Friday, September 2, 2022

NRB IT Policy and Guidelines 2012 (2067) | Loksewa IT Engineers 2079

Q. Write down the major areas covered by NRB IT Guidelines 2012 (NRB IT Policy 2067). (10)

Answer:
NRB has formulated the IT policy for its own implementation and for all licensed banks and financial institutions. The Nepal Rastra Bank formulates its own information technology guidelines (NRB IT Guidelines). NRB's IT policy has the following objectives:
  • Ensure that IT infrastructure is stable, secure, and standardized.
  • Ensure the confidentiality, integrity, and availability of information.
  • Increase awareness of the IT system in order to increase efficiency, effectiveness, and economy.
  • Minimize IT-related risks.
  • Ensure that the financial sector's information system operates efficiently.


The major areas covered by NRB IT Guidelines 2012 (2068 B.S.) are:

1) IT Governance
  • The use of IT resources by a bank should be efficient, effective, and economical in order to satisfy the bank's business demands.
  • It is important for risk management policies to consider IT-related risks.
  • Before adopting a new technology or system, a bank needs to perform a detailed risk analysis.
  • Banks should monitor and measure the performance of their IT functions and report to appropriate management levels.
2) Information Security
  • A bank should harden its systems, which means that its OS, firewall, and system software should be configured with the highest level of security.
  • The bank should maintain a comprehensive mechanism to protect itself against computer viruses.
  • Secure cryptographic techniques and end-to-end encryption should be used by banks to protect customer PINs, user passwords and other sensitive information.
  • All ATMs should be equipped with CCTV systems and appropriate lighting.
  • To safeguard their web applications and databases, banks should implement adequate security measures.
3) Information Security Education
  • A bank should implement an information security awareness program and periodically conduct it among its employees, vendors, customers, and other concerned parties.
  • Ensure that customers are adequately educated so that they are able to conduct banking operations securely.
  • It is important for banks to use appropriate customer authentication systems when accessing their systems.
4) Information Disclosure and Grievance Handling
  • Banks should provide clear information about the dispute resolution process in case of security breaches or fraudulent account access.
  • The website of a bank should include information about their security and privacy policies as well as fees and commissions.
  • If a customer complains, the bank shall handle the grievance.
  • Banks should inform their customers clearly about the risks and benefits of e-banking, online banking, and mobile banking.
5) Outsourcing Management
  • Banks should ensure that their service providers can provide the performance, reliability, capacity, and security that they require.
  • Before entering into an outsourcing agreement, a bank should evaluate the economic, social, and political risks.
  • Banks should ensure that outsourcing agreements do not adversely affect the quality and availability of banking services.
6) IT Operations
  • A safe environment for IT operation should be ensured by the board and higher management.
  • In order to deliver timely, reliable, secure information, banks should have adequate hardware, software, and operating capabilities.
  • IT risk assessments should be conducted periodically by banks.
7) IT Disaster Recovery and Business Continuity Planning
  • Business continuity planning (BCP) frameworks have become more critical with the introduction of the electronic delivery channel and 24/7 service availability.
  • BCPs should consider all potential manmade and natural disasters, security threats, regulatory requirements, and outsourcing dependencies.
  • In order to maintain a 'fail-safe system' with minimum downtime, a bank needs to maintain an economic, efficient, and effective disaster recovery system.
8) Information System Acquisition, Development, and Implementation
  • Inadequate testing and bad design contribute to many software failures.
  • Security requirements should be met by applications that handle customer financial information.
  • Prior to implementing the system, all vulnerabilities, loopholes, and defects should be fixed.
9) Information System Audit
  • A bank should conduct periodic IS audits to ensure that the controls framework and security procedures are effective.
  • An external IS auditor should be appointed if the bank does not have enough staff.
10) Fraud Management
  • In order to submit a report to Nepal Rastra Bank, a bank should identify and document all electronic attacks.
  • A customer should be informed about fraud and how to identify, avoid, and protect against it.

Nepal Rastra Bank (NRB) IT Policy
The NRB IT policies are described below:
  • Achieve efficient, effective and economic IT operation by implementing appropriate IT systems, such as Financial Information Systems (FIS), Management Information Systems (MIS), Enterprise Resource Planning Systems (ERPs), Real-time Gross Settlement Systems (RTGS), Scripless Security Settlement Systems (SSSS), etc.
  • Ensure that physical IT infrastructure is well-structured, secure, and properly documented.
  • Ensure information security at multiple levels.
  • Implement an audit of IT systems.
  • Develop, implement, and maintain a data backup and recovery policy.
  • Maintain a Disaster Recovery Planning (DRP) System that is efficient, effective, and economically feasible so that the system is a "fail safe system" with little downtime. In addition, develop and maintain a Business Continuity Plan (BCP).
  • Implement IT outsourcing and third-party involvement mechanisms.
  • Ensure that all offices have a uniform and legitimate IT infrastructure.
  • Provide IT directives to banks and financial institutions that are licensed.
  • Standardize IT procurement and monitor it as technology changes.
  • Implement an "NRB IT Code of Conduct" to ensure proper use of IT resources at the NRB.
  • Enhance the capacity building of employees in information technology.
These guidelines and policies are intended to regulate and guide IT-related activities in commercial banks with the aim of strengthening banks to deal with emerging cyber frauds, manage information technology prudently and reduce risks associated with IT implementation.

Send us more questions; we will provide the solutions.

Thank You! Stay Safe.

@missionofficer
