Qualys Support for Reserve Bank of India (RBI) Cyber Security Guidelines

Reserve Bank of India (RBI), India’s central banking and monetary authority, points out that the number, frequency, and impact of cyber incidents on Indian banks has increased substantially. Like their peers globally, Indian banks are committed to maintaining customer trust, protecting financial assets, and preserving their own brand and reputation as the industry will remain a top target of cybercriminals using increasingly sophisticated methods. Thus, it is urgent that banks continue to improve their cyber defenses.

In a race to adopt technology innovations, the exposure to cyber incidents/attacks has also increased, thereby underlining the urgent need to put in place a robust cyber security and resilience framework. The Reserve Bank of India has provided guidelines on Cyber Security Framework vide circular DBS.

With the RBI cyber security guidelines, the banks need to assess their cyber security preparedness immediately and submit the controls gap analysis, remediation timelines per prioritization to the cyber cell of the RBI. Also, a key point to note is the banks need to perform the compliance assessment for the proactive cyber security requirements on a continuous basis.

Qualys release of the Qualys Cloud Platform 8.9.5 includes updates and new Qualys Policy Compliance features that facilitate support of the Reserve Bank of India (RBI) Cyber Security Guidelines.  Recent improvements include capabilities such as Library Content for Security Assessment Questionnaire as well as Mandate-Based reporting with mandate-mappings for technical control reporting in Policy Compliance.

Using the Qualys Cloud Platform, Financial Institutions in India can address and report on a range of technical and procedural requirements using a unified solution.  This article will help you learn more about RBI and how Qualys solutions can assist with compliance with the RBI Cyber Security Guidelines.

Qualys Solutions for RBI Compliance

Qualys enables banking organizations to more easily meet existing and new regulations such as RBI guidelines without the hassle of deploying, managing and integrating point security products from multiple vendors. The Qualys Cloud Platform incorporates a variety of security and compliance applications, all of which are delivered via the cloud, on top of Qualys’ infrastructure and core services.

Open APIs allow organizations to seamlessly integrate into Cyber Security Operations Centers that are mandated by RBI. There is no new software to deploy or infrastructure to maintain. Each application leverages the same scan data collected from sensors or from a single lightweight Cloud Agent (CA), and core services enable integrated workflows, management and real-time analysis and reporting across all Qualys solutions.

Policy Compliance (PC) enables customers to automate security configuration assessments and to quickly determine compliance with RBI technical security requirements, plus provides out-of-the-box reports that customers can run to quickly document their preparedness against RBI Guidelines.  Qualys provides a comprehensive library of preconfigured standards to assess operating systems, databases, applications, and network devices against industry-recommended best practices such as CIS Benchmark, Vendor Recommended Hardening Guidelines such as Microsoft SCM, and many more as required in section 1 of the guidelines, requiring that “banks need to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns.” This point is expanded on in sections 2 & 7 of the guidelines, requiring “the urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis.”  Qualys Policy Compliance provides recurring automation of assessment of your technical controls which is a key metric in enforcement of IT Security Policies and a critical variable in determining potential exposure to IT Security Risks as mentioned throughout the guidelines.  Support for the leading operating systems, applications, databases and network devices are provided. Network device assessment such as routers and firewalls, are key requirements of section 9.

Qualys Policy Compliance introduces a new Mandate-based reporting capability to easily see how effective controls are in the organization, and allow you to easily report on implicit requirements in the section 5 of the guidelines, as well as other industry and regulatory mandates that most financial organizations are required to comply with, such as PCI.

With Policy Compliance, as required by section 7 & 8, repeated frequent assessments of security controls can be performed, and control requirements can easily be implemented to measure and assess a bank’s unique minimum baseline requirements with coverage and validation of many of the requirements defined in Annex 1 of the guidelines.

Section 10 requires preservation of Confidentiality, Integrity, and Availability of personal, sensitive, and critical data.  With PC, you can validate appropriate controls for data are in place including validation of permissions and related filesystem and database security settings.

