IT Governance and Risk Management
In the ever-evolving spheres of finance and data protection in India, the Reserve Bank of India's ("RBI") Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices, dated November 7, 2023, has set the stage for transformative changes. This article navigates the regulatory landscape to show how our Generic Onboarding Platform ("GO") aligns with the guidelines laid out by the RBI.
The RBI has rolled out the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices to incorporate, consolidate, and update the guidelines, instructions, and circulars on IT Governance, Risk, Controls, Assurance Practices, and Business Continuity/Disaster Recovery Management.
As the RBI directive takes center stage, our analysis delves into the critical elements of IT governance, risk management, and controls outlined by the RBI. From the strategic role of boards to the meticulous oversight mechanisms required for mitigating IT and cyber risks, we show how our Generic Onboarding Platform integrates compliance measures into the fabric of financial technology.
Signzy's No Code Platform takes pride in its steadfast commitment to regulatory compliance, aligning seamlessly with the stipulations outlined in the RBI's Direction.
Our product has been meticulously designed and developed to adhere to the comprehensive guidelines in these regulatory frameworks, ensuring that organizations can confidently navigate the complex landscape of information technology governance, risk management, and controls. At Signzy, we understand the critical importance of maintaining the highest standards of security, privacy, and transparency, and our commitment to regulatory alignment reflects our dedication to providing a robust onboarding solution that not only meets but exceeds industry standards.
Below are details of the features of the No Code Platform which help in complying with the requisite provisions of the RBI's Master Direction.
ο»ΏEvery IT application that can access or affect critical/ sensitive information has to have audit trails/ logging capabilityο»Ώ
- Every application in GO has an audit trailο»Ώ that can be viewed by the REs in the Back Office Portal.
ο»ΏThe audit trails have to satisfy a REβs business requirements apart from regulatory and legal requirements. The audit trails must be detailed enough to facilitate the conduct of the audit, serve as forensic evidence when required, and assist in dispute resolution, including for non-repudiation purposes.ο»Ώ
- The audit trail that can be viewed in the Back office of Signzyβs GO platforms, is detailed and comprehensive.Β
- It shows all the changes made to the end-user application with minute details, such as the page and the field to which the change was made.Β
- It reflects the old value and the new value added. Further, the GO platform also shows the details of the agent/employee who has made the updates along with the date and time.Β
ο»ΏPersonnel with elevated system access entitlements have to be closely supervised with all their systems activities logged and periodically reviewed. REs have to adopt multi-factor authentication for privileged users.ο»Ώ
- All the GO users are closely supervised. A hierarchy is followed and all the users are assigned different levels.Β
- Each user is supervised by the user above their level and their activities are periodically reviewed.Β
- The RE agent can conduct their day-to-day business with the help of the web and app-based RM portal. They have multi-factor authentication enabled in their respective accounts and can also securely log in through their unique biometrics.
ο»ΏVA/ PT shall be conducted by appropriately trained and independent information security experts/ auditors.ο»Ώ
- GO has periodic VA/PT assessments done by 3rd party CERT-In certified vendors.
ο»ΏIn the post-implementation (of IT project/ system upgrade, etc.) scenario, the VA/ PT shall be performed in the production environment. Under unavoidable circumstances, if the PT is conducted in the test environment, REs shall ensure that the version and configuration of the test environment resembles the production environment. Any deviation should be documented and approved by the ISC.ο»Ώ
- The certified experts send the reports of their assessment periodically, work on their findings, and implement the necessary changes.Β
- VAPT is performed in the production environment to ensure the credibility of the results.
Our journey continues as we work to comply with the standards set by these latest guidelines and regulatory requirements. Through a detailed examination of the RBI's Direction, we identify where we fall short, improve on those areas, and keep working continuously toward that goal. Our platform, GO, is not just an enabler of regulatory adherence but a proactive contributor to the evolving standards in financial technology.
Getting help
Please feel free to contact us if you have any questions, require clarification, or have ideas for how to make the documents or any of our services better.
You can reach out to us at [email protected].