Nepal Rastra Bank IT Guideline Contents
Introduction to Nepal Rastra Bank IT Guidelines
In the current time, information technology is the key to our everyday work. Being the nation’s central bank, Nepal Rastra Bank IT Guidelines aims to set a standard for the use and implementation of information technology within the supervised organizations i.e. banks and financial institutions.
The NRB IT Guidelines refer to the Information Technology Guidelines published by Nepal Rastra Bank in August 2012. NRB stands for Nepal Rastra Bank, Nepal’s central bank. It is published by the Bank Supervision Department of Nepal Rastra Bank.
Objectives of Nepal Rastra Bank IT Guideline
The purpose of the NRB IT Guidelines is to promote sound and robust technology risk management and to strengthen system security, reliability, availability, and business continuity in commercial banks of Nepal. It aims to guide Nepalese banks on IT governance, security, risk management, and other IT-related issues.
Coverage of Nepal Rastra Bank IT Guidelines
The key topics covered in the NRB IT Guidelines include:
- IT Governance – IT strategy, policies, organizational structure, performance monitoring, risk management
- Information Security – Access controls, data encryption, network security, physical security, audit trails
- Information Security Education – Awareness programs for employees and customers
- Information Disclosure and Grievance Handling
- Outsourcing Management – Due diligence, monitoring, regulatory access
- IT Operations – Change management, migration, availability
- Systems Acquisition, Development, and Implementation
- Business Continuity and Disaster Recovery Planning
- IS Audit
- Fraud Management – Reporting of electronic attacks and frauds
Features of Nepal Rastra Bank IT Guideline
The IT Guidelines of Nepal Rastra Bank, the central bank of Nepal, cover a wide range of topics related to IT governance, information security, education, and outsourcing management. Some of the key features of these guidelines include:
- IT Governance: The guidelines emphasize the importance of IT governance and recommend that banks have a board-approved IT strategy and policy that is reviewed annually. They also suggest that banks have detailed operational procedures and guidelines to manage all IT operations.
- Information Security: The guidelines provide recommendations for information security, including the need for banks to have a comprehensive information security policy, conduct regular risk assessments, and implement appropriate security controls.
- Education and Disclosure: The guidelines recommend that banks provide clear information to their customers about the risks and benefits of using e-banking delivery services. They also suggest that banks educate customers on which protections are provided and not provided in each of their delivery channels.
- Outsourcing Management: The guidelines provide best practices for outsourcing management, including the need for banks to evaluate the risks before entering into outsourcing agreements, ensure that outsourcing service providers implement adequate internal controls, and ensure that outsourcing of IT operations does not interfere with or obstruct regulatory activities.
- Fraud Management: The guidelines provide recommendations for fraud management, including the need for banks to identify and document all electronic attacks and suspected electronic attacks in their system and report them to Nepal Rastra Bank monthly. They also suggest that customers be made aware of fraud along with fraud identification, avoidance, and protection measures.
Summary of NRB IT Guidelines
The IT Governance topic in the Nepal Rastra Bank IT Guidelines emphasizes the importance of effectively managing and overseeing IT resources to support and enable business goals. Key points include:
- Board-Approved IT Strategy and Policy: Banks are expected to have a board-approved IT strategy and policy, reviewed at least annually, with long-term strategy mapped to short-term strategy periodically.
- Operational Procedures and Guidelines: Detailed operational procedures and guidelines are recommended to manage all IT operations, covering planning, implementation, monitoring, and reporting.
- IT Risk Management: Banks are encouraged to assess IT-related risks and incorporate them into the bank’s risk management policy, with periodic updates of the risk management being essential.
- Compliance with International IT Control Frameworks: Implementing international IT control frameworks such as COBIT is encouraged, demonstrating a commitment to aligning with globally recognized best practices in IT governance.
- Awareness at the Board Level: The guidelines stress the importance of the board being adequately aware of the IT resources of the bank and ensuring that they are sufficient to meet the business requirements.
Overall, the IT Governance topic underscores the need for a strategic and well-governed approach to managing IT resources, ensuring alignment with business objectives, and mitigating IT-related risks.