Security Assessment Questionnaire (SAQ) enables you to collect and analyze information about your business easily, quickly, and without reinventing the wheel. With this service, you can expand the scope of risk and compliance data beyond technical vulnerabilities to verify that third-party vendors are in compliance with emerging regulatory requirements. By automating a traditionally manual process, Qualys Security Assessment Questionnaire frees you from unreliable and labor-intensive approaches such as email and spreadsheets and optimizes the accuracy of your audit results.

With out-of-the-box questionnaire templates, you can quickly derive the posture of procedural RBI guideline elements such as Vendor Risk Management or user awareness, and verify that these procedural controls are enforced and measured internally (Section 16 and 18) and by third-party vendors and partners as required in (Section 18).

AssetView (AV) is a cloud-based asset inventory service that provides visibility and actionable data on global IT assets within an organization, per the requirements in Section 5. AssetView stores and indexes both IT and security data, including installed software, allowing you to search, track, and tag critical assets.  It is critical to identify all assets in the environment in order to secure, protect, and continuously assess the environment.  AssetView is tightly integrated with the other Qualys modules such as VM and PC, ensuring that you maintain an ongoing and effective assessment of critical assets.

ThreatPROTECT (TP) is a cloud-based solution that helps IT professionals automatically prioritize the vulnerabilities that pose the greatest risk to your organization by correlating active threats against your vulnerabilities.

ThreatPROTECT also includes a Live Threat Intelligence Feed where Qualys security engineers continuously validate and rate new threats from internal and external sources as required in Section 1, highlighting emerging concerns about vulnerabilities that pose an immediate risk to your business with details about which assets may be affected.

Quickly see how your systems are exposed to active threats such as zero-days, denial-of-service attacks, actively attacked vulnerabilities, easy exploits requiring little skills, vulnerabilities lacking a patch as required by Section 12 of the RBI Guidelines.  You can measure your progress and remediation efforts with real-time trend analysis and receive notifications when critical exposures emerge.

Vulnerability Management (VM) gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously secure your IT infrastructure as required by the RBI Cyber Security Guidelines as required in Section 6.

VM can be supplemented with Continuous Monitoring (CM), a new VM and network security approach that enables customers to immediately identify and proactively address potential problems – allowing immediate notification of the SOC (Section 13) of a potential exposure, and enabling continuous surveillance of both internal and external hosts as required in (Section 6).

Web Application Scanning (WAS) is a scalable Dynamic Application Scanning Tool that can detect critical vulnerabilities in web applications. It can help banks implement the RBI guidelines for Vulnerability assessment & Penetration Test & Red Team Exercises, Application Security Life Cycle, Patch/Vulnerability & Change Management. WAS detects vulnerabilities using best practice baselines such as the Open Web Application Security Project (OWASP) and provides actionable data and metrics to track and address those vulnerabilities. It empowers teams to incorporate regular security testing and vulnerability assessment in their Application Security Life Cycle so that they can detect and fix critical vulnerabilities early in development cycle and can minimize security issues in production.

More specifically, WAS will help implement the following RBI guidelines and many more: 6.9 regarding adequate evaluation of existing/evolving security threats, 7.4 regarding periodic VA/PT of internet facing web/mobile applications, 7.5 regarding periodic application security testing of web/mobile applications and 18.4 regarding keeping track of actions necessitated by findings of VA/PT.

Web Application Firewall (WAF) can be an integral part of your multi-layered application security infrastructure and help implement the RBI guidelines of Advanced Real-Time Threat Defense and Management (Section 13), Patch/Vulnerability & Change Management (Section 7) and Application Security Lifecycle (Section 6). It performs real-time inspection of HTTP (S) traffic to detect and block serious application attacks and provides detailed information about the critical security events. Security teams can implement virtual patches in WAF to protect against zero-day exploits and to address specific vulnerabilities detected by WAS.

Get a Qualys Suite Trial

To evaluate how Qualys products can help you implement various aspects of the RBI guidelines, please sign up for a Qualys Suite trial.