Understanding and complying with RBI’s Cyber security guidelines for Email systems

C
Principal solution architect
& co-founder
Mithi Software
Author
Understanding and complying
with RBI’s Cyber security
guidelines for Email systems
Manu Sharma
Chief Manager I.T. (Network and
System Admin)
Capital Small Finance Bank ltd.
Sunil Uttam
Contributor
JULY 09 2019
12:00PM - 01:00PM IST

Copyright © 2019 Mithi Software Technologies Pvt Ltd. All rights reserved.
The context

Modernization is unavoidable for banks to stay competitive.
Modernization means extensive digitalization
Digitalization without adequate security, means direct exposure
and increased incidents of cyber attacks.

In August 2018, a Small Bank was faced
with a cyber attack, resulting in nearly Rs
100 crore being siphoned off.
- Economic Times

During 2008-17, banks in India faced
1,30,000 reported cases of cyber fraud
involving an estimated Rs 700 crore.
- Economic Times

The financial services industry topped the
list of 26 different industries that cyber
criminals most targeted.
- Deloitte

While Frauds are high frequency and low
impact
Cyber attacks/breaches can cripple a
bank or a financial services institute
e.g. the money siphoned off from the small
Bank, in August 2018, is 14 times the bank’s
FY18 profit.

POLL
In your organisation, which one of these is the biggest
threat to cyber security?
• DDOS
• Insider threats (human)
• Ransomware
• Out of date OS, software
and security patches
• Technology complexity

Thus, Indian banks do not have
much choice concerning a major
revamp of cyber security.

Big Brother takes notice

Inventory Management
of Business IT Assets
Preventing execution of
unauthorized software
Environmental Controls
Network Management
and Security
Secure Configuration
Application Security Life
Cycle (ASLC)
Patch/Vulnerability &
Change Management
User Access Control /
Management
Authentication
Framework for
Customers
Secure mail and
messaging systems
Vendor Risk
Management
Removable Media
Advanced Real-time
Threat Defense and
Management
Anti-Phishing
Data Leak prevention
strategy
Maintenance,
Monitoring, and Analysis
of Audit Logs
Audit Log settings
Vulnerability assessment
and Penetration Test and
Red Team Exercises
Incident Response &
Management
Risk based transaction
monitoring
Metrics Forensics
User / Employee/
Management Awareness
Customer Education and
Awareness
RBI's Cyber security framework in detail
CSR - Annex 1
Baseline Cyber Security and Resilience Requirements

C-SOC Functional Requirements Governance Requirements Integration Requirements
People Requirements Process Requirements Technology Requirements
C-SOC - Annex 2
Cyber Security Operation Centre (C-SOC)

Template for reporting Cyber Incidents Cyber Security Incident Reporting (CSIR) Form
CSIR – Annex 3
Cyber Security Incident Reporting (CSIR)

Secure Be Vigilant Report and correct to remain Resilient.
Continuous improvement

POLL
In your organisation, which one of these 3 is your priority?
• Security measures
• Vigilance – Security Operations centre
• Resilience – Ability to bounce back and improve the security
measures

The Scope

Inventory Management
of Business IT Assets
Preventing execution of
unauthorized software
Environmental Controls
Network Management
and Security
Secure Configuration
Application Security Life
Cycle (ASLC)
Patch/Vulnerability &
Change Management
User Access Control /
Management
Authentication
Framework for
Customers
Secure mail and
messaging systems
Vendor Risk
Management
Removable Media
Advanced Real-time
Threat Defense and
Management
Anti-Phishing
Data Leak prevention
strategy
Maintenance,
Monitoring, and Analysis
of Audit Logs
Audit Log settings
Vulnerability assessment
and Penetration Test and
Red Team Exercises
Incident Response &
Management
Risk based transaction
monitoring
Metrics Forensics
User / Employee/
Management Awareness
Customer Education and
Awareness
Our focus is on Secure Mail and Messaging
Baseline Cyber Security and Resilience Requirements

