New Guidelines on Information Technology (IT) Governance for Regulated Entities (REs)

What are the new guidelines on Information Technology (IT) Governance for Regulated Entities (REs)?

• The REs have been mandated to put in place a robust IT governance framework to cover focus areas like strategic alignment, risk and resource management performance, and Business Continuity/Disaster Recovery Management.
• This framework should specify the governance structure and processes necessary to meet the RE’s business/strategic objectives.
• The framework will specify the roles (including authority) and responsibilities of the Board of Directors, board-level Committee, and Senior Management. 
• It will also address the issue of adequate oversight mechanisms to ensure accountability and mitigation of IT and cyber/information security risks.
• The enterprise-wide risk management policy or operational risk management policy will incorporate periodic assessments of IT-related risks (both inherent and potential risks).
• The board of RE would approve the strategies and policies related to IT, Information Assets, Business Continuity, Information Security, and Cyber Security (including Incident Response and Recovery Management/Cyber Crisis Management). They should review such strategies and policies at least annually.
• IT strategy committee (ITSC):
  • The RE will establish a Board-level IT Strategy Committee (ITSC), which will comprise a minimum of three directors.
  • Its chairman would be an independent director and carry substantial expertise in managing/guiding information technology initiatives.
  • The ITSC should meet at least on a quarterly basis.
  • The committee will ensure that the RE has put an effective IT strategic planning process in place and will guide in preparation of IT strategy and ensure that the IT strategy aligns with the overall strategy of the RE towards accomplishment of its business objectives.
• The guidelines mandate REs to establish an IT steering committee with representation at senior management level from IT and business functions.
  • This committee will assist the ITSC in strategic IT planning, oversight of IT performance and aligning IT activities with business needs, and will oversee the processes put in place for business continuity and disaster recovery.
  • It will also ensure implementation of a robust IT architecture meeting statutory and regulatory compliance.
• Every IT application, which can access or affect critical or sensitive information, shall have necessary audit and system logging capability and should provide audit trails. 
  • The audit trails shall satisfy a RE’s business requirements apart from regulatory and legal requirements.
  • The audit trails must be detailed enough to facilitate the conduct of audit, serve as forensic evidence when required and assist in dispute resolution, including for non-repudiation purposes.

Q1) What are audit trails?

An audit trail is a date and time-stamped record of the history and details around a transaction, work event, product development step, control execution, or financial ledger entry. Almost any type of work activity or process can be captured in an audit trail, whether automated or manual. Different fields will have audit trails that exist in a variety of forms to capture their unique areas of focus, but the overarching theme and purpose of the audit trail is to track a sequence of events and actions in chronological order. 

Source: New IT regime for regulated entities from April 1: RBI