Contents
INTENDED AUDIENCE, p. 3
EXECUTIVE SUMMARY, p. 3
INTRODUCTION, p. 4
CHAPTER 1: IT GOVERNANCE, p. 6
  Introduction, p. 6
  Roles and Responsibilities and Organizational Framework, p. 6
  Focus Areas for IT Governance, p. 6
  Policies and Procedures, p. 6
CHAPTER 2: INFORMATION SECURITY, p. 7
  Introduction, p. 7
  Roles & Responsibilities and Organization Framework, p. 8
  Critical Components of Information Security, p. 8
CHAPTER 3: IT OPERATIONS, p. 11
  Introduction, p. 11
  Roles & Responsibilities and Organization Framework, p. 11
  Components of IT Operations Framework, p. 11
CHAPTER 4: IT SERVICES OUTSOURCING, p. 12
  Introduction, p. 12
  Roles & Responsibilities and Organization Structure, p. 12
  Various Components/Aspects Relating to Outsourcing, p. 12
CHAPTER 5: IS AUDIT, p. 14
  Roles & Responsibilities and Organization Framework, p. 14
  Critical Components and Processes, p. 14
CHAPTER 6: CYBER FRAUD, p. 16
  Introduction, p. 16
  Roles/Responsibilities and Organizational Structure, p. 16
Network Intelligence India Pvt. Ltd. |
EXECUTIVE SUMMARY
In today's Indian scenario, the banking sector is rapidly adopting IT services for its operations. Automation of various
processes has no doubt given these banking and financial institutions many advantages, but it has given rise to many
risks as well.
Technology risks not only have a direct impact on a bank as operational risks but can also exacerbate other risks like
credit risks and market risks. Given the increasing reliance of customers on electronic delivery channels to conduct
transactions, any security related issues have the potential to undermine public confidence in the use of e-banking
channels and lead to reputation risks to the banks. Inadequate technology implementation can also induce strategic risk in
terms of strategic decision making based on inaccurate data/information. Compliance risk is also an outcome in the event
of non-adherence to any regulatory or legal requirements arising out of the use of IT. These issues ultimately have the
potential to impact the safety and soundness of a bank and in extreme cases may lead to systemic crisis.
Keeping in view the changing threat milieu and the latest international standards, it was felt that there was a need to
enhance RBI guidelines relating to the governance of IT and information security measures to tackle cyber fraud, apart from
enhancing independent assurance about the effectiveness of IT controls. To consider these and related issues, RBI
announced the creation of a Working Group on Information Security, Electronic Banking, Technology Risk Management
and Tackling Cyber Fraud in April 2010. The Group was set up under the Chairmanship of the Executive Director
Shri G. Gopalakrishna.
- Information technology (IT) risk assessment and management was required to be made a part of the risk management framework of a bank.
- Internal audits/information system audits needed to independently provide assurance that IT-related processes and controls were working as intended.
- Given the instances of cyber fraud in banks recently, it was necessary to improve controls and examine the need for pro-active fraud risk assessments and management processes in commercial banks.
- With the increase in transactions in electronic mode, it was also critical to examine the legal implications for banks arising out of cyber laws and the steps that were required to be taken to suitably mitigate the legal risks.
Taking into account the above mentioned issues, creation of a Working Group on Information Security, Electronic
Banking, Technology Risk Management and Tackling Cyber Fraud took place.
This working group was formed with the following vision, to:
- undertake a comprehensive assessment of extant IT and e-banking related guidelines vis-à-vis international guidelines/best practices and suggest suitable recommendations;
- suggest recommendations with respect to information security in order to comprehensively provide for a broad framework to mitigate present internal and external threats to banks;
- provide recommendations for effective and comprehensive Information Systems Audit related processes to provide assurance on the level of IT risks in banks;
- suggest scope for enhancement of measures against cyber fraud through preventive and detective mechanisms as part of the fraud risk management framework in banks;
- identify measures to improve business continuity and disaster recovery related processes in banks;
- assess the impact of legal risks arising out of cyber laws, the need for any specific legislation relating to data protection and privacy, and whether there is an Indian equivalent of the Electronic Fund Transfer Act in the US.
The working group decided to address IT issues across multiple dimensions arising out of the use of IT and provide
recommendations in these areas. These dimensions and the recommendations provided are elaborated in the following 9
chapters of the guideline:
Chapter 3: IT Operations
Chapter 5: IS Audit
The report is further divided into chapters, and each chapter contains an introduction, the associated roles and
responsibilities, and the control recommendations that the RBI mandates banks to implement. The
recommendations are not one-size-fits-all; their implementation needs to be based on the nature and scope of the
activities engaged in by a bank, the technology environment prevalent in the bank, and the support rendered by
technology to its business processes.
Roles and responsibilities (IT governance)
Responsibility / Description:
- Approving IT strategy and policy documents, and ensuring that the IT organizational structure complements the business model and its direction.
- Promoting an enterprise risk management competence throughout the bank, including facilitating development of IT-related enterprise risk management expertise.
- Among executives, the responsibility of the senior executive in charge of IT operations/Chief Information Officer (CIO) is to ensure implementation from policy to operational level, involving IT strategy, value delivery, risk management, IT resource and performance management.
- IT Steering Committee: its role is to assist the Executive Management in implementing the IT strategy that has been approved by the Board. An IT Steering Committee needs to be created with representatives from the IT, HR, legal and business sectors.
- Management and mitigation of risks and reduction of potential impacts on information resources to an acceptable level.
- Management of the performance of information security by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved.
Critical components of information security
Component / Description:

Information security policy: A Board-approved information security policy needs to be in place and reviewed at least annually.

Risk Assessment: The risk assessment must, for each asset within its scope, identify the threat/vulnerability combinations that have a likelihood of impacting the confidentiality, availability or integrity of that asset, from a business, compliance and/or contractual perspective.

Inventory and classification of information/data: Maintaining a detailed inventory of information assets and classification of information/data are among the key components of information security management.

Defining roles and responsibilities: Management can communicate general and specific security roles and responsibilities for all employees based on their job descriptions. Management should expect all employees, officers and contractors to comply with information security and/or acceptable-use policies and to protect the institution's assets, including information.

Access Control: Banks need to grant authorization for access to information assets only where a valid business need exists, and only for the definite time period for which the access is required.

Information security and information asset life-cycle: Information security needs to be considered at all stages of an information asset's (hardware, software) life-cycle, which typically includes planning and design; acquisition and implementation; maintenance and support; and disposal, so as to minimize exposure to vulnerabilities.

Personnel security: Banks should have a process in place to verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional background and credit checks.

Physical security: Banks should implement suitable physical and environmental controls taking into consideration threats, and based on the entity's unique geographical location,
Roles and responsibilities (IT operations)
Responsibility / Description:
(i) Service Desk
(ii) IT Operations Management
(iii) Application Management
(iv) Infrastructure Management

Components of IT operations framework
Component / Description:

Risk Management: As part of risk identification and assessment, banks should identify events or activities that could disrupt operations or negatively affect reputation or earnings, and assess compliance with regulatory requirements.

IT Operations Processes:
(i) IT Strategy: A well-defined IT strategy framework will assist IT operations in supporting IT services as required by the business and defined in SLAs.
(ii) Design: The components which should be considered when designing a new IT service or making a change to an existing IT service include business processes, service level agreements, IT infrastructure, IT environment etc.
(iii) Transition: The transition phase provides frameworks and processes that may be utilized by banks to:
- evaluate the service capabilities and risk profile of a new or changed service before it is released into the production environment;
- evaluate and maintain the integrity of all identified service assets and configuration items required to support the service.
(iv) Operation: The various aspects that banks need to consider include event management, incident management, problem management and access management.
Components/aspects relating to outsourcing
Component / Description:

(i) Material Outsourcing: Banks need to assess the degree of materiality inherent in the outsourced functions. Outsourcing of non-financial processes, such as technology operations, is material and, if disrupted, has the potential to significantly impact the business operations, reputation and stability of a bank.
(ii) Risk Management in outsourcing arrangements
(iii) Risk Evaluation and Measurement
(iv) Monitoring and Control of outsourced activities
(v) Confidentiality and Security
(vi) Outsourcing to Foreign Service providers
(vii) Outsourcing within a Group
(viii) Handling customer grievances and complaints
Critical components and processes (IS Audit)
Component / Description:

(i) IS Audit: Because IS Audit is an integral part of Internal Audit, IS auditors will also be required to be independent, competent and to exercise due professional care.
(ii) Outsourcing relating to IS Audit: Risk evaluation should be performed prior to entering into an outsourcing agreement and reviewed periodically in light of known and expected changes, as part of the strategic planning or review process.
Audit Charter / Audit Policy: An Audit Charter / Audit Policy is a document which guides and directs the activities of the Internal Audit function. IS Audit, being an integral part of the Internal Audit function, should also be governed by the same Audit Charter / Audit Policy. The document should be approved by the Board of Directors. The IS Audit policy/charter should be subjected to an annual review to ensure its continued relevance and effectiveness.
Planning an IS Audit: Banks need to carry out IS Audit planning using the Risk Based Audit Approach. The approach involves aspects like IT risk assessment methodology, defining the IS Audit Universe, scoping and planning the audit, execution and follow-up activities.
Executing IS Audit: During the audit, auditors should obtain evidence, perform test procedures, appropriately document findings, and conclude with a report.
Reporting: This phase involves reporting audit findings to the CAE and the Audit Committee. Before reporting the findings, it is imperative that IS Auditors prepare an audit summary memorandum providing an overview of the entire audit process from planning to audit findings.
Quality Review: It is to assess audit quality by reviewing documentation, ensuring appropriate
Roles/Responsibilities and organizational structure (cyber fraud)
Responsibility / Description:

Audit Committee of the Board: Indian banks follow the RBI guideline of reporting all frauds above 1 crore to their respective Audit Committee of the Board.
Special Committee: Banks are required to constitute a special committee exclusively for monitoring and follow-up of cases of fraud involving amounts of 1 crore and above, while the Audit Committee of the Board (ACB) may continue to monitor all cases of fraud in general.
Separate department to manage frauds: The activities of fraud prevention, monitoring, investigation, reporting and awareness creation should be owned and carried out by an independent group in the bank.
Fraud review councils: The council should comprise the head of the business, the head of the fraud risk management department, the head of operations supporting that particular business function and the head of information technology supporting that business function.
Component / Description:

Fraud prevention practices: Various fraud prevention practices need to be followed by banks. These include fraud vulnerability assessments (for business functions and also delivery channels), review of new products and processes, putting in place fraud loss limits, root cause analysis for actual fraud cases above Rs. 10 lakhs, reviewing cases where a unique modus operandi is involved, ensuring adequate data/information security measures, following KYC and know-your-employee/vendor procedures, ensuring adequate physical security, sharing of best practices of fraud prevention, and creation of fraud awareness among staff and customers.

Fraud detection: Quick fraud detection capability would enable a bank to reduce losses and also serve as a deterrent to fraudsters. Various important requirements recommended in this regard include setting up a transaction monitoring group within the fraud risk management group, alert generation and redressal mechanisms, a dedicated e-mail id and phone number for reporting suspected frauds, mystery shopping and reviews.

Fraud investigation: The examination of a suspected fraud or an exceptional transaction or a customer dispute/alert in a bank shall be undertaken by the fraud risk management group and the special committee.

Reporting of frauds: As per the guidelines on reporting of frauds indicated in the RBI circular dated July 1, 2010, fraud reports should be submitted in all cases of fraud of 1 lakh and above perpetrated through misrepresentation, breach of trust, manipulation of books of account, fraudulent encashment of instruments like cheques, drafts and bills of exchange, unauthorized handling of securities charged to the bank, misfeasance, embezzlement, misappropriation of funds, conversion of property, cheating, shortages, irregularities, etc.

Customer awareness on frauds: Banks should aim at continuously educating their customers and soliciting their participation in various preventive/detective measures.

Employee awareness and training: Employee awareness is crucial to fraud prevention. Training on fraud prevention practices should be provided by the fraud risk management group at various forums.
Roles and responsibilities (BCP)
Responsibility / Description:
- A senior official needs to be designated as the Head of the BCP activity or function.
- Present in each department to implement BCP department-wise.
- There need to be adequate teams for various aspects of BCP at the central office, as well as at individual controlling offices or at branch level, as required.
Component / Description:

BCP Methodology: Banks should consider various BCP methodologies and standards, like BS 25999, as inputs for their BCP framework.

