Information Technology Policy

Reserve Bank of India vide its circular RBI/DNBS/2016-17/53 (Master Direction DNBS. PPD.No.04/66.15.001/2016-17) of June 8, 2017 has given guidelines for Information Technology Framework for the NBFC sector (“Guidelines”). These Guidelines aim to enhance safety, security, efficiency in processes leading to benefits for NBFCs and their customers. NBFCs, pursuant to these Guidelines, are required to conduct a formal gap analysis between their present status and stipulations as set out in the Guidelines and put in place a time-bound action plan to address the gap.

This IT Framework falls within the scope of Section B of the Guidelines i.e. NBFCs with asset size of below INR 500 crores (Indian Rupees Five Hundred Crores only).

IT governance is an integral part of corporate governance of NBFC, and effective IT governance is the responsibility of the board of directors of NBFC (“Board”) and its executive management.

NBFC has designated a board member as the Chief Information Officer (“CIO”) of its IT operations and the Board exercises oversight on the CIO. The CIO ensures implementation of this IT Framework which, inter alia, includes (i) Security aspects; (ii) User Role; (iii) Information Security and Cyber Security; (iv) Business Continuity Planning Policy; (v) Back-up Data. For the purpose of effective implementation of this IT Framework, the CIO shall ensure technical competence at senior/middle level management of NBFC. The CIO is also responsible for periodic assessment of the IT training requirements to ensure the availability of sufficient, competent and capable human resources in NBFC.

SECURITY ASPECTS

1. Password Policy

All users are responsible for keeping their passwords secure and confidential. Users' password credentials must comply with the password parameters (“Complexity Requirements”) and standards laid down in this IT Framework. Passwords must not be shared with or made available to anyone in any manner that is not consistent with this IT Framework.

The Complexity Requirements for setting passwords are as follows:

• A strong password must be at least 8 (Eight) characters long.
• It must not contain any of the user's personal information, specifically his/her real name, user name or company name.
• It must differ substantially from the passwords the user has used previously.
• It must not contain any word spelled out completely.
• It must contain characters from all four primary categories, i.e. uppercase letters, lowercase letters, numbers and special characters (symbols).
• To limit the period for which a compromised password can be misused, users are encouraged to change their password every 30 (Thirty) days.
• Passwords must not be stored in readable form on computers without access control systems or in other locations where unauthorized persons might discover them. Passwords must not be written down and left in a place where unauthorized persons might discover them.
• Upon assignment of the initial password, and in every password “reset” situation, the user must change the password immediately to ensure confidentiality of all information.
• Under no circumstances shall a user use another user's account or password without proper authorization.
• Under no circumstances shall a user share his/her password(s) with other user(s), unless the user has obtained the necessary approval from the concerned branch manager/IT head. Where a password is shared in accordance with the above, the user is responsible for changing that password immediately upon completion of the task for which it was shared.
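The following Python check is an added illustration of how the Complexity Requirements above can be enforced at password-change time; it is not part of the policy text. The word list is a constructed stand-in for a real dictionary, and previous passwords are assumed to be kept as salted PBKDF2 digests rather than in readable form.

```python
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 8  # policy: a strong password is at least 8 characters long
# The four primary character categories named in the Complexity Requirements.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed stand-in for a real word list ("no word spelled out completely").
DICTIONARY_WORDS = {"password", "welcome", "finance", "summer", "admin"}


def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so the history of old passwords is never kept in readable form."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reused(password, history):
    """True if the candidate equals any earlier password; history holds (salt, digest) pairs."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def check_password(password, user_name, real_name, company_name, history=()):
    """Return the Complexity Requirements the candidate violates (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for label, value in (("user name", user_name), ("real name", real_name),
                         ("company name", company_name)):
        # Personal information: any word of three or more letters taken from the name.
        if any(len(w) >= 3 and w in lowered for w in value.lower().split()):
            violations.append(f"contains {label}")
    missing = [name for name, rx in CATEGORIES.items() if not rx.search(password)]
    if missing:
        violations.append("missing " + ", ".join(missing))
    if any(word in lowered for word in DICTIONARY_WORDS):
        violations.append("contains a complete dictionary word")
    if reused(password, history):
        violations.append("matches a previously used password")
    return violations
```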

2. Access Controls

• Access to NBFC's electronic information and information systems, and to the facilities where they are housed, is a privilege that may be monitored and revoked without notification. All access is further governed by law and by NBFC policies, including but not limited to the requirements laid down in this policy.
• Persons or entities with access to NBFC's electronic information and information systems are accountable for all activities associated with their user credentials. They are responsible for protecting the confidentiality, integrity and availability of information collected, processed, transmitted or stored by NBFC, irrespective of the medium on which the information resides.
• Access must be granted on the basis of least privilege, i.e. only to the resources required by the person's current role and responsibilities.


BUSINESS CONTINUITY PLANNING (BCP)

• BCP forms a significant part of any organisation's overall Business Continuity Management plan, which includes the policies, standards and procedures that ensure continuity, resumption and recovery of critical business processes. BCP at NBFC is also designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster.
• NBFC requires its service providers to develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures. NBFC ensures that each service provider periodically tests its Business Continuity and Recovery Plan, and occasionally conducts joint testing and recovery exercises with the service provider.
• To mitigate the risk of unexpected termination of an outsourcing agreement or liquidation of a service provider, NBFC retains an appropriate level of control over its outsourcing and the right to intervene with appropriate measures so that its business operations continue in such cases without prohibitive expense and without any break in NBFC's operations or its services to customers.
• NBFC ensures that service providers are able to isolate NBFC's information, documents, records and other assets. In appropriate situations, NBFC can remove all its assets, documents, records of transactions and information from the possession of the service provider in order to continue its business operations, or delete, destroy or render the same unusable.
• NBFC also has in place the necessary backup sites for its critical business systems and data centres.
• These plans are tested by NBFC on a regular basis. The results, along with the gap analysis, are placed by the CIO before the Board.

BACK-UP OF DATA WITH PERIODIC TESTING

• To prevent loss of information through destruction of the magnetic media on which it is stored, a periodic backup procedure is carried out. Backing up the information located on shared-access servers is the responsibility of the network administrators.
• Restoration testing is performed periodically, since both hard disks and magnetic tapes are prone to errors. As a general rule, a daily full backup is taken of all critical business applications, and a complete weekly full backup is carried out that also covers file servers and old data kept on servers.


Access control requirements:

1. All users must use a unique ID to access NBFC's systems and applications.
2. Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.
3. Remote access to NBFC systems and applications must use two-factor authentication where possible.
4. System and application sessions must automatically lock after 10 (Ten) minutes of inactivity.

INFORMATION SECURITY AND CYBER SECURITY

1. Information Security

NBFC has an information security framework with the following principles:

• Confidentiality

2. Cyber Security


The Board approves this IT Framework and has overall charge of the operational functions of NBFC. The Board is further responsible for amending this IT Framework in a timely manner in line with NBFC's operations and with any change in the regulations, or any new regulations, issued by the RBI in relation to this IT Framework.