RBI ITGRCA Master Direction 2023

RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, 2023. Covers IT governance structure (IT Strategy Committee, IT Steering Committee, Head of IT), IT services management, IT risk management, business continuity, and Information Systems audit. Applicable to banks, NBFCs, AIFIs, and Credit Information Companies.

Composition

55 controls currently indexed; participates in 31 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Anti-malware protection with EDR and email/web safeguards
• Authentication architecture and multi-factor authentication
• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
• Board-level IT/IT Strategy Committee with documented charter
• Business continuity and ICT recovery readiness
• Centralised logging with retention, tamper protection, and integrity
• Change management — IT systems, configuration, supplier services, risk
• Comprehensive asset inventory with classification and ownership
• Cryptographic controls, key management, and post-quantum readiness
• Cyber resilience metrics — KPIs, KRIs, Board reporting cadence
• Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
• Cyber security roles, responsibilities, and authority — Board through operational team
• Data Loss Prevention — multi-channel egress protection
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Data-at-rest protection — encryption, access, processor controls
• DevSecOps maturity — security-as-code, pipeline-enforced controls, API security
• Incident response execution — detection through eradication, recovery, and lessons learned
• Incident response plan preparation, independent review, and risk-response planning
• Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
• Multi-regulator incident notification with coordinated submission timelines
• Network protection — segmentation, monitoring, perimeter, and data leak prevention
• Physical access controls — secure areas, entry monitoring, asset protection
• Privileged access management and access rights lifecycle
• Ransomware-resilient backup architecture
• Secure configuration baselines and hardening discipline
• Security Operations Centre — SIEM, EDR, forensics, MITRE-aligned detection
• Software installation discipline — authorised software, configuration, source code access
• VAPT cycle — vulnerability assessment and penetration testing programme
• Vulnerability management programme — discovery, prioritisation, remediation
• Workforce security awareness, role-based training, and human-factor controls