Key factors to be considered for BCP design: The following factors should be considered while designing the BCP:
- probability of unplanned events, including natural or man-made disasters, earthquakes, fire, hurricanes or bio-chemical disaster;
- security threats;
- increasing infrastructure and application interdependencies;
- regulatory and compliance requirements, which are growing increasingly complex;
- failure of key third-party arrangements;
- globalization and the challenges of operating in multiple countries.

Testing a BCP: Banks must regularly test the BCP to ensure that it is up to date and effective. Testing of the BCP should include all aspects and constituents of a bank, i.e. people, processes and resources (including technology). Banks should consider having unplanned BCP drills, and should involve their Internal Auditors (including IS Auditors) to audit the effectiveness of the BCP. Various other techniques shall be used for testing the effectiveness of the BCP.
Maintenance and re-assessment of plans: BCPs should be maintained by annual reviews and updates to ensure their continued effectiveness. Changes should follow the bank's formal change management process in place for its policy or procedure documents. A copy of the BCP, approved by the Board, should be forwarded for perusal to the RBI on an annual basis.
Procedural aspects of BCP: Banks should also consider the need to put in place the necessary backup sites for their critical payment systems which interact with the systems at the Data Centres of the Reserve Bank.

Infrastructural aspects of BCP: Banks should consider paying special attention to the availability of basic amenities such as electricity, water and a first-aid box in all offices.

Human aspects of BCP: Banks must consider training more than one individual staff member for specific critical jobs. They must consider cross-training employees for critical functions and documenting operating procedures.

Technology aspects of BCP: Applications and services in the banking system are highly mission-critical in nature, and therefore require high availability and fault tolerance to be considered while designing and implementing the solution.
Organization Structure:
Responsibility / Description:
Working group

Key Recommendations:
- Banks need to follow a systematic process to develop an awareness programme through the stages of planning and design, execution and management, and evaluation and course correction.
- Awareness programmes should be customized for the specific audience, like bank customers, employees, law enforcement personnel, fraud risk professionals, media partners, etc.
- Building consensus among decision makers and stakeholders for financial and administrative support is an important step in the programme. In this respect, both fixed and variable costs need to be identified.
- Since the target groups obtain information from a variety of sources, more than one communication channel could be used to engage them successfully.
- A research group should be formed to continually update the communications team with the latest trends and evolving modus operandi.
- Evaluation of the effects of various campaigns for specific target groups can be measured through qualitative (e.g. focus groups, interviews) and/or quantitative (e.g. questionnaires, omnibus surveys) research.
- At the industry level, each bank should have a documented policy, training mechanisms and research units. Material can be pooled from these units to be used on a larger platform towards a common goal.
Responsibility / Description:

Board: The Risk Management Committee at Board level needs to put in place the processes to ensure that legal risks arising from cyber laws are identified and addressed. It also needs to ensure that the concerned functions are adequately staffed and that the human resources are trained to carry out the relevant tasks in this regard.

Legal Department: The legal function within the bank needs to advise the business groups on the legal issues arising out of the use of Information Technology with respect to the legal risks identified and referred to it by the Operational Risk Group.

Key Recommendations:
- Legal risk and operational risk are the same. Most risks are sought to be covered by documentation, particularly where the law is silent. Legal risks need to be incorporated as part of operational risks, and the position needs to be periodically communicated to the top management and the Board/Risk Management Committee of the Board.
- As the law on data protection and privacy in the Indian context is at an evolving stage, banks have to keep in view the specific provisions of the IT Act, 2000 (as amended in 2008), various judicial and quasi-judicial pronouncements and related developments in the cyber laws in India as part of legal risk mitigation measures.
- Banks are also required to keep abreast of the latest developments in the IT Act, 2000 and the rules, regulations, notifications and orders issued thereunder pertaining to bank transactions, and of emerging legal standards on digital signature, electronic signature, data protection, cheque truncation, electronic fund transfer etc., as part of the overall operational risk management process.

Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds
(Report and Recommendations)