to financial theft.
• Teach customers how to secure their banking assets (pins, passwords, etc.).
• Ensure customers understand how to recognise suspicious sensitive data requests.
• Ensure customers understand not to share their personal information with third parties.

Why is this RBI control important? 

Cybercriminals often target individuals that have been impacted by historical breaches with phishing campaigns leading to bank account compromise.

Backup and Restoration

To comply with this RBI control, financial institutions need to:

• Perform periodic backups of all banking systems and critical systems - these backups should be made to a detachable storage device solely used for backups.

Why is this RBI control important?

A data backup strategy ensures you always clean system versions on hand to replace encrypted systems in the event of a ransomware attack.

How UpGuard Helps Organizations Meet Baseline Requirements of the RBI Cyber Security Framework

UpGuard offers a suite of solutions that align with RBIs information security standards in the areas of vendor risk management, data leak detection and continuous attack surface monitoring. UpGuard also helps Indian businesses meet the critical baseline cybersecurity requirements in the RBI cyber security framework.