The Approach

Map relevant guidelines to Solution layers
LAYERS ELEMENTS CSR C-SOC CSIR
SOLUTION LAYERS
User Education
and awareness
Best practices, security
awareness, etc
A1.23 - Education on phising, risks
& human element
Vigilance via dashboards,
monitoring, escalations.
Protect, Detect, respond,
recover.
Forensic analysis and
improvements
Report all incidents to
RBI to improve
accountability
Network Data Flow and user Access
A1.8.1 - Encrypt in transit
A1.13.2 - End point security
Periphery Malware, spam, virus detection
A1.10.1, A1.13.2, A1.14.1 - Spam,
Virus, Phising, malware
protection, Email security
gateway, Anti phishing
Application Mobility, Web, Desktop access
A1.10.2, A1.8.10 - Mail policies,
DDOS, etc
A1.10.1 - Spoof, email
authenticity, sandbox
A1.7.4, A1.18 - Periodic VAPTs
Services
Mail, Directory, Calendar,
administration, etc
A1.8.1 - Access control from
trusted zones
A1.8.4 - Role based IAM
Data
User information, Mail data,
Audit trails
A1.8.1 - Encrypt at rest
A1.6.4, A1.17.1, A1.16.1 - Audit
trails, Capturing Audit logs
Infra
mail, relay, directory, front end
servers, storage, OS
Data Residency
A1.5.1 - OS hardening
A1.7.2 - Patch Management
SECURITY VIGILANCE RESILIENCE

Demystification

A1.23 - Education on phishing, risks & human
element
Sensitize users to how the human element
is the weak link in cyber security.
From being alert to phishing mail to keeping
passwords secure to reporting incidents, this weak
link has to be strengthened

A1.8.1 - Encrypt in transit
Prevent sniffing
Use TLS to ensure every communication between
the client to server and server to server is
happening on an encrypted channel.

A1.13.2 - End point security
Build sanity into the end point jungle.
Keeping end points clean is good hygiene and
goes a long way to stop malware infections from
the user devices.

A1.10.1, A1.13.2, A1.14.1 - Spam, Virus, Phishing, malware
protection, Email security gateway, Anti phishing
A robust, active email gateway, especially one with guarantees
on virus, spam and malware protection can disallow infected
content to pass through and prevent a lot of security incidents.
“Financial services remains the industry most susceptible to malicious email
traffickers, as consumers are seven times more likely to be the victim of an
attack originating from a spoofed email with a bank brand versus one from
any other industry.”
- Deloitte

A1.10.2, A1.8.10 - Mail policies, DDOS, etc
Prevention is better than cure form the basis
for these guidelines.
These guidelines are about adopting best practice
secure configurations to secure the applications
from hack attempts, DOS attacks, misuse, overuse,
attachment type controls, etc.

A1.10.1 - Spoof, email authenticity, sandbox
Authenticate all email communication.
Ensure the person authenticating is the person
sending the email, ensure the email is marked as
authentically originating from the bank, ensure mail
does not receive, nor sends malicious content, etc.

A1.7.4, A1.18 - Periodic VAPTs
Stay vigilant
Perform periodic third party audits by CERT IN
empanelled vendors, with timely mitigation of
risks, and reporting to the board/senior team
members.
Audits to be done throughout the lifecycle of
the internet facing applications/devices (pre-
implementation, post implementation, after
changes etc.)

A1.8.4, A1.8.1 - Role based IAM
Differentiate exposure, gain control
Allow levels of access to users based on role and
source of connection.

A1.8.1 - Encrypt at rest
Prevents data visibility in the event of its
unauthorized access or theft
Encrypt the data when it is stored on any storage
medium

A1.6.4, A1.17.1, A1.16.1 - Audit trails, Capturing
Audit logs
Keep track of all events
Capturing, storing and being able to retrieve audit logs when required is
an important capability to support forensics

A1.5.1, A1.7.2 - Data Residency, OS hardening,
Patch Management
Secure Infrastructure located in country of
domicile
Operate, manage, and control the IT components
from the host operating system and virtualization
layer down to the physical security of the facilities in
which the services operate. Have all data within the
host country.

The Audit fact sheet

Agencies NCIIPC, CERT IN, RBI CSITE
Types Internal, External, On Site
Frequency Annual
Scope PCIDSS, ISO, IT systems, Data, Physical inspection
Duration 10-15 days each
NCIIPC (National Critical Information Infrastructure protection centre)
CERT IN (Indian Computer Emergency Response Team)
CSITE RBI (Cyber security and IT examination cell of RBI)

External
Audit done by
a CERT IN
empaneled
vendor
Informs
RBI of
audit
Presents
to board
Bank forms
mitigation
plan with
target dates
Gives
report to
bank
Works to
close
audit
points
External Audit Process

CSite
Follows
process
depending on
bank's
category
Collect
evidence
Follow
checklist &
guidelines to
review each
and every
aspect
Starts with
external
audit
report
submit
correction
report to
Bank
Bank
fixes
issues
On Site Audit Process

