RBI/2013-14/216
DIT.CO (Policy) No.674/09.63.025/2013-14

August 30, 2013

The Chairman/Chief Executive Officers
All Scheduled Commercial Banks
(excluding RRBs)

Dear Sir/Madam

Sharing of Information Technology Resources by Banks - Guidelines

Please refer to paragraph 101 of the Monetary Policy Statement 2013-14 wherein the need for banks to examine the issue of shared IT resources to optimise costs while maintaining the desired levels of efficiency and security has been emphasised.

2. One of the pre-requisites for a bank to consume shared IT resources is the existence of a strong IT and IS Governance in the bank. It is imperative that decisions on IT resource sharing have necessary approvals of the management possibly at the board level depending on the criticality of the infrastructure or application to be shared. The applications that can be considered for sharing IT resources are those related to collaboration, housekeeping, office automation and business applications.

3. As a consumer, banks may ensure that the service provider (including another bank) adheres to all regulatory and legal requirements of the country. Banks may necessarily enter into agreement with the service provider that the infrastructure and applications are made available for audit / inspection by the regulators of the country. Reserve Bank of India should have access to all information resources that are consumed by banks, though the resources are not physically located in the premises of banks. Further, banks have to adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders.

4. While consuming services provided by other banks or service providers, it may be ensured that all aspects relating to privacy, confidentiality, security and business continuity are fully met.

5. A document which may serve as guidance in this regard is enclosed.

6. Please acknowledge receipt of the letter.

Yours faithfully

(A S Ramasastri)
CGM-in-C

Encl: as stated

Sharing of Information Technology Resources by Banks - Steps

1. Identify the asset(s) to be included:

1. Data
2. Applications/Functions/Process

2. Evaluate the asset on the following factors-

1. Determine how important the data or function is to the bank
2. Analyse the impact of the scenarios
1. The asset becoming widely public & widely distributed
2. An employee of the service provider accessing the asset
3. The process or function being manipulated by an outsider
4. The process or function failing to provide expected results
5. The info/data being unexpectedly changed
6. The asset being unavailable for a period of time

3. Choose the external organisation carefully:

1. A bank
2. An IT Company
3. Any other organization

4. Map Data Flow

1. Map the data flow between bank, service provider, customers, other nodes
2. Essential to understand whether and data can move in/out of the shared infrastructure provided by others
3. Sketch it for each of the models
4. Know risk tolerance

5. Assess requirements

1. Infrastructure
2. Applications

6. Analyse the Security Concerns

1. Issues in applications - Service levels, security, governance, compliance, liability expectations of the service  & provider are contractually defined
2. Issues in infrastructure - service provider handling Infrastructure security

7. Prepare a service contract addressing the following domains:

1. Architectural Framework
2. Governance, Enterprise Risk Management
3. Legal, e-Discovery
4. Compliance & Audit
5. Information Lifecycle Management
6. Portability & Interoperability
7. Security, Business Continuity, Disaster Recovery
8. Data Center Operations
9. Incident Response Issues
10. Application Security
11. Encryption & Key Management
12. Identity & Access Management
13. Virtualization

8. Understand the issues in security pitfalls

1. Geographical location of Infrastructure
2. Scope network security issues
3. Control Mechanism

9. Comprehend the overall security concerns

a. Handing over operational control to service provider while maintaining accountability

10. General Governance issues

1. Identify, implement process, controls to maintain effective governance, risk management, compliance
2. Provider security governance should be assessed for sufficiency, maturity, consistency with user ITSEC proces

11. 3rd Party Governance issues

1. Request for clear documentation on how facility & services are assessed
2. Requirement of definition of what provider considers critical services, information
3. Perform full contract, terms of use due diligence to determine roles, accountability

12. Analyse legal issues

1. Functional: functions & services which have legal implications for both parties
2. Jurisdictional: which governments administer laws and regulations impacting services, stakeholders, data assets
3. Contractual: terms & conditions
4. Clarity on provider and consumer's roles
5. Litigation hold
6. e-Discovery searches
7. Expert testimony
8. Provider must save primary and secondary (logs) data
9. location of storage data  
10. Plan for unexpected contract termination and orderly return or secure disposal of assets
11. ensuring to retaining ownership of data in its original form

13. Examine compliance & audit function

1. Right to Audit clause
2. Analyze compliance scope
3. Regulatory impact on data security
4. Evidence requirements are met
5. Appropriate certification such as SAS 70 Type II, ISO 27001/2 audit statements

14. Study Information Lifecycle Management especially in the context of

1. Data security
2. Data Location
3. All copies, backups stored only at location allowed by contract, SLA and/or regulation

15. Analyse portability and interoperability

1. Factors necessitating switching service providers
2. Negotiate Contract price increase
3. Factor in service provider bankruptcy and service shutdown
4. Decrease in service quality
5. Business dispute

16. Understand security, business continuity, disaster recovery related issues

1. Centralization of data means greater insider threat from within the provider
2. Requirement of onsite inspections of provider facilities
3. Disaster recovery, Business continuity, of service provider etc.

17. Formulate appropriate Incident Response systems

1. Applications may not always be designed with data integrity, security in mind
2. Necessity to store keep application, firewall, IDS etc. logs
3. Management of snapshots of virtual environment

18. Plan application security

1. Different trust boundaries for various types of shared resources
2. Ensure web application security
3. Secure inter-host communication channel

19. Devise encryption, key management procedures

1. Encrypt data in transit, at rest, backup media
2. Secure key store
3. Protect encryption keys
4. Ensure encryption is based on industry/government standards
5. Limit access to key stores
6. Key backup & recoverability
7. Test these procedures

20. Manage ID, access control

1. Determine how service provider handles provisioning, de-provisioning
2. Authentication
3. Federation
4. Authorization
5. User profile management

21. Plan virtualization

1. Type of virtualization
2. 3rd party security technology augmenting virtual OS controls that protect admin interfaces