Rbi Issues Guidelines To Improve Information Security And Prevent Cyber Frauds

By Author: eccuni
Total Articles: 211
Comment this article

The growing use of online banking and increased use of electronic channels for conducting transactions makes banking institutions favorite target of cybercriminals. Security breach at banks may lead to compromise of sensitive personal and financial information related to customers. Attackers may exploit vulnerabilities to gain unauthorized access, and view, extract, alter or delete privileged databases. Therefore, information security assumes high significance. Recently, Reserve Bank of India (RBI) issued guidelines on information security and preventing cyber fraud. The guidelines are part of RBI Working Group's recommendations on Information Security, Electronic Banking, Technology, Risk Management and Cyber Frauds. According to the RBI, the scope of information security not only includes information in spoken, written, printed, electronic and any other form, but also handling creation, viewing, transportation, storage and destruction of information. The guidelines require banks to have a board approved information security policy in place. The policy must be aligned to business objectives, define scope, information security ...
... organizational structure, roles and responsibilities. The policy must be annually reviewed and updated. Availability, confidentiality, integrity, authenticity and non-repudiation are considered the basic principles of information security. In the context of banks, RBI has emphasized on few more principles such as identification, authorization, accountability and auditability.

Banks must monitor the adherence of information security policy by employees and impose penalties for violation. The guidelines urge banks to define and address information security requirements during various stages of an IT assets lifecycle. The policy must provide for identification and classification of incidents, reporting procedures, evidence preservation and investigation. There must be specific policies for logical access control, e-mail security, password management, network security, Internet security, operating system security, encryption, patch management and other specific areas.

The guidelines emphasize on risk assessment, which must comprise of threat assessment, vulnerability assessment, qualitative and quantitative impact of each threat, identification and implementation of appropriate controls. The risk assessment process must identify the threats and vulnerabilities, which may affect the confidentiality, availability or integrity of IT assets.

As part of the fraud risk management, banks in India are required to establish a special committee for monitoring and follow-up of large value frauds involving INR 1 crore and above. Apart from special committee, the audit committee of the board monitors all the cases of fraud. The guidelines emphasize on creation of separate independent department to prevent, monitor, investigate, report and create awareness on frauds. RBI also recommends setting up of fraud review councils in each of the business groups of banks, which should assess preventive measures taken by respective groups on a quarterly basis.

The guidelines require banks to have proper fraud risk management mechanism in place. Fraud risk management must essentially comprise of fraud prevention practices, detection, investigation, reporting, customer awareness, employee awareness and training. The guidelines seek banks to create awareness among the customers on cyber fraud through newspapers, do's and don'ts lists on bank website, SMS alerts, messages on phone banking, messages on bank statements, advertisements in television and posters at branches and ATM centers. Online degree programs, security blogs and e-tutorials may also help customers in understanding and implementing cyber security guidelines.

Cyber security awareness among people is crucial to detect and prevent fraud and improve information security. Class-room training programs, e-learning, newsletters, online games, e-tests, detailed do's and don'ts list, discussions and e-mails may be used to create awareness among employees. IT professionals may regularly update their skills through online university degree programs. RBI has also recommended rewarding employees, who go beyond their job assignments to prevent frauds. RBI also suggests publication of details regarding such employees in bank newsletters.

Hiring professionals qualified in computer science degree and information security may help banks in identifying and mitigating threat vectors, proper implementation of information security policy and creating IT security conscious culture.