The draft master direction issued by the Reserve Bank of India (RBI) on information technology (IT) governance, risk, controls and assurance practices talks about specifying the roles, including the authority and responsibilities, of the board of directors, board-level committee and senior management in regulated entities (REs).
RBI says, “The framework must include adequate oversight mechanisms to ensure accountability and mitigation of business risks. The key focus areas of IT governance shall include strategic alignment, value delivery, risk management, resource management, performance management and business continuity or disaster recovery management.”
Asking the REs to set up a board-level IT strategy committee (ITSC) with a minimum of two directors as members, RBI says at least one member should have substantial expertise in managing or guiding technology initiatives.
According to the draft master direction, the chief executive officer (CEO) of the RE will have overall responsibility and will institute effective oversight of the plan and execution of the IT strategy. “REs shall establish an ITSC with representation at senior management level from IT and business functions for assisting the board and ITSC in the implementation of the IT policy and IT strategy. The ITSC shall meet at least on a quarterly basis.”
RBI also wants every IT application that can access or affect critical or sensitive information to have audit trails. It says, “The audit trails must be detailed enough to facilitate the conduct of the audit, serve as forensic evidence when required and assist in dispute resolution, including for non-repudiation purposes. Audit trails shall be secured to ensure the integrity of the information captured and preservation of evidence.”
The central bank has asked for comments or feedback from REs and other stakeholders by 20 November 2022. MoneyLife