Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices
The Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices issued by the Reserve Bank of India (RBI) is a comprehensive set of guidelines aimed at regulating and enhancing IT practices within specific financial entities. Here’s a condensed summary of its key aspects:
- Scope and Applicability:
  - Applicable to Non-Banking Financial Companies (NBFCs), Banking Companies, Credit Information Companies, and All India Financial Institutions, excluding NBFC-Core Investment Companies and local area banks.
- Key Directives:
  - IT Governance Framework: Mandates a robust governance structure, periodic risk assessments, and oversight mechanisms for IT and cyber/information security risks.
  - Role of Board of Directors: Approval and annual review of strategies and policies related to IT, Information Systems, Business Continuity, Information Security, and Cyber Security.
  - Board Level IT Strategy Committee: Establishment of a committee comprising technically competent directors that meets quarterly and oversees IT strategies.
  - Senior Management and IT Steering Committee: Responsible for executing Board-approved IT strategies, ensuring smooth IT operations, and fostering an IT risk-aware culture.
  - Head of IT Functions: Appointment of a senior-level IT official for key decision-making in IT-related matters.
  - IT Service Management: Implementation of a robust IT Service Management Framework, Service Level Management, security classification of information assets, and vendor risk assessment.
  - Capacity Management: Proactive assessment and management of capacity constraints concerning IT infrastructure.
  - Project Management: Adherence to standardized enterprise architecture planning, maintenance of an enterprise data dictionary, and formalized project management for IT projects.
  - Change Management: Documented policies and procedures for managing changes, secure and timely reviews of changes, and mechanisms for recovery from failed changes.
  - Data Migration Controls: Systematic data migration processes that ensure the integrity, completeness, and consistency of migrated data.
  - Audit Trails and Cryptographic Controls: Audit trails in IT applications that access critical information, and adherence to international cryptographic standards.
  - Access Controls: Strict access control mechanisms, documented standards and procedures, multi-factor authentication for privileged users, and supervision of elevated access entitlements.
  - Physical and Environmental Controls: Suitable controls in Data Centers and Disaster Recovery sites, including surveillance and geographical separation between them.
  - Risk Management and Compliance: Incorporation of IT-related risks in the Risk Management Policy and establishment of a robust IT and Information Security risk management framework.
- Compliance Requirements:
  - Specific directives for Incident Response and Recovery Management, VA/PT Assessments, Teleworking Controls, Business Continuity, Disaster Recovery Management, and Information Systems Audit.
The directive emphasizes the importance of a secure, efficient, and well-governed IT infrastructure within these financial entities. It outlines various controls, governance structures, and risk management practices necessary to ensure compliance and minimize IT-related risks.