---
title: "Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices"
date: 2023-12-06
author: "Harish Kungnavur"
url: https://ksandk.com/newsletter/master-direction-on-information-technology-governance-2/
---

# Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices

Posted On - 6 December, 2023 • By - Harish Kungnavur

The Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices issued by the Reserve Bank of India (RBI) is a comprehensive set of guidelines aimed at regulating and enhancing IT practices within specific financial entities. Here’s a condensed summary of its key aspects:

1. **Scope and Applicability:**
  - Applicable to Non-Banking Financial Companies (NBFCs), Banking Companies, Credit Information Companies, and All India Financial Institutions, excluding NBFC-Core Investment Companies and local area banks.
2. **Key Directives:**
  - **IT Governance Framework:** Mandates a robust governance structure, periodic risk assessments, and oversight mechanisms for IT and cyber/information security risks.
  - **Role of Board of Directors:** Approval and annual review of strategies and policies related to IT, Information Systems, Business Continuity, Information Security, and Cyber Security.
  - **Board Level IT Strategy Committee:** Establishment of a committee comprising technically competent directors to meet quarterly and oversee IT strategies.
  - **Senior Management and IT Steering Committee:** Responsible for executing Board-approved IT strategies, ensuring smooth IT operations, and fostering an IT risk-aware culture.
  - **Head of IT Functions:** Appointment of a senior-level IT official for key decision-making in IT-related matters.
  - **IT Service Management:** Implementation of a robust IT Service Management Framework, Service Level Management, security classification of information assets, and vendor risk assessment.
  - **Capacity Management:** Proactive assessment and management of capacity constraints concerning IT infrastructure.
  - **Project Management:** Adherence to standardized enterprise architecture planning, maintaining an enterprise data dictionary, and formalized project management for IT projects.
  - **Change Management:** Documented policies and procedures for managing changes, ensuring secure and timely reviews, and mechanisms for recovery from failed changes.
  - **Data Migration Controls:** Systematic data migration processes to ensure the integrity, completeness, and consistency of migrated data.
  - **Audit Trails and Cryptographic Controls:** Requirement for audit trails in IT applications accessing critical information and adherence to international cryptographic standards.
  - **Access Controls:** Strict access control mechanisms, documented standards/procedures, multi-factor authentication for privileged users, and supervision of elevated access entitlements.
  - **Physical and Environmental Controls:** Implementation of suitable controls in Data Centers and Disaster Recovery, including surveillance and geographical separation.
  - **Risk Management and Compliance:** Incorporation of IT-related risks in the Risk Management Policy and establishment of a robust IT and Information Security risk management framework.
3. **Compliance Requirements:**
  - Specific directives for Incident Response and Recovery Management, VA/PT Assessments, Teleworking Controls, Business Continuity, Disaster Recovery Management, and Information Systems Audit.

The directive emphasizes the importance of a secure, efficient, and well-governed IT infrastructure within these financial entities. It outlines various controls, governance structures, and risk management practices necessary to ensure compliance and minimize IT-related risks.