Components of Nepal Rastra Bank IT Guidelines
The following are the components covered in the IT Guideline of Nepal Rastra Bank.
#1. IT Governance:
Here is a summary of the IT Governance section in the Nepal Rastra Bank IT Guidelines:
- Banks should have a board-approved IT strategy and policies that are reviewed annually. The long-term strategy should be mapped to short-term plans.
- The organizational structure for IT should suit the bank’s business activities. Broad functions include Development, Technology, IT Operations, and Information Assurance.
- Assess periodic training needs of IT personnel based on the bank’s IT functions.
- Have performance monitoring and measurement systems for IT functions, reported to management.
- Consider IT risks in overall risk management policies. Periodically update policies.
- Implement international IT control frameworks like COBIT as applicable.
- The Board should oversee IT resources to ensure alignment with business needs.
- Appoint a senior Information Security Officer to enforce security policies.
- Conduct risk analysis before adopting any new technology or system.
- Have processes to address legal risks from cyber laws and electronic transactions.
In summary, the guidelines emphasize having comprehensive IT governance with appropriate strategies, policies, organizational structure, risk management, performance monitoring, and regulatory compliance.
#2. Information Security
The Information Security topic in the Nepal Rastra Bank IT Guidelines focuses on safeguarding information assets and mitigating security risks. Key points include:
- Have a board-approved security policy covering all electronic channels and payment systems. Communicate to employees, vendors, etc.
- Conduct periodic risk assessments of assets impacting confidentiality, integrity, and availability of information. Implement access controls on a need-to-know basis.
- Harden systems, and implement strong encryption, firewalls, and antivirus protections. Ensure secure audit trails to meet legal/regulatory requirements.
- Use secure protocols and multifactor authentication for internet, mobile, and card banking. Educate customers on safe usage.
- Have a data security policy covering aspects like encryption, media storage/transit, and data disposal. Add controls for wireless networks.
- Classify and protect information assets based on criticality. Conduct additional screening of privileged users.
- Continuously assess vulnerabilities and implement compensating controls. Clarify regulations for outsourced/offshored data.
- Install CCTV at ATMs without capturing PINs. Ensure card and PIN security during production and delivery.
- Consider replacing signature-based card systems with PIN-based systems. Evaluate migration to chip-based cards.
- Provide instant alerts and second-factor authentication for online card use. Allow mobile banking only in local currency. Use multifactor authentication for large online transfers.
In summary, the Information Security topic in the guidelines covers a wide range of measures, including risk assessment, access authorization, physical and environmental controls, legal risk management, customer education, and specific security measures for ATM, debit/credit cards, and customer communication, to ensure the confidentiality, integrity, and availability of bank information and systems.
#3. Information Security Education
The Information Security Education topic in the Nepal Rastra Bank IT Guidelines emphasizes the importance of educating customers and stakeholders to conduct banking operations securely in the digital era. Key points include:
- Customer Education: With the introduction of electronic delivery channels, customers are encouraged to conduct banking operations securely, and banks are responsible for educating customers on fraud identification, avoidance, and protection measures.
- Stakeholder Education: To create effective information security practices, it is important to educate other stakeholders, including employees, on the evolving challenges of authenticating customers and defending against illegal access to customer accounts.
- Multi-Factor Authentication: As the risk of cyber attacks increases, banks are advised to implement more than one factor for authenticating critical activities like fund transfers through Internet banking, with the authentication methodology commensurate with the risk of Internet banking.
In summary, the Information Security Education topic underscores the need for comprehensive education programs targeting both customers and stakeholders to ensure secure banking operations in the digital environment, including multi-factor authentication to mitigate cyber risks.
#4. Information Disclosure and Grievance Handling
The section on “Information Disclosure and Grievance Handling” in the Nepal Rastra Bank IT Guidelines outlines the responsibilities of banks in providing clear information to customers and handling grievances related to electronic banking services. Here’s an explanation of the key points:
- Clear Information Provision: Banks are required to provide precise information about the services, costs, security features, risks, and benefits of electronic banking environments to customers. This includes detailing the responsibilities, obligations, and rights of both customers and the bank regarding electronic transactions.
