← Frameworks / Regulatory

RBI Cyber Security Framework in Banks & Master Direction on IT Governance

India's mandatory cybersecurity framework for scheduled commercial banks, NBFCs, and financial institutions regulated by the Reserve Bank of India. Combines the 2016 Cyber Security Framework (24 baseline control areas covering SOC, network security, access control, incident reporting) with the 2023 Master Direction on IT Governance, Risk, Controls and Assurance Practices (ITGRCA) covering IT governance, infrastructure management, risk assessment, BCP/DR, and IS audit. Requires 2-6 hour incident reporting to RBI and CERT-In notification.

Clauses: 51

Avg Coverage: 76.7%

Publisher: Reserve Bank of India (RBI) Version: 2016/2023

RBI CSF → SP 800-53 SP 800-53 → RBI CSF Coverage Analysis

Clause	Title	SP 800-53 Controls
Annex1.1	Inventory Management of Business IT Assets	CM-08 CM-09 CM-12 PM-05 RA-09
Annex1.2	Preventing Execution of Unauthorised Software	CM-07 CM-10 CM-11 CM-14 SI-07 SI-16
Annex1.3	Environmental Controls	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18
Annex1.4	Network Management and Security	SC-07 SC-08 AC-04 SI-04 SC-05 SC-20 SC-21 SC-22 SC-32 SC-47 CM-06
Annex1.5	Secure Configuration	CM-02 CM-03 CM-06 CM-07 CM-05 SC-41
Annex1.6	Application Security Life Cycle	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17 SA-20 SA-21 CM-04
Annex1.7	Patch/Vulnerability and Change Management	SI-02 CM-03 CM-04 CM-05 RA-05 RA-07
Annex1.8	User Access Control and Management	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-11 AC-12 IA-01 IA-02 IA-04 IA-05 IA-12 PS-04 PS-05
Annex1.9	Authentication Framework for Customers	IA-02 IA-05 IA-08 IA-12 SC-23 AC-07
Annex1.10	Secure Mail and Messaging Systems	SC-08 SI-08 SC-07 SC-13
Annex1.11	Vendor Risk Management	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06 SA-21 PS-07
Annex1.12	Removable Media	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 MP-08 SC-41
Annex1.13	Advanced Real-time Threat Defence and Management	SI-03 SI-04 SI-05 SC-44 SC-26 RA-10 PM-16 SC-35
Annex1.14	Anti-Phishing	SI-08 AT-02 AT-06 SC-07
Annex1.15	Data Leak Prevention Strategy	SC-07 SC-28 AC-04 MP-04 AC-23 SI-19 SI-20 PT-02 PT-03
Annex1.16	Maintenance, Monitoring and Analysis of Audit Logs	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12 AU-13 SI-04
Annex1.17	Audit Log Settings	AU-02 AU-03 AU-08 AU-09 AU-12 AU-14
Annex1.18	Vulnerability Assessment, Penetration Test and Red Team Exercises	CA-02 CA-08 RA-05 PM-14 RA-09 RA-10
Annex1.19	Incident Response and Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09
Annex1.20	Risk-Based Transaction Monitoring	SI-04 AU-06 AU-13 AC-04 PM-16
Annex1.21	Metrics	PM-06 CA-07 PM-14 PM-31
Annex1.22	Forensics	AU-06 AU-09 AU-10 AU-11 IR-04 IR-09
Annex1.23	User/Employee/Management Awareness	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PM-13 PM-15
Annex1.24	Customer Education and Awareness	AT-02 PM-27 PT-06
ITGRCA.4	IT Governance Framework	PM-01 PM-02 PM-03 PM-09 PL-01 PL-08 PL-09
ITGRCA.5	Role of Board of Directors	PM-01 PM-02 PM-09 PS-09
ITGRCA.6	IT Strategy Committee of the Board	PM-01 PM-02 PM-07
ITGRCA.7	Senior Management and IT Steering Committee	PM-01 PM-02 PM-03 PM-09 PM-29
ITGRCA.8	Head of IT Function	PM-02 PS-09
ITGRCA.9	IT Services Management	CM-03 SI-02 IR-04 CA-07 SI-13 SA-09
ITGRCA.10	Third-Party Arrangements	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06 SA-21 PS-07 PM-30
ITGRCA.11	Capacity Management	AU-04 CP-02 SC-05 SI-13 PE-11
ITGRCA.12	Project Management	SA-03 SA-04 SA-15 PM-07 SA-20
ITGRCA.13	Change and Patch Management	CM-03 CM-04 CM-05 SI-02 RA-05 RA-07
ITGRCA.14	Data Migration Controls	CM-03 CM-04 SI-07 SA-10 MP-04 MP-05
ITGRCA.15	Audit Trails	AU-01 AU-02 AU-03 AU-06 AU-08 AU-09 AU-10 AU-11 AU-12 AU-14
ITGRCA.16	Cryptographic Controls	SC-12 SC-13 SC-08 SC-28 SC-17 IA-07
ITGRCA.17	Straight Through Processing	SI-07 SI-10 AC-04 AU-02
ITGRCA.18	Physical and Environmental Controls	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18 PE-20
ITGRCA.19	Access Controls	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-11 AC-12 AC-16 AC-24 IA-01 IA-02 IA-04 IA-05 IA-06 IA-12
ITGRCA.20	Controls on Teleworking	AC-17 AC-19 AC-20 SC-08 SC-10 SC-23 PE-17
ITGRCA.21	Metrics	PM-06 CA-07 PM-14 PM-31
ITGRCA.22	Periodic Review of IT-Related Risks	RA-01 RA-03 RA-07 RA-09 PM-09 PM-28 CA-05
ITGRCA.23	IT and Information Security Risk Management Framework	PM-01 PM-09 RA-01 RA-03 PM-28 RA-07 RA-09 PL-09 PM-29 PM-30 PM-32
ITGRCA.24	Information Security Policy and Cyber Security Policy	PM-01 PL-01 PM-09 PM-10 PM-11 PM-24
ITGRCA.25	Risk Assessment	RA-01 RA-02 RA-03 RA-05 RA-07 RA-08 RA-09
ITGRCA.26	Vulnerability Assessment / Penetration Testing	CA-02 CA-08 RA-05 PM-14 RA-09 RA-10
ITGRCA.27	Cyber Incident Response and Recovery Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 CP-02 CP-10
ITGRCA.28	BCP and DR Policy	CP-01 CP-02 CP-03 CP-04 PM-08 PM-09 PM-11
ITGRCA.29	Disaster Recovery Management	CP-02 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13 SC-24 SI-17
ITGRCA.30	IS Audit	CA-02 CA-07 AU-06 CA-05 PM-14 CA-06