New Guidelines On Information Technology Governance for Regulated Entities : RBI
The Reserve Bank of India (RBI) recently released final guidelines on information technology (IT) governance for regulated entities (REs) like banks, non-bank financial companies, credit information companies, and other financial entities.
- The REs have been mandated to put in place a robust IT governance framework covering focus areas such as strategic alignment, risk management, resource management, performance management, and Business Continuity/Disaster Recovery Management.
- This framework should specify the governance structure and processes necessary to meet the RE’s business/strategic
- The framework will specify the roles (including authority) and responsibilities of the Board of Directors, board-level Committee, and Senior Management.
- It will also address the issue of adequate oversight mechanisms to ensure accountability and mitigation of IT and cyber/information security risks.
- The enterprise-wide risk management policy or operational risk management policy will incorporate periodic assessments of IT-related risks (both inherent and potential risks).
- The Board of the RE would approve the strategies and policies related to IT, Information Assets, Business Continuity, Information Security, and Cyber Security (including Incident Response and Recovery Management/Cyber Crisis Management).
- The Board should review such strategies and policies at least annually.
- The RE will establish a Board-level IT Strategy Committee (ITSC), which will comprise a minimum of three directors.
- Its chairman would be an independent director with substantial expertise in managing/guiding information technology initiatives.
- The ITSC should meet at least on a quarterly basis.
- The committee will ensure that the RE has put an effective IT strategic planning process in place, will guide the preparation of the IT strategy, and will ensure that the IT strategy aligns with the overall strategy of the RE towards the accomplishment of its business objectives.
- The guidelines mandate REs to establish an IT steering committee with representation at senior management level from IT and business functions.
- This committee will assist the ITSC in strategic IT planning, oversight of IT performance and aligning IT activities with business needs, and will oversee the processes put in place for business continuity and disaster recovery.
- It will also ensure implementation of a robust IT architecture meeting statutory and regulatory
- Every IT application that can access or affect critical or sensitive information shall have the necessary audit and system logging capability and should provide audit trails.
- The audit trails shall satisfy an RE’s business requirements in addition to regulatory and legal requirements.
- The audit trails must be detailed enough to facilitate the conduct of audit, serve as forensic evidence when required and assist in dispute resolution, including for non-repudiation purposes.
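The audit-trail requirements above say what a log must achieve (forensic evidence, dispute resolution, non-repudiation) without prescribing a mechanism. The following is an added illustration, not part of the RBI guidelines or any RE's implementation: a tamper-evident audit trail in which every record carries an HMAC-SHA256 over its own fields and the digest of the previous record, so that an altered, deleted or re-ordered record is detected on verification. The key, actors, resources and timestamps are constructed sample values; in a real deployment the key would be held in an HSM or key-management service, not in source.

```python
"""Tamper-evident audit trail: hash-chained, HMAC-authenticated records (illustrative)."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample key for the example only; never embed a real key in code.
SAMPLE_KEY = b"example-audit-key-not-for-production"


def _canonical(obj):
    """Serialise deterministically so the MAC/digest does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_digest, actor, action, resource, outcome, ts, key):
    """Build one audit record: who did what, to which resource, with what result,
    chained to the previous record and authenticated with an HMAC."""
    body = {
        "ts": ts,
        "actor": actor,
        "action": action,
        "resource": resource,
        "outcome": outcome,
        "prev": prev_digest,
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def record_digest(record):
    """Digest of the full record (including its MAC); the next record chains to it."""
    return hashlib.sha256(_canonical(record)).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # chain anchor for the first record

    def __init__(self, key):
        self.key = key
        self.records = []

    def append(self, actor, action, resource, outcome, ts=None):
        prev = record_digest(self.records[-1]) if self.records else self.GENESIS
        ts = ts or datetime.now(timezone.utc).isoformat()
        rec = make_record(prev, actor, action, resource, outcome, ts, self.key)
        self.records.append(rec)
        return rec


def verify_trail(records, key):
    """Walk the chain from the genesis anchor.
    Returns (True, None) if intact, else (False, index_of_first_bad_record)."""
    prev = AuditTrail.GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev") != prev:          # gap, deletion or re-ordering
            return False, i
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):  # field edited
            return False, i
        prev = record_digest(rec)
    return True, None


def demo():
    """Constructed scenario: three records, then one field silently altered."""
    trail = AuditTrail(SAMPLE_KEY)
    trail.append("ops-user-1", "VIEW", "customer/4711", "success",
                 ts="2024-01-05T09:00:00+00:00")
    trail.append("ops-user-1", "UPDATE", "customer/4711/address", "success",
                 ts="2024-01-05T09:02:13+00:00")
    trail.append("admin-2", "GRANT_ROLE", "user/ops-user-1", "denied",
                 ts="2024-01-05T09:10:41+00:00")
    ok_before, _ = verify_trail(trail.records, SAMPLE_KEY)

    tampered = copy.deepcopy(trail.records)
    tampered[1]["outcome"] = "failure"      # post-hoc edit of the second record
    ok_after, bad_index = verify_trail(tampered, SAMPLE_KEY)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise against this design: the chain detects modification, deletion and re-ordering, but silent truncation of the tail is only detectable if the latest digest is periodically anchored somewhere the log writer cannot alter (a write-once store, a separate system, or a published checkpoint); and because a shared HMAC key lets the holder forge records, stronger non-repudiation calls for per-actor signatures or a key the application can use but not read.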