Cyber Security Framework for Banks

Questions and Answers

According to the RBI's cyber security guidelines, what is the required approach for banks regarding their cyber security policies and technologies?

  • Adopt the same cyber security measures as other banks to maintain uniformity.
  • Pro-actively create, fine-tune, and modify policies based on new developments and emerging concerns. (correct)
  • Implement measures that remain static over time to ensure consistency.
  • Focus solely on reactive measures, addressing incidents only as they occur.

Why should a bank's Cyber Security Policy be distinct from its broader IT or IS Security policy?

  • To reduce the overall compliance burden by consolidating security efforts.
  • To highlight the specific risks from cyber threats and the measures to address them. (correct)
  • To ensure that cyber security risks are managed by a separate, specialized team.
  • To align with international standards that mandate separate policies.

What is the primary purpose of a Security Operations Centre (SOC) in the context of cyber security for banks?

  • To ensure continuous surveillance and stay updated on emerging cyber threats. (correct)
  • To conduct regular audits of the bank's physical security infrastructure.
  • To manage the bank's IT infrastructure and provide technical support to employees.
  • To serve as a physical location for storing sensitive customer data.

When should banks report cyber security incidents to the Reserve Bank of India (RBI)?

For all unusual cyber security incidents, whether successful or unsuccessful, within a specified timeframe. (A)

According to the guidelines, what should banks consider as part of their Cyber Crisis Management Plan (CCMP)?

That traditional BCP/DR arrangements might be inadequate and need to be revisited. (C)

What key aspects should a Cyber Crisis Management Plan (CCMP) address?

Detection, Response, Recovery and Containment (A)

Who should have a fair degree of awareness of the fine issues related to cyber threats?

The entire organization, staff at all levels and the Top Management and Board (C)

Why is collaboration in sharing cyber-incidents and best practices important?

Facilitates timely measures in containing cyber-risks (B)

What key aspect should banks consider when designing their IT architecture to ensure security?

Facilitating security measures to be in place at all times. (B)

What should banks do with the risk cost/potential cost trade off decisions?

Record them in writing to enable an appropriate supervisory assessment subsequently (B)

Why is it essential to thoroughly review network security in every bank, particularly regarding network/database connections?

To prevent unauthorized access and address vulnerabilities from connections left open due to oversight. (B)

When banks depend on technology and cutting-edge digital products, what should they do with the customer information?

Take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same (B)

According to Annex 1, what should an up-to-date inventory of Assets include?

Business data/information including customer data/information, business applications, supporting IT infrastructure and facilities hardware/software/network devices, key personnel, services, etc. indicating their business criticality. (B)

According to the cybersecurity framework in Annex 1, what factors should be considered when appropriately managing and providing protection within and outside an organization's borders or network?

Taking into consideration how the data/information are stored, transmitted, processed, accessed and put to use within/outside the bank's network, and level of risk they are exposed to depending on the sensitivity of the data/information. (C)

According to the cybersecurity framework in Annex 1, what is the best way to handle unauthorised software and applications?

Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications on such devices/systems (C)

What should organizations do when patches are released?

Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-in and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. (A)

What should organizations do with respect to environmental controls?

Put in place appropriate environmental controls for securing location of critical assets providing protection from natural and man-made threats. (B)

According to cybersecurity best practices in Annex 1, how should organizations manage the interconnection of their LAN/WAN interfaces with external networks?

Periodically evaluate the access device configurations and patch levels to ensure that all access points, nodes between bank's network to external network and interconnections with partner, vendor and service provider networks are to be securely configured. (C)

If there are applications that are integrated, how should this be handled?

Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes, configuration baseline that ensure integrity of any changes thereto (C)

How can companies ensure that login attempts aren't compromised?

Implement controls to minimize invalid logon counts, deactivate dormant accounts (D)

What is a component that needs to be implemented for customers?

Implement authentication framework/mechanism to provide positive identity verification of bank to customers. (D)

How should banks treat all information resources online/in person?

Reserve Bank of India shall have access to all information resources (online/in person) that are consumed by banks, to be made accessible to RBI officials by the banks when sought, though the infrastructure/enabling resources may not physically be located in the premises of banks. (D)

What actions should organizations take to prevent malware?

Advanced Real-time Threat Defence and Management: Build a robust defense against the installation, spread, and execution of malicious code at multiple points in the enterprise. (D)

What types of protection must organizations implement?

Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices (Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralised management and monitoring. (B)

In addition to anti-virus, what web gateway protection is advisable?

Consider implementing secure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway (A)

What are some requirements for log settings?

Implement and periodically validate settings for capturing of appropriate logs/audit trails of each device, system software and application software, ensuring that logs include minimum information to uniquely identify the log for example by including a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or event and/or transaction. (D)

One of the expectations from an SOC is:

Ability to Provide real-time/near-real time information on and insight into the security posture of the bank (B)

What are the minimum requirements for Level 1 monitoring staff?

The Level 1 monitoring by adequately trained staff working round the clock is the first step. They need to have training and product/ vendor certification to handle the tasks efficiently. (A)

What are some of the most important skills for the top level staff?

Level 3 staff are called the SoC analysts. They have profound knowledge of security, perform deep packet analysis, collection of IOC, forensic knowledge for collection of evidence, malware reverse engineering and write custom scripts whenever required. (A)

What are some issues that banks face when hiring and managing people for SOC?

Banks need to seriously consider practical ways of tackling the following issues when it comes to hiring and managing staff/people for SOC. It is not any other function in the bank. There has to be a different approach because such personnel with required skill sets that are hard to find and retain. (C)

During a Cyber Security Incident Reporting, what needs to be reported to the RBI?

Security Incident Reporting (SIR) to RBI (within two to 6 hours): (D)

During a Cyber Security Incident Reporting, what is a detail that must be reported related to incidents?

Date and time of incident detection (A)

According to cybersecurity framework, how should organizations treat all information resources online/in person?

Reserve Bank of India shall have access to all information resources (online/in person) that are consumed by banks, to be made accessible to RBI officials by the banks when sought, though the infrastructure/enabling resources may not physically be located in the premises of banks. (B)

Flashcards

Cyber Security Framework

A framework for banks to protect IT operations.

Cyber-security Policy

A directive for banks to immediately establish a cybersecurity policy.

Distinct Cyber Security Policy

The need for a cybersecurity policy to be distinct and separate from the broader IT policy.

Continuous Surveillance

Continuous vulnerability assessments to detect unanticipated cyber-attacks.

Security Operations Centre (SOC)

A center that ensures continuous surveillance and keeps updated on emerging cyber threats.

Security-Conducive IT Architecture

A bank's IT architecture should facilitate security measures at all times.

Controlled Network Access

Unauthorized access to networks and databases is not allowed, using well-defined processes.

Data protection

Protecting the Confidentiality, Integrity, and Availability of customer information.

Cyber Crisis Management Plan (CCMP)

A plan for banks to manage and respond to cyber incidents.

CCMP Four Aspects

Detection, Response, Recovery, and Containment.

Cyber Resilience Assessment

Assessing the adequacy of cyber resilience through indicators and compliance checks.

Reporting Cyber Incidents

Banks need to report all unusual cybersecurity incidents.

Incident Reporting

Banks are required to report details on information security incidents including cyber-incidents to RBI.

Gap Assessment

Identify gaps in security controls early, take remedial action, and have a report ready.

Review Organization

Review organizational structures to ensure security concerns are addressed and escalated.

Cyber-security awareness

High awareness of cyber risks at all staff levels

Patch management

A documented risk-based strategy to minimize the number of vulnerable systems.

Secure Access

To provide secure access to bank assets and services from within/outside the bank's network.

Security Incident Response

Preventing, detecting, and responding to security incidents.

SOC Expectations

To protect critical business, customer data/information and demonstrate compliance.

SOC Responsibilities

To monitor, analyze and escalate security incidents.

Data protection

Appropriately manage and provide protection within and outside the organisation borders/network

Data classification

Classify data/information based on information classification/sensitivity criteria of the bank

Asset Inventory

Maintaining an up-to-date inventory of assets.

IT Sub-committee

Reviewed at the IT Sub-committee level.

Study Notes

Cyber Security Framework

  • Issued on Jyeshtha 12, 1938 (saka), June 2, 2016
  • A letter addressed to the Chairman/ Managing Director /Chief Executive Officer of All Scheduled Commercial Banks (excluding Regional Rural Banks)

Introduction

  • The use of IT by banks has significantly increased and is essential to banks' operational strategies

  • The Reserve Bank provided guidelines via Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, including:

    • Information Security
    • Electronic Banking
    • Technology Risk Management
    • Cyber Frauds (G.Gopalakrishna Committee)
  • Banks must proactively adjust policies, procedures, and technologies to address new developments and concerns, as measures suggested for implementation cannot be static.

  • Technology use by banks has gained momentum

  • The number, frequency, and impact of cyber incidents/attacks on the financial sector has increased

  • Highlights the urgent need for a cyber-security/resilience framework and adequate cyber-security preparedness.

  • Resilience of the banking system must be enhanced

  • Defenses for addressing cyber risks must be improved, including an adaptive Incident Response, Management, and Recovery framework to deal with disruptions.

Need for a Board Approved Cyber-Security Policy

  • Banks should create a cyber-security policy that explains the strategy for combating cyber threats, considering business complexity and risk, approved by the Board
  • A confirmation may be communicated to Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Reserve Bank of India, Central Office, World Trade Centre-I, 4th Floor, Cuffe Parade, Mumbai 400005, no later than September 30, 2016.

Cyber Security Policy Distinction

  • Cyber Security Policy should be distinct from the broader IT policy/IS Security Policy
  • Should highlight the risks from cyber threats and ways to mitigate them

Inherent Risks and Controls

  • Size, systems, technological complexity, digital products, stakeholders, and threat perception vary from bank to bank
  • It is of utmost importance to identify the inherent risks and controls for an appropriate cyber-security framework
  • Banks must consider adopted technologies, alignment with business and regulatory requirements, connections established, delivery channels, online/mobile products, technology services, organizational culture, and internal & external threats when assessing risks.
  • Banks should categorize riskiness (low, moderate, high, very high) based on the level of inherent risks.
  • Risk should also be factored in
  • Banks should outline:
    • Board oversight
    • Policies
    • Processes
    • Cyber risk management architecture (experienced resources)
    • Training and culture
    • Threat intelligence gathering arrangements
    • Monitoring and analyzing threat intelligence
    • Information sharing arrangements
    • Cyber security controls
    • Vendor management
    • Incident management & response

Continuous Surveillance Arrangement

  • Testing for vulnerabilities at reasonable intervals.
  • A SOC (Security Operations Centre) must be set up to ensure continuous surveillance and stay updated on the latest cyber threats

IT Architecture and Security

  • IT architecture should facilitate the implementation of security measures.
  • Should be reviewed by the IT Sub Committee, upgraded as needed.
  • Risk cost/potential cost trade off decisions should be documented for supervisory assessment

Cyber Security and Resilience Framework

  • An indicative, but not exhaustive, minimum baseline cyber security and resilience framework to be implemented is provided in Annex 1
  • Banks should proactively initiate the process of setting up and operationalizing a Security Operations Centre (SOC) to monitor and manage cyber risks in real time
  • An indicative configuration of the SOC is given in Annex 2.

Network and Database Security

  • There is a need to thoroughly review network security in every bank
  • Connections to networks/databases allowed for business needs must be closed when no longer needed to avoid cyber-attacks
  • Unauthorized access to networks and databases is not allowed
  • Responsibility over networks and databases should rest with bank officials.

Customer Information Protection

  • Banks depend on technology and collect personal information
  • Banks, as data owners, should preserve the Confidentiality, Integrity, and Availability of data regardless of location
  • Confidentiality should not be compromised, systems and processes should be implemented across the data lifecycle.

Cyber Crisis Management Plan

  • A CCMP should be evolved as part of the Board's strategy; traditional BCP/DR arrangements may not be adequate
  • Currently, CERT-In takes initiatives to strengthen cyber-security, such as proactive and reactive services as well as threat intelligence
  • CERT-In has released the National Cyber Crisis Management Plan and Cyber Security Assessment Framework
  • Guidance from CERT-In/NCIIPC/RBI/IDRBT may be referred to when formulating the CCMP

CCMP Aspects

  • Detection
  • Response
  • Recovery
  • Containment
  • Banks should prevent cyber-attacks, detect intrusions promptly, and recover/contain fallout
  • Banks should be prepared for 'zero-day' attacks, remote access threats, and targeted attacks
  • Banks should take steps in addressing cyber threats including:
    • Denial of service
    • Distributed denial of services (DDoS)
    • Ransomware/cryptoware
    • Destructive malware
    • Business email frauds (spam, phishing, spear phishing, whaling, vishing)
    • Drive-by downloads
    • Browser gateway fraud
    • Ghost administrator exploits
    • Identity frauds
    • Memory update frauds
    • Password related frauds

Cyber Security Preparedness Indicators

  • Adequacy of cyber resilience framework should be assessed using indicators for risk/preparedness
  • Indicators for testing via compliance checks/audits by professionals
  • Stakeholder awareness may be part of assessment

Sharing Information with RBI

  • Banks are reluctant to share cyber incidents
  • Globally, sharing cyber-incidents and best practices is seen to facilitate timely measures in containing cyber-risks
  • Banks need to report all unusual cyber-security incidents to the Reserve Bank
  • Banks should participate in CISOs' Forum per IDRBT and report incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT
  • Collaborative efforts share threat intelligence, alerts, and proactive cyber security.

Supervisory Reporting

  • Summary and detailed information on information security incidents, including cyber-incidents, is collected by the RBI
  • Banks must promptly report incidents in Annex-3 format

Preparedness Assessment

  • Material control gaps may be identified and remediated with IT Sub Committee and Board oversight
  • Identified gaps, measures, milestones, timelines, and measurement criteria should be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office by July 31, 2016, by the Chief Information Security Officer.

Organizational Arrangements

  • Banks should ensure security concerns are appreciated, addressed, and escalated for quick action

Cyber Security Awareness

  • Managing cyber risk requires commitment
  • High levels of awareness among staff at all levels and familiarity at the Board level are needed
  • Banks should promote understanding of cyber resilience among stakeholders and implementation/testing

Stakeholders and Awareness

  • Stakeholders' (customers, employees, partners, and vendors) awareness of cyber-attacks helps security preparedness
  • Banks should enhance awareness
  • The Board of Directors and Top Management should be up to speed in cyber-security, and banks should take immediate steps.

Board of Directors

  • A copy of this circular may be placed before the Board of Directors at its ensuing meeting

Annex 1 - Baseline Cyber Security and Resilience Requirements

  • Requirements to be put in place by banks to achieve baseline cyber-security/resilience
  • May be evaluated periodically to incorporate emerging risks
  • Important security controls for effective cyber security, as articulated by CERT-In, may also be referred to

IT Sub-Committee and Board

  • The framework should be reviewed in light of growing technology adoption and threats
  • Board involvement and guidance would set the tone

Cyber Security Operations Centre

  • Should have the capacity to monitor various logs/incidents in real time/near real time
  • Should keep vigil and constantly remain alert

Security and Configuration

  • While hardware devices and software applications may provide security, it is important to configure them appropriately
  • Human resources are the key
  • Ensure that they are provided with appropriate training
  • Communicate the security policy of the bank periodically

Inventory Management of Business IT Assets

  • Maintain an up-to-date inventory of Assets, including business data/information including customer data/information, business applications, supporting IT infrastructure and facilities hardware/software/network devices, key personnel, etc
  • Indicate their business criticality
  • The banks may have their own framework/criteria for identifying critical assets

Classifying Data/Information

  • Classify data/information based on information classification/sensitivity criteria of the bank

Protection

  • Appropriately manage and provide protection within and outside organisation borders/network taking into consideration how the data/information are stored, transmitted, processed, accessed and put to use within/outside the bank’s network, and level of risk they are exposed to depending on the sensitivity of the data/information

Preventing Execution of Unauthorized Software

  • Maintain an up-to-date and preferably centralised inventory of authorized/unauthorized software(s)
  • Consider implementing whitelisting
  • Have mechanism to centrally/otherwise control installation of software applications on end-user PCs, laptops, workstations, servers, mobile devices, etc
  • Block/prevent and identify installation and running of unauthorized software/applications on such devices/systems

Patch Release

  • Continuously monitor the release of patches by various vendors/OEMs, advisories issued by CERT-in and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank
  • Patches released by the OEM/manufacturer/vendor for protection against well-known/well-publicized/reported attacks exploiting the vulnerability patched should be applied as expedited emergency patches

Exceptions Framework

  • Have a clearly defined framework for exceptions, covering the requirements justifying the exception(s), the duration of exception(s), the process of granting exceptions, the authority for approving them, and periodic review, by appropriate officer(s), of the exceptions granted

Environmental Controls

  • Put in place appropriate environmental controls for securing location of critical assets providing protection from natural and man-made threats
  • Put in place mechanisms for monitoring of breaches/compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts, access logs, etc
  • Appropriate physical security measures shall be taken to protect the critical assets of the bank

Network Management and Security

  • Prepare and maintain an up-to-date network architecture diagram at the organisation level including wired/wireless networks
  • Maintain an up-to-date/centralized inventory of authorized devices connected to bank’s network and devices enabling the bank’s network
  • The bank may consider implementing solutions to automate network discovery and management

Network Device Configuration

  • Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security
  • Put in appropriate controls to secure wireless local area networks, wireless access points, wireless client access systems
  • Have mechanisms to identify authorized hardware/mobile devices, ensure connectivity only when they meet the security requirements prescribed by the bank
  • Have mechanism to automatically identify unauthorized device connections to the bank’s network and block such connections
  • Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices, and endpoints
  • Establish SOP for all major IT activities including for connecting devices to the network
  • The Security Operations Centre should monitor the logs of various network activities and should have the capability to escalate any abnormal / undesirable activities
  • Boundary defenses should be multi-layered with properly configured firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS
  • Put in place mechanisms to filter both inbound and outbound traffic

Secure Configuration

  • Document and apply baseline security requirements/configurations to all categories of devices, throughout the lifecycle and carry out reviews periodically
  • Periodically evaluate critical device configurations and patch levels for all systems in the bank’s network

Application Security Life Cycle

  • Incorporate/Ensure information security across all stages of application life cycle
  • In respect of critical business applications, banks may consider conducting source code audits by professionally competent personnel/service providers or have assurance from application providers/OEMs that the application is free from embedded malicious/fraudulent code
  • Secure coding practices may also be implemented for internally/collaboratively developed applications
  • Besides business functionalities, security requirements relating to system access control, authentication, transaction authorization, data integrity, system activity logging, audit trail, session management, security event tracking and exception handling are required to be clearly specified at the initial and ongoing stages of system development/acquisition/implementation
  • Development test and production environments need to be properly segregated
  • Software/Application development approach should be based on threat modelling, incorporate secure coding principles and security testing based on global standards and secure rollout
  • Software/application development practices should proactively address vulnerabilities based on best-practice baselines such as the Open Web Application Security Project (OWASP) and adopt the principle of defence-in-depth to provide a layered security mechanism
  • Consider implementing measures such as installing "containerized" apps on mobile/smart phones for exclusive business use, encrypted and separated from other smartphone data/applications
  • Measures to initiate a remote wipe on the containerized app, rendering the data unreadable, in case of requirement may also be considered

Adoption of New Technologies

  • Ensure that the adoption of new technologies is adequately evaluated for existing/evolving security threats, and that the bank's IT/security team reaches a reasonable level of comfort and maturity with such technologies before they are introduced for the bank's critical systems

Patch/Vulnerability & Change Management

  • Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure
  • Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running on end-user devices directly connected to the internet, and to server operating systems/databases/applications/middleware

Change Management

  • Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes
  • Maintain a configuration baseline that ensures the integrity of any changes thereto
  • Periodically conduct vulnerability assessment and penetration testing (VA/PT) of internet-facing web/mobile applications, servers and network components throughout their lifecycle
  • As a threat mitigation strategy, identify the root cause of incident and apply necessary patches to plug the vulnerabilities
  • Periodically evaluate the access device configurations and patch levels to ensure that all access points, nodes between different VLANs in the Data Centre and partner networks are securely configured

User Access Control / Management

  • Provide secure access to the bank’s assets/services from within/outside bank’s network by protecting data/information at rest and in-transit
  • Carefully protect customer access credentials such as logon user-id, authentication information and tokens, access profiles, etc. against leakage/attacks
  • Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need to know basis and for specific duration when it is required following an established process
  • Implement centralized authentication and authorization system including enforcement of strong password policy
  • Implement appropriate systems and controls to allow, manage, log and monitor privileged Access
  • Implement controls to minimize invalid logon counts, deactivate dormant accounts
  • Monitor any abnormal change in pattern of logon
  • Implement measures to control installation of software on PCs/laptops etc
  • Implement controls for remote management/wiping/locking of mobile devices including laptops etc
  • Implement measures to control use of VBA/macros in office documents, control permissible attachment types in email systems

Authentication Framework for Customers

  • Implement an authentication framework/mechanism that provides positive identity verification of the bank to its customers
  • Customer identity information should be kept secure
  • Banks should act as the identity provider for identification and authentication of customers accessing partner systems, using secure authentication technologies

Secure Mail and Messaging Systems

  • Implement secure mail and messaging systems that include measures to prevent email spoofing (e.g., SPF, DKIM and DMARC)
  • Document and implement email server specific controls
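One concrete anti-spoofing measure is for the bank's mail gateway to enforce DMARC on inbound mail: a message claiming to be From: the bank's domain is accepted only if SPF or DKIM passes for a domain aligned with that From: domain, otherwise the published policy (quarantine/reject) is applied. The following is an added example, not code from the RBI framework or any bank's gateway: the domain names, the DMARC records and the messages are constructed, the DNS lookup is replaced by a dictionary, and organizational domains are approximated by the last two labels (a real implementation must use the Public Suffix List and honour tags such as `sp=` and `pct=`, which are not handled here).

```python
"""Evaluate DMARC disposition for inbound messages from SPF and DKIM results.
Added example; DNS records and messages are constructed, and organizational
domain lookup is a simplification of what a production gateway must do."""

# Constructed records, standing in for TXT lookups of _dmarc.<domain>.
DMARC_RECORDS = {
    "examplebank.test": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@examplebank.test",
    "partner.test": "v=DMARC1; p=quarantine",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment is the RFC default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Assumption: two-label organizational domain. Real code needs the PSL.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_domain, auth_domain, mode):
    """Identifier alignment: strict requires equality, relaxed shares the org domain."""
    if not auth_domain:
        return False
    h, a = header_domain.lower(), auth_domain.lower()
    return h == a if mode == "s" else org_domain(h) == org_domain(a)


def dmarc_disposition(msg, records=DMARC_RECORDS):
    """msg keys: from_domain, spf_result, spf_domain, dkim_result, dkim_domain.
    Returns (disposition, reason) where disposition is pass/none/quarantine/reject."""
    from_domain = msg["from_domain"].lower()
    # Exact-domain record first, then the organizational domain's record.
    record = records.get(from_domain) or records.get(org_domain(from_domain))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "none", "no DMARC policy published"
    spf_ok = msg.get("spf_result") == "pass" and aligned(
        from_domain, msg.get("spf_domain", ""), policy["aspf"])
    dkim_ok = msg.get("dkim_result") == "pass" and aligned(
        from_domain, msg.get("dkim_domain", ""), policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM")
    return policy["p"], "no aligned authenticated identifier"


# Constructed test messages (authentication results as a gateway would supply).
SAMPLE_MESSAGES = {
    "legit": {"from_domain": "examplebank.test", "spf_result": "pass",
              "spf_domain": "bounce.examplebank.test", "dkim_result": "pass",
              "dkim_domain": "examplebank.test"},
    # Attacker's own domain passes SPF, but it is not aligned with From:.
    "spoof": {"from_domain": "examplebank.test", "spf_result": "pass",
              "spf_domain": "attacker.test", "dkim_result": "none", "dkim_domain": ""},
    # DKIM d= is a subdomain; adkim=s makes that a misalignment.
    "strict_fail": {"from_domain": "examplebank.test", "spf_result": "fail",
                    "spf_domain": "examplebank.test", "dkim_result": "pass",
                    "dkim_domain": "mail.examplebank.test"},
    # Subdomain From: with no record of its own falls back to the org record.
    "subdomain": {"from_domain": "alerts.examplebank.test", "spf_result": "pass",
                  "spf_domain": "alerts.examplebank.test", "dkim_result": "none",
                  "dkim_domain": ""},
    "partner": {"from_domain": "partner.test", "spf_result": "fail",
                "spf_domain": "other.test", "dkim_result": "pass",
                "dkim_domain": "mail.partner.test"},
    "unknown": {"from_domain": "nowhere.test", "spf_result": "pass",
                "spf_domain": "nowhere.test", "dkim_result": "none", "dkim_domain": ""},
}

if __name__ == "__main__":
    for name, m in SAMPLE_MESSAGES.items():
        print(name, dmarc_disposition(m))
```

The "spoof" case is the one the control is for: SPF passes for the attacker's own envelope domain, but because that domain is not aligned with the From: header the bank's `p=reject` policy applies. The "strict_fail" case shows why `adkim=s` must be chosen deliberately: mail signed with a subdomain selector is rejected even though the signature is valid.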

Vendor Risk Management

  • Banks shall be accountable for ensuring appropriate management and assurance on security risks in outsourced and partner arrangements
  • Banks shall carefully evaluate the need for outsourcing critical processes and selection of vendor/partner based on comprehensive risk assessment
  • Conduct effective due diligence, oversight and management of third party vendors/service providers & partners
  • Establish an appropriate framework to review, control and monitor the risks and materiality of all its vendors
  • Banks shall ensure and demonstrate that the service provider adheres to all regulatory and legal requirements of the country
  • Banks should enter into agreements that provide for a right of audit

Access to Information

  • Information resources (online or in person) consumed by banks shall be made accessible to RBI officials when sought
  • Banks have to adhere to legal and regulatory requirements relating to the geographical location of infrastructure and the movement of data
  • Banks shall satisfy themselves thoroughly about the credentials of vendor/third-party personnel accessing and managing the bank's critical assets, and should have agreements in place with them

Removable Media

  • Define and implement policy for restriction and secure use of removable media
  • Limit media types and information that could be transferred
  • Scan removable media for malware/viruses prior to use
  • Consider implementing centralized policies for removable media
  • As default rule, use of removable devices and media should not be permitted

Threat Defence and Management

  • Build a robust defence against malicious code
  • Implement Anti-malware, antivirus protection
  • Consider implementing whitelisting

Web Gateways

  • Consider implementing secure web gateways
  • Subscribe to anti-phishing and anti-rogue (e.g., rogue/look-alike website takedown) services
  • Develop a data loss/leakage prevention strategy to safeguard sensitive data
  • Protect data copied to other digital devices (e.g., backup media) and at the facilities where it is held

Audit Logs

  • Consult stakeholders to identify the log data that must be captured, including logs of user actions
  • Analyse captured logs in a managed way to detect potential risks

Audit Settings

  • Apply audit settings on all systems and validate that they are in effect
  • Assess the vulnerability of internet-facing systems
  • Periodically conduct risk assessments
  • Remediate identified weaknesses immediately

Penetration Testing

  • Periodically conduct vulnerability assessment and penetration testing exercises for all the critical systems, particularly those facing the internet.
  • The vulnerabilities detected are to be remedied promptly in terms of the bank’s risk management/treatment framework so as to avoid exploitation of such vulnerabilities.

System Testing and Monitoring

  • Penetration test public-facing systems
  • Monitor systems continuously as part of the information security process
  • Use red teams to assess vulnerabilities from an attacker's perspective
  • Evaluate how systems and teams perform through cyber drills

Incident Response

  • Develop and document a proper incident response program
  • Establish proper communication procedures for use during an incident
  • Establish the response program so that it is tested and ready before an incident occurs

Recovery

  • Establish BCP/DR capabilities
  • Establish appropriate recovery procedures
  • Protect recovery resources (e.g., backups) so that they remain available during an incident
  • Establish training and contact procedures for recovery

Building Blocks for Cyber SoC

  • Building blocks for C-SOC operations include:
  • Incident detection methods
  • Methods for implementing the C-SOC
  • Operational information, including implementation and data extraction strategies

Risk Based Transactions

  • Risk-based transaction monitoring covers:
  • Fraud monitoring of transactions
  • Customer identification
  • Monitoring of performance metrics
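Risk-based transaction monitoring means scoring each transaction against the customer's established behaviour and deciding, per transaction, whether to allow it, require step-up authentication, or block it. The following is an added example, not part of the RBI annex or of any bank's fraud engine: the customer profile, the risk signals, the weights, the 10-minute velocity window and the decision thresholds are all constructed assumptions.

```python
"""Risk-based transaction scoring with allow / step-up / block decisions.
Added example; profile, weights, thresholds and transactions are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed behavioural profile, as if derived from the customer's history.
PROFILE = {
    "cust-1001": {
        "avg_amount": 4_000.0,
        "devices": {"dev-a1"},
        "countries": {"IN"},
        "beneficiaries": {"acct-77"},
    }
}

VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3        # prior transactions inside the window that trigger the signal
STEP_UP_AT = 3            # score thresholds (assumed policy values)
BLOCK_AT = 6


def score_transaction(txn, profile, recent):
    """Return (score, reasons). `recent` holds timestamps of the customer's
    earlier accepted transactions."""
    score, reasons = 0, []
    if txn["amount"] > 5 * profile["avg_amount"]:
        score += 3; reasons.append("amount>5x-average")
    elif txn["amount"] > 2 * profile["avg_amount"]:
        score += 1; reasons.append("amount>2x-average")
    if txn["device"] not in profile["devices"]:
        score += 2; reasons.append("new-device")
    if txn["country"] not in profile["countries"]:
        score += 2; reasons.append("new-country")
    if txn["beneficiary"] not in profile["beneficiaries"]:
        score += 1; reasons.append("new-beneficiary")
    burst = [t for t in recent if txn["ts"] - t <= VELOCITY_WINDOW]
    if len(burst) >= VELOCITY_LIMIT:
        score += 2; reasons.append("velocity")
    return score, reasons


def decide(score):
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def process(transactions, profiles=PROFILE):
    """Process transactions in time order. Returns (id, decision, score, reasons).
    Blocked transactions are excluded from velocity history; step-up ones are
    included (assumption: the customer completes the second factor)."""
    history, out = defaultdict(list), []
    txns = [dict(t, ts=datetime.strptime(t["ts"], "%Y-%m-%dT%H:%M:%SZ")) for t in transactions]
    for txn in sorted(txns, key=lambda t: t["ts"]):
        profile = profiles[txn["customer"]]
        score, reasons = score_transaction(txn, profile, history[txn["customer"]])
        decision = decide(score)
        if decision != "block":
            history[txn["customer"]].append(txn["ts"])
        out.append((txn["id"], decision, score, reasons))
    return out


def _t(i, ts, amount, device="dev-a1", country="IN", beneficiary="acct-77"):
    return {"id": i, "customer": "cust-1001", "ts": ts, "amount": amount,
            "device": device, "country": country, "beneficiary": beneficiary}


# Constructed transaction stream for one customer.
SAMPLE_TXNS = [
    _t("T1", "2024-03-01T10:00:00Z", 3_000),
    _t("T2", "2024-03-01T10:05:00Z", 9_000, beneficiary="acct-90"),
    _t("T3", "2024-03-01T10:10:00Z", 25_000, device="dev-b7", country="GB",
       beneficiary="acct-90"),
    _t("T4", "2024-03-01T10:20:00Z", 500),
    _t("T5", "2024-03-01T10:22:00Z", 700),
    _t("T6", "2024-03-01T10:24:00Z", 600),
    _t("T7", "2024-03-01T10:26:00Z", 9_000),
]

if __name__ == "__main__":
    for row in process(SAMPLE_TXNS):
        print(row)
```

In the sample stream T3 combines a large amount, a new device and a new country and is blocked outright; T7 is an ordinary-looking amount that is pushed to step-up authentication only because it is the fourth transaction inside ten minutes. Keeping the reasons alongside the score is what lets a fraud analyst, or the customer-facing message, explain the decision.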

Forensic Support

  • Build forensic capability through analysis that helps determine the nature and extent of an incident
  • Use cyber drills to assist in evaluating forensic readiness
  • Train employees and management
  • Provide user education and awareness for identifying risks and reporting them to IT

Annex 2 - Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

  • The RBI has set out banking security and operational guidelines to keep pace with the evolving technology offered to customers
  • It is important to consider current and developing IT applications in banking alongside the current guidelines
  • IT security, technology, operations and legal aspects must all be considered

Governance

  • Top-level management must address cyber threats
  • Policy enforcement and management participation are required

Cyber SoC

  • Traditional prevention-only controls are no longer effective because the threat landscape keeps changing
  • Active monitoring and management of threats is required

Security

  • Systems must be kept current
  • Deploy monitoring and correlation tools to find anomalies

Implementation and Analysis

  • Identify attacks and classify them in order to decide on containment
  • Conduct incident investigation, using deep packet analysis where needed, to understand how to respond
  • Analyse dynamic behaviour to look for indicators of compromise
  • Use analytics enriched with geo-location information
  • Set up countermeasures and honeypots

Responsibilities

  • Set up systems and data flows that are effective and quick to act on
  • Provide access to information required for security purposes and by law
  • Prevent and reduce risk
  • Stay aware of current threats

Annex 3 - Template for reporting Cyber Incidents

  • Security Incident Reporting (SIR) to RBI must occur within 2 to 6 hours of detection
  • Subsequent updates must be submitted if the earlier report was incomplete
  • Required: the bank's status and the time of the incident, contact details, and information about the attack
  • A chronological list of what happened and what was observed in the systems
  • The steps taken, or to be taken, to address the attack and to detect it, including data and information on the security measures in place
  • The complete list of fields is available in the banking template
  • All fields are required unless stated otherwise

Information and Contact Data

  • Must be given for each listed field that could relate to a cyber attack
  • The information allows the cyber team to evaluate which vulnerabilities could have been exploited and what could have been compromised
  • The data helps detect risk patterns, identify threats and respond

Type of Vulnerabilities

  • A rating based on data loss
  • Security breach
  • Potential downtime
  • A series of forms is used to determine the type and severity of the incident/issue in the system

System Evaluation and Monitoring

  • Include testing and evaluation of systems
  • Use current methods
  • Identify the source IP address and port used in the attack
  • Use log analysis to isolate the cause
  • Provide potential next steps
