Applicable to All the State Cooperative Banks and All District Central Cooperative Banks
National Bank for Agriculture and Rural Development (NABARD) is an apex development financial institution of the country, set up to address the need for an organizational device for resolving credit-related issues linked with rural development. Vide Ref. NO. NB. DoS. Pol. HO./3182 / J- 1/2019-20, NABARD put forth a Comprehensive Cyber Security Framework for Rural Cooperative Banks (RCBs) - A Graded Approach for time-bound implementation. Identifying and assessing the inherent risk helps RCBs reduce the vulnerability arising from the technologies adopted, delivery channels, digital products offered, and internal and external threats.
As per the framework, RCBs are categorized into four levels based on their digital depth and their interconnectedness with the payment systems landscape. The levels are defined below:
Level 1:
Criteria - All RCBs
Regulatory Prescription - Level I controls prescribed in Annexure-I
In addition to the controls, the banks may test their preparedness on cyber security by administering the Vulnerability Index on Cyber Security (VICS) tool Annexure-I A
Level 2:
Criteria - All RCBs which are sub-members of Central Payment System (CPS) and satisfy at least one of the criteria given below:
Offers internet banking facility to its customers (either view or transaction based)
Provides Mobile Banking facility through application (Smart phone usage)
Is a direct Member of CTS/IMPS/UPI.
Regulatory Prescription - Level II controls given in Annexure-II, in addition to Level I controls.
Additional controls include Data Loss Prevention Strategy, Anti-Phishing, VA/PT of critical applications.
Level 3:
Criteria - RCBs having at least one of the criteria given below:
Direct members of CPS
Having their own ATM Switch
Having SWIFT interface
Regulatory Prescription - Level III controls given in Annexure-III, in addition to Level I and II controls.
Additional controls include Advanced Real-time Threat Defense and Management, Risk based transaction monitoring.
Level 4:
Criteria - RCBs which are members/sub-members of CPS and satisfy at least one of the criteria given below:
Having their own ATM Switch and having SWIFT interface
Hosting data center or providing software support to other banks on their own or through their wholly owned subsidiaries
Regulatory Prescription - Level IV controls given in Annexure-IV, in addition to Level I, II and III controls. Additional controls include setting up of a Cyber Security Operation Center (C-SOC) (either on their own or through service providers), Information Technology (IT) and Information Security (IS) Governance Framework with higher responsibilities to be put in place within six months of issue of circular.
The Board of Directors is ultimately responsible for the information security of the bank.
RCBs shall undertake a self-assessment of the level into which they fit, based on the criteria given above.
All RCBs shall comply with the control requirements prescribed in Annexure-I within three months from the date of issuance of this circular. Similarly, Level II, III and IV RCBs are required to implement additional controls prescribed in Annexures-II, III and IV respectively.
The Vulnerability Index for Cyber Security Framework (VICS) may be used as a guidance tool for establishing cyber security controls.
Annexure-1
Baseline Cyber Security and Resilience Requirements - Level I
Inventory Management of Business IT Assets
Board approved Cyber Security Policy
Cyber Security policy should be distinct from the IT policy/IS Policy
IT Architecture/Framework should be security compliant
Cyber Crisis Management plan
Cyber Intrusions
Preventing access of unauthorized software
Environmental Controls
Network Management and Security
Secure Configuration
Antivirus and Patch Management
User Access Control/Management
Secure mail and messaging systems
Removable Media
User/ Employee / Management Awareness
Customer Education and Awareness
Backup and Restoration
Data Leak Prevention Strategy
Vendor/Outsourcing Risk Management
Supervisory Reporting Framework - Reporting of Cyber Incidents
Chief Information Security Officer (CISO)
IT Steering Committee
Information Security Committee
Audit Committee of Board (ACB)
RCBs may assess their preparedness on Level I controls on a periodic basis and use the Vulnerability Index for Cyber Security Framework (VICS) tool as guidance for the same.
Annexure-1A
The Vulnerability Index for Cyber Security Framework (VICS) covers four major areas, viz. Baseline Cyber Security Framework (CSF), Policy strength, Vendor management and Cyber Security Crisis Management Plan, through 30 major topics.
Annexure-II
Level II - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I)
Network Management and Security
Secure Configuration
Application Security Lifecycle (ASLC)
Change Management
Periodic Testing
User Access Control/Management
Authentication Framework for Customers
Anti-Phishing
User/Employee/Management Awareness
Audit Logs
Incident Response and Management
Annexure-III
Level III - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I & II)
Network Management and Security
Secure Configuration
Application Security Lifecycle (ASLC)
User Access Control
Advanced Real-time Threat Defense and Management
Maintenance, Monitoring and Analysis of Audit Logs
Incident Response and Management
Risk based transaction monitoring
Annexure-IV
Level IV - Baseline Cyber Security and Resilience Requirements (in addition to the requirements given in Annexure-I, II & III)
Arrangement for continuous surveillance - Setting up Of Cyber Security Operation Centre (C-SOC)
Expectations from C-SOC
Steps for setting up C-SOC — Technological Aspects
Participation in Cyber Drills
Incident Response and Management
Forensics and Metrics
IT Strategy and Policy
IT and IS Governance Framework
Security Team/Function
IT Strategy Committee
IT Steering Committee
Chief Information Security Officer (CISO)
Information Security Committee