RBI Guidelines for Cyber Security Framework | Ardent Privacy

Implications of RBI Requirements

Security policy and procedures requirements:

Define and adopt a comprehensive Cyber Security Framework that includes:

  • The risks posed by cyber threats, as well as the actions to manage or reduce these risks, must be highlighted in a cyber-security strategy.
  • Banks must implement a cyber-security policy outlining a plan for combating cyber threats in light of the business's complexity and acceptable levels of risk.
  • The risk assessment approach may be used to identify major gaps in controls early on, and suitable corrective action can be recommended under the active supervision and monitoring of the IT Committee.
  • Put in place the measures specified in the Cyber Security Framework requirements.

Monitoring and surveillance of the Infrastructure:

  • Establish a cyber-security testing/assessment procedure on a regular basis to uncover vulnerabilities/security issues in the bank's infrastructure/applications.
  • Establish a Cyber Security Operations Centre (C-SOC) for proactive monitoring with advanced technologies for detection, fast reaction, and data analytics.
  • Ensure that C-SOC covers requirements defined in the guidelines.

Testing of the IT infrastructure and architecture audit:

  • Establish a cyber security testing/assessment program to identify vulnerabilities/ security flaws in Bank’s infrastructure/applications on a periodic basis.
  • Establish Cyber Security Operations Centre (C-SOC) for proactive monitoring using sophisticated tools for detection, quick response and backed by tools for data analytics.
  • Ensure that C-SOC covers requirements defined in guidelines.

Setup network and database security:

  • Conduct a thorough evaluation of network (firewall rules, port opening/closing, etc.) and database (direct database access, back-end updates, etc.) security.
  • Define and document processes for appropriate business or operational requirements to get access to networks and databases.

Securing Customer Information:

  • The bank is the owner of the customer’s personal and sensitive information it collects.
  • The bank remains responsible for securing customer information even when that information is with the customer or with a third-party vendor.

Setting up Cyber Crisis Management Plan:

  • Create a Cyber Crisis Management Plan (CCMP) that addresses the following needs during a breach: Detection, Response, Recovery, and Containment.
  • Examine the existing BCP/DR (Business Continuity Plan/Disaster Recovery) programme and ensure it is updated to satisfy the needs of modern cybersecurity.
  • Establish preventive, detective, and corrective measures to safeguard the bank against cyber threats and to identify, respond to, contain, and recover from any cyber intrusion as quickly as possible.

Testing and assessment of the cyber security plan:

  • Define indicators to assess and measure adequacy of and adherence to cyber security/resilience framework.
  • Use indicators for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals.

Incident monitoring and management processes:

  • Improve incident monitoring and management systems for information security incidents and cyber security efforts.
  • Define a process to report any abnormal cyber security incident (whether successful or failed) to the Reserve Bank of India using the methodology outlined in the guidelines.
  • Update incident management policies and processes so that cyber security incident information is sanitised and shared.

Setting up an Information Security team:

  • Examine the information security organization structure, as well as the duties and responsibilities of the CISO, to verify that cyber security problems are effectively addressed inside the Bank.

Training and awareness:

  • Hold cyber security awareness and training workshops for all important stakeholders, including the Board of Directors, top management, third-party vendors, customers, and employees.

The Trust Challenge

Challenges

The following are the issues created by the guidelines that the majority of organizations face:

Data mapping and inventory are managed manually to meet legal requirements, and the organization is unable to handle customer data centrally so that it can be controlled.

Although the guidelines do not mandate specific requirements for data destruction, one of the security precautions that must be followed is to erase sensitive data once its purpose has been served.

Organizations have no mechanism in place to generate a record of assurance that provides proof of permanent deletion.

Organizations lack the ability to detect and filter out data that is part of a breach and has been shared with unauthorized persons.

Win-Win Situation

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party “Privacy Intelligence” (monitors third party sharing): There are often silos between entities, or between business and IT teams, and it is challenging to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing” so that you can take action on it.

“Data Minimization”: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets using Machine Learning to find excess data, including personal data. This can eliminate operational inefficiencies and save cost by removing unwanted data, as well as the legal cost of holding it with respect to regulatory compliance.

“Right to be Forgotten (RTBF)” with Assured Deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating the deletion.

Enable Data subject rights with cost savings and compliance in totality: Search capability across large datasets to fulfill data subject requests in their entirety and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not reality, as customer data exists in many sources. Using Machine Learning and AI, we crawl across data sources and predict where PII can exist.