- Dispute Resolution Process: Banks should publish clear information about the dispute or problem resolution process in the event of security breaches or fraudulent access to a customer’s account. This includes clearly explaining the conditions under which losses will be attributable to the bank or the customers.
- Privacy and Security Policy: Banks are expected to publish customer privacy and security policies, as well as the cost of transactions, on their website or at the time of subscription to electronic delivery channels. This information should be relevant and helpful for customers to make informed decisions about subscribing to electronic delivery channels.
- Transaction Cost Information: Banks should clearly inform users about the transaction costs at each ATM location or electronically before customers commit to transactions from ATMs and other electronic delivery channels.
- Dispute Handling Mechanism: Banks are required to develop a dispute handling mechanism with an expected timing of the bank’s response to handle disputed payments, transactions, and other issues in electronic banking delivery channels.
- Grievance Handling: Banks are responsible for grievance handling in the case of customer complaints regarding disputed transactions. The procedure for handling grievances should be formulated by the bank.
- Risks and Benefits Communication: Banks should provide clear information to customers about the risks and benefits of using e-banking delivery services. This includes educating customers on the protections provided and not provided in each of the delivery channels, enabling customers to make informed decisions about choosing such services.
In summary, this section emphasizes the importance of transparent communication and customer-centric approaches in providing electronic banking services, including clear information provision, dispute resolution processes, privacy and security policies, transaction cost transparency, and effective grievance handling mechanisms.
#5 Outsourcing Management
The Outsourcing Management section of the Nepal Rastra Bank IT Guidelines outlines the responsibilities and considerations for Nepalese banks when outsourcing IT functions. Key points include:
- Responsibility and Oversight: Board and senior management are responsible for due diligence, oversight, and management of risks associated with outsourcing. The accountability of outsourcing decisions rests with the board and bank management.
- Risk Evaluation: Banks should evaluate the risks associated with outsourcing technical operations before entering into agreements, and this evaluation should be conducted periodically.
- Information Security and Privacy: All outsourced operations should adhere to the bank’s information security and privacy policy. Banks should ensure that service providers implement adequate internal controls, logical access controls, and physical security controls.
- Regulatory Compliance: Outsourcing of IT operations should not interfere with regulatory activities. Agreements should recognize the authority of regulatory bodies to inspect, supervise, or examine the service provider’s role, responsibilities, obligations, functions, systems, and facilities.
- Monitoring and Control: Banks should establish a process for monitoring and controlling outsourcing activities, commensurate with the nature, scope, complexity, and inherent risk of the outsourced activity. The performance of outsourced activities should be specified in agreed service levels and evaluated periodically.
- Ensuring Requirements: Banks are responsible for ensuring the availability, integrity, and confidentiality requirements, even if service providers are outsourcing some or all of their functions.
- Contingency Planning: Banks should ensure that the quality and availability of banking services are not adversely affected by outsourcing arrangements. Contingency planning should address the availability of alternate service providers or the possibility of canceling outsourcing activities and bringing them back in-house in urgent situations.
- Country Risk Factors: When outsourcing IT operations outside the country, banks should consider country risk factors such as economic, social, and political reasons. Effective mitigating controls and exit strategies should be developed if required. 9. Continuity of Critical Applications: Banks should have a suitable strategy in place to ensure the continuity of critical applications, including options to receive source code and updates from vendors or arrange software escrow agreements.
- Legal Jurisdiction and Regulations: Banks should clarify the jurisdiction for their data and applicable regulations at the beginning of an outsourcing or offshoring arrangement. This information should be reviewed periodically and in case of significant changes performed by the service provider.
In summary, this section emphasizes the importance of thorough evaluation, oversight, and risk management when outsourcing IT functions, as well as the need to ensure compliance with regulations, maintain service quality, and plan for the continuity of critical applications.
