What can we learn from Reserve Bank of India's security best practices?

This is a contributed piece from Tim White, director of product management and policy compliance at Qualys


Banks have always been priority targets for theft. Willie Sutton, an American bank robber in the 1920s and 30s, is said to have stated that he robbed banks, “because that’s where the money is”. Today, the growth of online banking has meant that more attacks have moved online too.

For India, the Reserve Bank of India (RBI) is the country's central banking and monetary authority. RBI has seen the number, frequency and impact of cyber incidents on Indian banks increase substantially over the past few years. In response, the RBI put together a set of cyber security standards for banks in India. These standards provide guidance on the baseline security practices that should be in place to protect banks and their IT infrastructure against attack.

Getting security embedded in banking IT

Banks are expanding their IT spending in response to more people moving over to official bank accounts and services. Alongside specific local trends based on demonetisation and the shift away from paper currency, banks are working on digital transformation projects to serve customers more efficiently. This will lead to an increase in IT spending by banking and securities firms in India to $8.9 billion, equivalent to a growth of 8.6 percent in 2017, according to analyst firm Gartner.

As these projects are implemented, bank IT teams have a wide range of best practices to follow, as set out by the RBI. These 24 practices can be broken down into the following groups:

  1. Asset management – from putting together a full IT asset inventory, through environmental controls, secure configuration management, vulnerability and change management, and auditing and log management, to vulnerability assessment and penetration testing
  2. Software management – from preventing execution of unauthorised software through to full application lifecycle management and security
  3. Environment management – from network security and management through to vendor risk assessment and third-party security
  4. User management – from providing an authentication framework for customers to access their online services, through to education for both internal staff and customers on security requirements and anti-phishing
  5. Security management – covering the requirements for security best practice, from incident response plans and forensic investigation processes through to metric design and key risk indicators

Alongside these practices, banks have to install or update a security operations centre (SOC) to ensure that these practices are followed. The SOC is responsible for reporting on all security activities, for ensuring that the bank's Board is aware of and involved in cybersecurity strategy, and for reporting any breach if and when one takes place. To complete this set of guidance, RBI provided a template for data breach notification information that should be used for any future incident.

The main element in the RBI guidance is that security is a Board-level issue. All bank Boards must have an approved cybersecurity policy in place that sets out how the bank approaches security and risk, and that policy is shared back with the RBI. Each bank has had to consider its current technologies and approach to security, the channels it uses and its customers, as well as how to undertake continuous surveillance of operations and customer activities to prevent attacks.

Financial services and digital transformation

Based on these frameworks, all banks in India have completed their initial planning around security. However, the pace of change in the banking and financial services industry means that there are pressures in place to keep up with what is taking place in the sector.

Many banks are continuing to develop their business strategies around digital transformation. They also have to keep their security plans and processes up to date with the latest internal changes and service launches, as well as the newest security risks and attacks. Several approaches can help here:

The first key change is more integration

The development of the SOC at each bank will use information from across all the bank’s security tools and operations and use this data to monitor activity. With security information and event management (SIEM) platforms in place, banks can ensure they have a real-time overview of all operations to reduce and manage risk.

With SIEM, banks should have that integrated approach in place to spot any Indicators of Compromise (IoCs). Removing manual work from the analysis of data – for example, in audit log analysis – can keep security staff efficient and speed up the discovery of potential issues. This includes looking at how information from each security tool is shared and how APIs can be used to exchange information between the tools.
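To make the audit log point concrete, here is an added example of the kind of automated triage pass a SOC might run over authentication logs, either inside a SIEM or as a feeder into it. It is not code from the article, from Qualys, or from the RBI guidance. The log line format, the watch-list of source addresses (documentation-range placeholders, not real IoCs), and the failed-login threshold and window are all assumptions chosen for illustration; a real deployment would take the watch-list from its threat-intelligence feed and tune the thresholds to its own traffic.

```python
"""
Automated audit-log triage (illustrative example, not the article's or any
vendor's code). Two detections run over constructed auth-log lines:
  1. a source address that appears on a hypothetical IoC watch-list, and
  2. repeated failed logins from one source inside a short time window.
Findings are returned as tuples so they can be forwarded to a SIEM or ticketed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format (assumed format, not real data).
SAMPLE_LOG = """\
2017-06-01T09:00:01 authsvc login_failed user=ravi src=203.0.113.7
2017-06-01T09:00:05 authsvc login_failed user=ravi src=203.0.113.7
2017-06-01T09:00:09 authsvc login_failed user=ravi src=203.0.113.7
2017-06-01T09:00:12 authsvc login_failed user=ravi src=203.0.113.7
2017-06-01T09:00:20 authsvc login_ok user=ravi src=203.0.113.7
2017-06-01T09:03:44 authsvc login_ok user=priya src=198.51.100.23
2017-06-01T09:10:02 authsvc login_failed user=admin src=192.0.2.99
2017-06-01T09:10:30 authsvc login_ok user=anil src=198.51.100.41
"""

# Hypothetical IoC watch-list: placeholder addresses from the documentation ranges.
IOC_SRC_IPS = {"192.0.2.99"}

FAILED_LOGIN_THRESHOLD = 4                 # fire when this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... fall within this window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_indicators(log_text, ioc_ips=IOC_SRC_IPS,
                    threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Return a sorted list of (kind, src, detail) findings for the given log text."""
    findings = []
    failures = defaultdict(list)  # source address -> timestamps of failed logins
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped; a real pipeline would count them
        if rec["src"] in ioc_ips:
            findings.append(("ioc_match", rec["src"],
                             f"{rec['event']} user={rec['user']}"))
        if rec["event"] == "login_failed":
            failures[rec["src"]].append(rec["ts"])
    for src, stamps in failures.items():
        stamps.sort()
        # Sliding window: from each failure, count later failures within `window`.
        for i, start in enumerate(stamps):
            in_window = [t for t in stamps[i:] if t - start <= window]
            if len(in_window) >= threshold:
                findings.append(("repeated_failures", src,
                                 f"{len(in_window)} failed logins within {window}"))
                break  # one finding per source is enough to raise an alert
    return sorted(findings)


if __name__ == "__main__":
    for kind, src, detail in find_indicators(SAMPLE_LOG):
        print(f"{kind:18} {src:15} {detail}")
```

On the constructed sample this yields two findings: the watch-listed address 192.0.2.99 attempting an admin login, and four failed logins from 203.0.113.7 inside the window (followed by a success, which is exactly the sequence an analyst would want surfaced quickly rather than found by hand).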

The second key change for banks to consider is how automation of activities can help

With so many bank channels moving to online or mobile delivery, and with the use of cloud platforms for hosting services rising too, areas like vulnerability management and assessment have to scale up to match.

Making this simpler through automated scanning can help spot issues earlier and speed up patching. This should cover web applications, central applications and traditional IT infrastructure through to individual endpoint PCs.

The third element will be consolidation of security

Each area of security may have at least one product or service associated with it; for significant areas from network security and anti-malware through to asset management, there may be multiple products in place. While integration between these products can ease the management burden, further consolidation of products may also be considered to reduce overheads too. For products that can’t use APIs or don’t cover all the multiple platforms that banks have in place, replacement with consolidated services will beckon.

For bank IT teams, the combination of greater integration, more automation of analysis and consolidation down to fewer tools will help manage costs associated with security. Banks will continue to invest in order to achieve defence in depth, but the move to more automation will help their security teams better manage their future workloads and keep pace with their digital transformation ambitions.

