Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices

This document is neither a legal interpretation nor a statement of the RBI's directive. All information is posted merely for educational
and informational purposes. It is not intended as a substitute for professional advice. Should you decide to act upon any information in
this document, you do so at your own risk.
ABOUT US

The Digital Fifth is India’s first Fintech Consulting and Advisory firm.

Since its inception in 2017, The Digital Fifth has been the go-to solution finder for Banks, NBFCs, Fintechs and other BFSI entities across the board.

We work closely with our clients to find and implement synergistic partnerships, connect with the right customers, execute product roadmaps and help them gain a unique positioning in the industry.

• Amongst the largest players in this segment in Asia
• Have mentored leading founders & digital leaders
• Recognized as strong influencers on Fintech, Digital & Open Banking
• Sizeable network in the Fintech industry


IT Master Direction by RBI is applicable to the following REs:

• Scheduled Commercial Banks (excluding Regional Rural Banks)
• Small Finance Banks
• Payments Banks
• All India Financial Institutions (NHB, NABARD, EXIM Bank, SIDBI & NaBFID)
• All NBFCs in Top, Upper and Middle Layers
• Credit Information Companies
Requirement of the Unified IT Master Direction for Regulated Entities

Single Reference Point
Instead of multiple circulars for different entities, there is now one frame of reference for all REs. It enables easy understanding and implementation of the required policies.

Unification of IT Governance for REs
A single Master Direction for all REs will ease governance and compliance management, and also make learnings and understanding interoperable across REs.

Increased Information and Cybersecurity
With the swift move towards digitalization and increasing threats, the Master Direction brings the required structure and procedures to make banking systems more secure.
Overview

RBI Master Direction
Draft Master Direction updating and consolidating the instructions relating to Information Technology (IT) Governance and Controls, Business Continuity Management and Information Systems Audit.

Applicable Date
The Directions will come into effect six months from the date of issue.

Focus on 7 Domains
The RBI Master Direction covers 7 different domains, comprehensively highlighting the policies, frameworks and controls that need to be put in place.
RBI Master Direction : 7 Chapters

01 Preliminary
02 IT Governance
03 IT Infrastructure & Service Management
04 IT Risk & Information Security
05 Business Continuity and Disaster Recovery Management
06 Information Systems (IS) Audit
07 Repeal and Other Provisions


Chapter 2: IT Governance

Robust IT Governance Framework
Comprising governance structure and processes meeting the RE’s business/strategic objectives, including:
• Oversight mechanisms to ensure accountability and mitigation of business risks
• IT Strategies and Policy approval by the Board and annual review
• Key focus areas include strategic alignment, value delivery, risk management, resource management, performance alignment and business continuity/disaster recovery management

IT Strategy Committee
Board-level IT Strategy Committee (ITSC) with a minimum of two directors as members; it must meet on a quarterly basis.

CEO
• Overall responsibility and oversight on the plan and execution of the IT Strategy

Head of IT
• Support IT functions
• First line of defence
• Effective assessment, evaluation & management of IT risk

IT Steering Committee
• Senior management representation
• Implementation of strategy
• Shall meet quarterly
Chapter 3: IT Infrastructure & Services Management

IT Services Management
• Supporting IT systems to ensure the operational resilience of the entire IT environment of the RE
• Service Level Management – effective segregation of duties
• Annual Maintenance Contract
• Appropriate vendor risk assessment and controls proportionate to the risk and materiality assessed
• Ensuring that source code for all critical applications is received from the vendors, or that a software escrow arrangement is in place

Project Management
• Adoption of new/emerging technologies or revamping of existing ones must follow a standard enterprise architecture planning methodology/framework
• Major projects with significant impact on the RE’s risk profile must be reported to the IT Strategy Committee

Capacity Management
• Assess capacity constraints in relation to past trends and business activities, and address the issues effectively
• Annual assessment of capacity vs the expectations
• Ensure availability of all service delivery channels

Change Management
• Handling any changes in technology and processes and assessing their effectiveness
• Data Migration Controls
• Audit Trails – effective log management & retention framework

Outsourcing of IT Services
• REs shall be guided by extant instructions on Outsourcing of IT Services
Chapter 4: IT Risk and Information Security

Robust IT Risk Management Framework
• Identification of the RE’s IT assets and security classification
• Objective and periodic assessment of internal and external risks
• Critical Information Infrastructure