#6. IT Operations
The IT Operations section of the Nepal Rastra Bank IT Guidelines emphasizes the importance of ensuring the timely, reliable, and secure operation of IT infrastructure in banks. Key guidelines include:
- Oversight and Safe Environment: Board and higher management should oversee the functioning of IT operations and ensure a safe IT operation environment.
- Segregation of Duty: Adequate segregation of duty should be enforced in all IT operations, with documented standards and procedures for administering application systems based on the principle of least privilege and “need to know.”
- Joint Custody for Critical Functions: Critical system functions and procedures should be carried out in joint custody, including systems initialization, network security configuration, access control system installation, and more.
- Change Management Process: Banks need to implement a change management process to handle changes in technology and processes in a controlled manner, including recording, assessing, authorizing, prioritizing, planning, testing, implementing, documenting, and reviewing changes.
- Migration Policy and Audit Trail: Banks should have a documented migration policy with a migration methodology to ensure data completeness, integrity, confidentiality, and consistency. An audit trail of the older system should be available even after migration to a new system.
- Supervision of Authorized Access: Vendors, suppliers, or consultants authorized to access critical bank systems should be subject to close supervision, monitoring, and access control similar to internal staff.
- Service Availability: High availability of service is critical for the online environment. Banks should ensure they have adequate resources in terms of hardware, software, and other operating capabilities to deliver consistently reliable service, including maintaining standby components critical for availability.
- Periodic Risk Assessment: Banks should conduct periodic risk assessments of their IT environment, including human resources, technology, and processes. Suitable mitigating strategies should be in place to address probable events or activities that could adversely affect the bank’s operation or reputation.
In summary, the guidelines stress the need for strong oversight, security measures, change management processes, migration policies, and risk assessments to ensure the effective and efficient delivery of information and the reliable operation of IT infrastructure in banks.
#7. Information Systems Acquisition, Development, and Implementation
The Nepal Rastra Bank IT guidelines for Information Systems Acquisition, Development, and Implementation emphasize the importance of addressing security and performance requirements in software development. Key points include:
- Documentation of Requirements: User functional requirements, security requirements, performance requirements, and technical specifications should be documented and approved by the appropriate level of management before software development begins.
- Incorporation of Security Requirements: Information security requirements should be incorporated at each stage of the software development lifecycle. This includes aspects such as access control, authentication, transaction authorization, system activity logging, audit trail, data integrity, and security event tracking, in addition to business requirements.
- Audit Trail Requirements: All systems should have an audit trail detailed enough to be used as forensic evidence and should meet regulatory and legal requirements.
- Source Code Review: Banks are encouraged to conduct a source code review of the application to identify loopholes and defects resulting from poor programming practices, coding errors, or malicious attempts. Any vulnerabilities, loopholes, and defects found should be fixed before the system is implemented.
In summary, the guidelines stress the need for thorough documentation of requirements, incorporation of security measures throughout the development lifecycle, implementation of comprehensive audit trails, and the conduct of source code reviews to ensure the reliability and security of software handling financial information and customer data.
#8. Business Continuity and Disaster Recovery Planning
The Business Continuity and Disaster Recovery Planning guidelines for the banking sector stress the importance of continuous and reliable service, particularly in the context of electronic delivery channels and 24/7 services. Key points include:
- Business Continuity Planning (BCP) Framework: BCP aims to minimize financial, operational, legal, reputational, and other risks by ensuring continuity, resumption, and recovery of business processes. It includes policies, standards, and procedures, as well as business impact analysis, recovery strategies, testing, training, awareness, communication, and crisis management programs.
- Disaster Recovery Planning (DRP): DRP addresses the technical aspects of BCP and is an integral part of it, focusing on the fault tolerance of mission-critical systems in banking.
- BCP Policy and Procedures: Banks should have a board-approved BCP policy with detailed procedures and guidelines for prioritizing critical business functions, incident handling, risk management, resource allocation, and periodic review.
- Appointment of BCP Head: A senior officer should be appointed as the Head of Business Continuity Planning, responsible for developing and updating the BCP, prioritizing critical business activities, and overseeing testing, training, and recovery.
