RBI Guidelines: Tips for Compliance

The Reserve Bank of India's new information security guidelines are expansive, and as a result can help improve the overall maturity of Indian financial institutions, says Vishal Salvi of HDFC Bank.

"It's not just focusing on information security, but also the other elements which are requirements for information security to be implemented," says Salvi, CISO of HDFC Bank. Those elements include IT governance, infosec audits, customer communication, fraud management and legal aspects.

These new guidelines are going to help underline the CISO's role across the entire ecosystem of the banking industry, Salvi says. "Large banks have already been seeing the CISO role playing a leadership role in the organization, to broaden the spectrum, looking at it from an enterprise point-of-view," he says in an interview with BankInfoSecurity.com's Tom Field [transcript below].

And there is no better time than now for these guidelines and the benefits they provide. Phishing attacks, Trojans and website defacement are some of the challenges infosec professionals are currently facing in the banking sector. Data leakage, malware and application attacks are also cause for concern. In mitigating these risks and complying with the new guidelines, banks should perform a gap analysis, identifying areas they need to focus on and developing a roadmap for how they'll remediate the issues.

  • The RBI's key focus areas and compliance deadline for implementing these guidelines;
  • How the RBI rules will change the way banks handle information security;
  • Advice to CISOs in implementing these guidelines effectively.

Salvi is the Chief Information Security Officer & Senior Vice President at HDFC Bank, a $52 billion private banking institution. Prior to joining HDFC Bank, he worked in Standard Chartered Bank for 11 years and held a variety of roles in IT service delivery, governance and risk management, and information security. He has 19 years of industry experience and had previously worked in companies like Crompton Greaves, Development Credit Bank, and Global Trust Bank. He holds a Bachelors of Engineering in Computers, Masters in Business Administration - Finance from NMIMS, and Certified Information Security Manager (CISM).

  • RBI recently released some detailed guidelines in information security for the banking industry. What do you see as the significance of these guidelines for your sector?

    there are a lot of breaking changes that have been brought about by these guidelines which were issued in April 2011, and some of those issues which I would like to highlight here, specifically focusing on these guidelines, are covering all requirements of information security, and what I mean by that is it's actually not just focusing on information security but also the other elements which are requirements for information security to be implemented within organizations such as IT governance, information security audits, customer communication, fraud management and also touching up on the legal aspects. A lot of emphasis has also been provided on process and on governance, apart from covering the technical controls. As a result, it's actually expected to improve the overall maturity of how information security is practiced and understood within the banking industry. I would say that it's a very important and significant change that has been introduced by the regulators for the banking industry.

  • the key focus areas of the guidance and what is the compliance deadline for implementing these guidelines?

    the key focus areas are on chapters six, seven and nine that you are talking about, ranging from IT governance to legal aspects. There are obviously expectations in terms of getting the organization changes and the process changes completed in a shorter time. And the timeline for those are the end of October 2011. As far as the expectation for implementation of all the requirements of the guidelines are concerned, the expectation is to have it completed by the end of February 2012.

  • What do you see as being the biggest challenges in meeting these standards for your institution and for others as well?

    All the banks are looking at and performing their own gap analysis, and my guess is that most or all the banks will actually have variation in terms of the level of compliance. The larger banks will actually find themselves more compliant as compared to the smaller ones. There are specific expectations, higher expectations such as building up enterprise-level data storage or the implementation of digital rights management or creating a much more robust end-to-end identity and access management solution, so on and so forth. There are such changes which require a longer time than the one you are provided for implementation. My sense is that organizations would need larger timeframes than those. For some of these controls to be implemented, depending on their level of compliance to them as we stand, the challenges will range from organizations and there are these few points where it would be challenging for them to actually get them implemented within one year.

  • guidelines impacting the role of yourself, a CISO at a bank?

    Large banks have already been seeing the CISO role playing a leadership role in the organization, to broaden the spectrum, looking at it from an enterprise point-of-view trying to change the bank, and engaging business support functions and various other groups. What these guidelines are going to do is actually underline that control across the whole ecosystem of the banking industry. And my sense is that it will actually give more clarity to all the banks in terms of what the CISO's role is all about, why it needs to be placed at a leadership level and why it needs to have the focus and integrated approach towards driving the information security strategy into the organization. That's the change I guess will be brought about by the implementation of these guidelines.

  • the threat landscape for Indian institutions. How ultimately do you see these guidelines impacting that threat landscape?

    If you look at the normal work of an information security team, you will find that most of the time we are working towards improving the hygiene, the infrastructure and the maturity of the organization because you will not always be under attack and you are not always doing the reactive stuff in terms of managing and mitigating incidents. In the ballpark, 90 percent of your time is to do that proactive stuff and ten percent of the time you're dealing with the actual incidents. Given that, these guidelines are obviously going to be focusing on helping us to improve the proactive bit and have more focus on the proactive bit to improve the hygiene of the banking infrastructure, looking at and improving at many folds to ensure that we are able to be with the current, as well as the future, tech landscape. I think it's just preparing ourselves to deal with it better and improving the hygiene by giving a very consistent approach towards the whole banking industry, other than trying to allow only a few banks to actually improve based on those threats.

  • what advice would you offer to other CISOs in your industry in implementing these guidelines and meeting the tight deadlines you face?

    the first step towards that is to perform a very granular gap analysis. Once you've identified the gaps, you start identifying the areas that you need to focus on and make a roadmap in terms of how you want to remediate. It's a great opportunity provided by the regulator to improve the security of the banking ecosystem, and the threats are real as we know. So this will help us to actually plug those gaps. But having said that, one size doesn't fit all. You need to apply a risk assessment approach, looking at which risks are more applicable for your environment and your infrastructure, and close the circle of risk management from the identification assessment to acceptance and implementation. As long as you've done that and as long as you have allowed the focus to be there on the identified gaps, it will be helpful for all of the organizations to actually adopt the approach. My sense is that from now through most of this financial year for the Indian banking industry, the only focus they have for information security leaders will be to actually ensure that you comply with these guidelines.
