17. Information System Audit
17.1 Authorised non-bank entities shall submit the System Audit Report, including cyber security audit conducted by CERT-IN empaneled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.
17.2 Banks shall also be guided by the RBI circular DBS.CO/CSITE/BC.11/33.01.001/2015-16 on Cyber Security Framework in Banks dated June 02, 2016, which inter alia, covers requirements for mobile-based applications.
17.3 The scope of the Audit shall include the following:
a) Security controls shall be tested both for effectiveness of control design (Test of Design – ToD) and control operating effectiveness (Test of Operating Effectiveness – ToE).
b) Technology deployed so as to ensure that the authorised payment system is being operated in a safe, secure, sound and efficient manner.
c) Evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing systems and applications, documentation, etc.
d) Evaluating the adequacy of Information Security Governance and of the processes that support payment systems.
e) Compliance as per security best practices, specifically the application security lifecycle and patch / vulnerability and change management aspects for the authorised system and adherence to the process flow approved by RBI.
f) Comment on the deviations, if any, in the processes followed from the process flow submitted to RBI while seeking authorisation.
17.4 All PPI issuers shall, at the minimum, put in place the following framework:
a) Application Life Cycle Security: Source code audits shall be conducted by professionally competent personnel / service providers, or the issuer shall obtain assurance from application providers / OEMs that the application is free from embedded malicious / fraudulent code.
b) Security Operations Centre (SOC): Integration of system level (server) and application level logs of mobile applications (PPIs) with the SOC for centralised and co-ordinated monitoring and management of security related incidents.
c) Anti-Phishing: PPI issuers shall subscribe to anti-phishing / anti-rogue app services from external service providers for identifying and taking down phishing websites / rogue applications, in the wake of the increase in rogue mobile apps / phishing attacks.
d) Risk-based Transaction Monitoring: A risk-based transaction monitoring or surveillance process shall be implemented as part of the fraud risk management system.
e) Vendor Risk Management:
(i) PPI issuer shall enter into an agreement with the service provider that amongst others provides for right of audit / inspection by the regulators of the country;
(ii) RBI shall have access to all information resources (online / in person) consumed by the PPI provider, which shall be made accessible to RBI officials when sought, even though the infrastructure / enabling resources may not be physically located in the premises of the PPI provider;
(iii) PPI issuers shall adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders;
(iv) PPI issuer shall review the security processes and controls being followed by service providers regularly;
(v) Service agreements of PPI issuers with the provider shall include a security clause requiring disclosure of any security breaches specific to the issuer's ICT infrastructure or processes, including but not limited to software, applications and data, as part of Security Incident Management standards, etc.
f) Disaster Recovery: The PPI issuer shall consider having a DR facility to achieve the Recovery Time Objective (RTO) / Recovery Point Objective (RPO) for the PPI system, so as to recover rapidly from cyber-attacks / other incidents and safely resume critical operations in line with the RTO, while ensuring that the security of processes and data is protected.