- Comprehensive Considerations: BCP should consider natural and man-made disasters, security threats, regulatory requirements, outsourcing dependencies, and international operations, addressing both technical and people aspects.
- Testing and Documentation: BCP should be periodically tested, including planned and unplanned testing of all aspects of the bank, and outcomes should be documented with necessary amendments made.
- Recovery Strategies: BCP should specify Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for business processes, with suitable data recovery strategies chosen in DRP to meet these requirements.
- Standby Site Arrangements: Banks can use their own standby site or outsource it, with various options available based on RPO and RTO requirements, and should adopt disaster mitigating strategies such as data mirroring, UPS and generator arrangements, and environmental controls.
- High Availability Design: Datacenters, disaster recovery solutions, enterprise networks, and branch or delivery channels should be designed and configured for high availability with no single point of failure.
- Physical Security and Integrity Checks: The location of critical equipment rooms should minimize the risk of disasters, and physical access should be restricted to authorized individuals. Periodic checks of transaction and data integrity between the data center and disaster recovery site are recommended.
- Incidence Response Plans: Banks should develop appropriate incident response plans, including communication strategies and outsourced services, to ensure business continuity, control reputational risk, and limit the liability of service disruption.
In summary, the guidelines emphasize the comprehensive nature of BCP, including testing, recovery strategies, high availability design, physical security, and incidence response planning to ensure the continuity and reliability of banking services.
#9. Information Security Audit
IS Audit is essential due to the increasing complexity of the IT environment in banks, which poses significant risks. Comprehensive risk management, incorporating various standard internal control frameworks, the bank’s own requirements, and regulatory requirements, is crucial. To ensure the effectiveness of the implemented controls framework and the adequacy of the adopted security plan and procedures, banks should conduct IS audits annually.
- Adequate Resources: The board or the audit committee should allocate sufficient resources to conduct the audit, ensuring that the audit team is capable of evaluating IT controls with comprehensive coverage.
- Outsourcing IS Audit: If the bank lacks the necessary staff or expertise to conduct the IS audit internally, it can be outsourced to an external professional provider. However, the responsibility for audit planning, risk assessment, and follow-up remains with the bank. The audit committee should ensure that the outsourced service provider possesses the expertise and experience required for IS audit, despite the outsourcing arrangement.
#10. Fraud Management
Nepalese banks are increasingly using electronic delivery channels, which introduces the risk of electronic fraud in the banking system. To address this, banks should adhere to the following guidelines:
- Identify and document all electronic attacks and suspected electronic attacks in their systems, reporting them to Nepal Rastra Bank on a monthly basis.
- Ensure that customers are informed about frauds, including how to identify, avoid, and protect themselves from potential fraudulent activities.
Summary Review and Conclusion
The Nepal Rastra Bank IT Guidelines provide comprehensive guidelines for banks and financial institutions to ensure the security and integrity of their IT systems. The guidelines cover various aspects of IT operations, including IT governance, information security, information disclosure and grievance handling, outsourcing management, information systems acquisition, development and implementation, business continuity and disaster recovery planning, IS audit, and fraud management.
The guidelines emphasize the need for regular risk assessments, access control, segregation of duties, change management, and performance monitoring. Banks are also encouraged to implement international IT control frameworks such as COBIT. The document highlights the importance of having a designated Information Security Officer (ISO) responsible for enforcing information security policies. Overall, the guidelines provide a comprehensive framework for banks and financial institutions to ensure the security and integrity of their IT systems.
Download and References
The Nepal Rastra Bank IT Guidelines, 2012 can be downloaded from the official website of the Nepal Rastra Bank. The download link is given here: Nepal Rastra Bank IT Guidelines, 2012.
If you want to download the summary explained on this page instead, you can also save this page as a pdf file using the save feature of Google Chrome or any other browser you are using.
Nepal Rastra Bank IT Guideline is a very important part of the banking sector, especially when you are preparing for Banking employment exams conducted for recruitment. In fact, it has been asked almost every year for every level of the candidate in the Public Service Commission’s examination.
Comments are closed.