IT Risk Metrics
• System performance, recovery and business resumption, including Recovery Point Objective (RPO) and Recovery Time Objective (RTO)

Information Security Policy & Cyber Security Policy
• ISP covers all business information and compliance of the same
• CSP includes Detection, Response, Recovery and Containment

Information Security Management
• Controls to ensure secure storage/transmission/processing of data/information
• Consider implementing security standards/control frameworks (such as ISO 27001) for critical functions

Role of CISO
• No direct reporting relationship with the Head of IT
• Drive and ensure compliance with regulations on IT and cyber security
• Invitee to the IT Strategy Committee and IT Steering Committee
• Develop cyber security KRIs and KPIs

Privacy & Access Controls
• Strong emphasis on Privacy
Chapter 5: Business Continuity and Disaster Recovery Management

Business Continuity Plan
• Adoption of best practices based on international standards such as ISO 22301
• Reducing the likelihood or impact of disruptive incidents
• Test and prepare contingencies, to ensure that the plan is up-to-date and effective
• Configurations of servers, network devices and other products at the DC and DR need to be identical

Disaster Recovery Management
• Robust DR architecture and procedures
• Periodic DR drills for critical systems
• Backup of data and periodic restoration of backed-up data for usability checks
• Alternate location to resume operations in case of breach or trouble
• For non-zero RPO scenarios, a documented methodology for data reconciliation needs to be in place
Chapter 6: Information Systems Audit

• Audit Committee of the Board (ACB) / Local Management Committee (LMC, in case of foreign banks) shall be responsible for exercising oversight of the IS Audit of the REs.
• IS Audit Policy – approved by the ACB/LMC and reviewed at least annually.
• ACB/LMC shall review critical issues highlighted related to IT/information security/cyber security and provide appropriate direction and guidance to the RE’s Management.
• IS Auditors shall act independently of the RE's management. External resources can also be used if the required skills are lacking within the RE.
• REs can adopt a risk-based audit, a continuous auditing approach for critical systems, performing control and risk assessments, or may have a standardised checklist.
• IS audit reports shall be placed before Senior Management and the ACB, and compliance shall be ensured within the time frame outlined in the audit policy of the RE.
Chapter 7: Repeal and other provisions

All previous guidelines/circulars/directions covering the following topics have been repealed:
• Risks and Control in Computer and Telecommunication Systems
• Information System Audit – A Review of Policies and Practices
• Operational Risk Management – Business Continuity Planning
• Business Continuity/Disaster Recovery Planning
• Phishing Attacks
• Disaster Recovery (DR) drill and Vulnerability Assessment – Penetration Testing (VAPT)
• Sharing of Information Technology Resources by Banks – Guidelines
• Information Security
• Security Incident Tracking Platform - Reporting thereon
• Risk Governance Framework-Role of Chief Information Security Officer (CISO)

Two major circulars have been kept outside the scope of the RBI IT Master Direction:
• Draft Master Direction on Outsourcing of Information Technology (IT) Services
• RBI Guidelines on Cyber Security
Impact

Impact on CICs & NBFCs
Alignment of the structure, IT controls, policies and framework under the new direction.

Strengthening Partnership
Strengthening partnerships between Banks & Fintechs by providing comprehensive IT guidelines and controls to implement.

Impact on Payments Banks & SFBs
• Not many specific, comprehensive guidelines were present for Payments Banks & SFBs
• The Unified IT Master Direction covers all the different IT measures

Assurance of Security & Privacy
Assuring the Indian Financial Ecosystem with regard to Information Security and Data Security.
How can we help you?

Compliance Advisory and Process Services
• Gap Assessment – assessing gaps against the standard RBI guidelines/directions/regulations
• Development of policy and procedures, and implementing policy control measures and mechanisms
• Governance & Risk Management Framework
• Implementation of ISO standards such as ISO 22301 & ISO 27001
• RBI Audit Preparedness and Compliance Management/Review
Stay Connected
Kindly reach out to us with your valuable feedback!

shashank@thedigitalfifth.com
TheDigitalFifth.com
linkedin.com/company/thedigitalfifth
twitter.com/thedigitalfifth
youtube.com/c/thedigitalfifth
91springboard Lotus, Andheri East
