Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices

Posted On - 6 December, 2023 • By - Harish Kungnavur

The Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices issued by the Reserve Bank of India (RBI) is a comprehensive set of guidelines aimed at regulating and enhancing IT practices within specific financial entities. Here’s a condensed summary of its key aspects:

  1. Scope and Applicability:
    • Applicable to Non-Banking Financial Companies (NBFCs), Banking Companies, Credit Information Companies, and All India Financial Institutions, excluding NBFC-Core Investment Companies and local area banks.
  2. Key Directives:
    • IT Governance Framework: Mandates a robust governance structure, periodic risk assessments, and oversight mechanisms for IT and cyber/information security risks.
    • Role of Board of Directors: Approval and annual review of strategies and policies related to IT, Information Systems, Business Continuity, Information Security, and Cyber Security.
    • Board Level IT Strategy Committee: Establishment of a committee comprising technically competent directors to meet quarterly and oversee IT strategies.
    • Senior Management and IT Steering Committee: Responsible for executing Board-approved IT strategies, ensuring smooth IT operations, and fostering an IT risk-aware culture.
    • Head of IT Functions: Appointment of a senior-level IT official for key decision-making in IT-related matters.
    • IT Service Management: Implementation of a robust IT Service Management Framework, Service Level Management, security classification of information assets, and vendor risk assessment.
    • Capacity Management: Proactive assessment and management of capacity constraints concerning IT infrastructure.
    • Project Management: Adherence to standardized enterprise architecture planning, maintaining an enterprise data dictionary, and formalized project management for IT projects.
    • Change Management: Documented policies and procedures for managing changes, ensuring secure and timely reviews, and mechanisms for recovery from failed changes.
    • Data Migration Controls: Systematic data migration processes ensuring the integrity, completeness, and consistency of migrated data.
    • Audit Trails and Cryptographic Controls: Requirement for audit trails in IT applications accessing critical information and adherence to international cryptographic standards.
    • Access Controls: Strict access control mechanisms, documented standards/procedures, multi-factor authentication for privileged users, and supervision of elevated access entitlements.
    • Physical and Environmental Controls: Implementation of suitable controls in Data Centers and Disaster Recovery, including surveillance and geographical separation.
    • Risk Management and Compliance: Incorporation of IT-related risks in the Risk Management Policy and establishment of a robust IT and Information Security risk management framework.
  3. Compliance Requirements:
    • Specific directives for Incident Response and Recovery Management, VA/PT Assessments, Teleworking Controls, Business Continuity, Disaster Recovery Management, and Information Systems Audit.

The directive emphasizes the importance of a secure, efficient, and well-governed IT infrastructure within these financial entities. It outlines various controls, governance structures, and risk management practices necessary to ensure compliance and minimize IT-related risks.