The Disparity and the way forward

Levels of cyber resilience vary vastly across sizes
and categories of banks

This is caused mainly due to the difference in
infrastructure, capability, maturity and
investment

System Maturity Matrix for Email
CAPABILITY
High End Open Private Cloud
SaaS
Benefit:
High Performance, Low TCO, High
Flexibility
Risks:
Un-optimal Cost Management and
Capability Integration
Low End Private SaaS
Benefit:
Low Cost, Easy Start
Risks:
Performance & Dependability, Security,
Lack of Data Durability guarantees
Public and Free to use Apps
Benefit:
Low or no cost, easy access, popular
usage
Risks:
Data Security, Data Fragmentation, Lack
of Data Access
RISK
Private in-Premise Set-up
Benefit:
Leveraging existing investment
Risks:
Performance, High TCO, High
Maintenance, Slow Upgrades
High End Proprietary Cloud
based SaaS
Benefit:
High Performance, High Capability
Risks:
Lack of Flexibility, High TCO, Lock-in
concerns
lowhigh
low high

POLL
Which of the these 5 solution categories does your
organisation use for communication and collaboration?
• Low End Private SaaS (software hosted and managed at an
external DC – Exchange, Linux servers, etc)
• Private in-premise setup (software hosted and managed at
your own DC – Exchange, Lotus Notes, Linux, etc)
• Public and Free to use Apps (Gmail, Yahoo, Whatsapp, etc)
• High End proprietary cloud based SaaS (Gsuite, O365)
• A Hybrid (mix of cloud, on-premise, etc)

Hence for most banks, adhering to these
guidelines, is an uphill and never ending task.

Leveraging SaaS and Cloud can level this playing field.

“Banks can benefit from far greater security postures in the
cloud than they can achieve in traditional datacenters.”
“The ultimate benefit of the cloud is that banks can spend
less time on undifferentiated tasks and more time focusing
on the core competencies that add value to their
organisations.”
IDRBT FAQs on Cloud Adoption for Indian Banks, September 2017

“Cloud accreditation certifications and evaluations provide
banks with assurance that cloud providers have effective
physical and logical security controls in place. When banks
leverage these reports, they avoid subjecting themselves to
overly burdensome processes or approval workflows that
may not be required for a cloud environment. ”
Institute for Development and Research in Banking Technology
(IDRBT) FAQs on Cloud Adoption for Indian Banks, September 2017

“With readily deployable and scalable infrastructure, business
continuity is always built into the business model. Banks can
initiate business continuity plan of IT infrastructure with
minimal effort and do not have to invest upfront.”
IDRBT FAQs on Cloud Adoption for Indian Banks, September 2017

Why cloud platforms make it easy to adhere to RBI's
cyber security guidelines?

From DOING to CONFIRMING
By deploying fully managed, guaranteed cloud
platforms, you are delegating a bulk of the cyber
security adherence responsibility to the vendor.
Then the cyber security guidelines can be an effective
checklist to confirm compliance.

Why our solution are a good fit for Banks
Data Residency
A choice of region for storing your data, ensuring
compliance with data residency regulations of
governments.
Business Continuity
By having all email & data stored on a highly
elastic, available, durable cloud platform instances
of outages are reduced to near zero. And quick
recovery from any glitches.
Privacy Guaranteed
Designed to ensure customer data privacy in the
multitenant SaaS setup. For highly sensitive
customers. Can also be offered as a dedicated
private setup on the cloud for large installations.
Reduced IT Costs
Fully managed SaaS, which implies Zero
hardware at your end, Zero management and
Zero maintenance.
Multi-layered Security
Tight security at multiple layers of the stack to ensure
that sensitive data stored on our platform is encrypted,
immutable and tamper proof.
No Vendor Lockin
Built on the premise that the ownership of data is that of
the customer.
Processes and tools are specially designed to prevent
vendor lock in, are in place to allow extraction of data
on demand.

Your peers across BFSI, PSU and Government
sectors have chosen our cloud solutions for
their Security, Reliability and Data Residency

Collaboration Solutions for an Interdependent World

UNLIMITED Q & A
Alright, Lets talk until you run out of
questions...SHOOT !

Understanding and complying with RBI’s Cyber security guidelines for Email systems

More Related Content

What's hot (20)

Similar to Understanding and complying with RBI’s Cyber security guidelines for Email systems (20)

More from Vaultastic (20)

Recently uploaded (20)

Understanding and complying with RBI’s Cyber security guidelines for Email systems