RBI Cyber Security Framework

RBI Cyber Security Framework for banks, NBFCs and payment system providers (2 June 2016 + amendments). Layered with RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (April 2024) and Master Direction on Cyber Resilience and Digital Payment Security Controls (July 2024) for non-bank PSOs. Level 4 (Maturing) controls include zero trust, post-quantum cryptography readiness, DevSecOps, CSPM, API security, threat hunting, SOAR, threat intel platform, AI cyber resilience (FREE-AI nexus), crisis communications, cyber range, and resilience scoring.

Composition

60 controls currently indexed; participates in 42 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• AI post-deployment monitoring and incident response
• AI principles — Seven Sutras + ISO 42001 + NIST + EU AI Act literacy
• Anti-malware protection with EDR and email/web safeguards
• Authentication architecture and multi-factor authentication
• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
• Business continuity and ICT recovery readiness
• CISO role — independence, authority, Board access
• Centralised logging with retention, tamper protection, and integrity
• Change management — IT systems, configuration, supplier services, risk
• Cloud Security Posture Management — continuous configuration assessment
• Comprehensive asset inventory with classification and ownership
• Continuous monitoring of networks, systems, applications, and outsourced development
• Cryptographic controls, key management, and post-quantum readiness
• Cyber resilience metrics — KPIs, KRIs, Board reporting cadence
• Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
• Cyber security roles, responsibilities, and authority — Board through operational team
• Data Loss Prevention — multi-channel egress protection
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Data localisation — DPDPA SDF traffic data + sectoral requirements
• DevSecOps maturity — security-as-code, pipeline-enforced controls, API security
• Forensic capability and evidence collection
• Incident response execution — detection through eradication, recovery, and lessons learned
• Incident response plan preparation, independent review, and risk-response planning
• India-specific AI risk classification reflecting societal context
• Multi-regulator incident notification with coordinated submission timelines
• Network protection — segmentation, monitoring, perimeter, and data leak prevention
• Network segmentation with zero-trust principles
• PCI DSS PAN protection — storage minimisation, masking, encryption
• PCI DSS v4.0.1 universal MFA expansion to all CDE access
• Physical access controls — secure areas, entry monitoring, asset protection
• Privileged access management and access rights lifecycle
• Ransomware-resilient backup architecture
• Secure SDLC — threat modelling, secure coding, SAST/DAST, dependency scanning, DevSecOps
• Secure configuration baselines and hardening discipline
• Security Operations Centre — SIEM, EDR, forensics, MITRE-aligned detection
• Security reporting governance — CISO, DPO, incident reporting, compliance reporting
• Software installation discipline — authorised software, configuration, source code access
• VAPT cycle — vulnerability assessment and penetration testing programme
• Vulnerability management programme — discovery, prioritisation, remediation
• Workforce security awareness, role-based training, and human-factor controls
• Zero Trust Architecture — never trust, always verify