CBS Handbook 241111 132305 251003 145102

The document outlines a handbook on cybersecurity controls for Core Banking Solutions (CBS) in Urban Cooperative Banks (UCBs), emphasizing the importance of implementing robust IT and cybersecurity measures to mitigate risks. It details various security measures, including those from existing frameworks and additional controls specific to CBS applications, aimed at enhancing the security posture of UCBs. The Reserve Bank of India has initiated training programs to raise awareness and ensure compliance with these cybersecurity standards by December 2023.


Department of Supervision, Central Office

Cyber Security & IT Risk (CSITE) Group

Handbook on Cybersecurity Controls related to Core Banking Solution and its Ecosystem for Urban Cooperative Banks (UCBs)

Preface

Urban Cooperative Banks (UCBs) play an important role in the financial services sector in the country. Though usage of Information Technology (IT) has substantially increased in the UCBs, especially in recent times, deployment of IT systems and processes has not been accompanied by commensurate IT/Cyber Security controls and an associated governance framework, which makes them vulnerable to the ever-expanding threat landscape. Persistence of these control gaps increases their vulnerability all the more when these banks provide payment services (NEFT, RTGS, IMPS, etc.) to their customers 24x7 through mobile banking and internet banking applications.

The modus operandi of recent cyber incidents at a few UCBs has highlighted concerns related to pervading control gaps in the CBS application and its ecosystem in the UCB sector. In every case, lack of implementation of baseline cybersecurity controls led to compromise of critical fields in the CBS database. Also, lack of effective monitoring of digital transactions resulted in fraudulent transactions initiated through NEFT/RTGS over holidays/weekends not being detected in time.

In line with the evolving IT/Cyber Security risks, the Reserve Bank of India has issued necessary instructions and guidelines from time to time to ensure that cyber and IT risks are addressed by banks throughout their journey of technological advancement. Towards this, the Reserve Bank had issued a ‘Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs)’ [1] on October 19, 2018, and thereafter a circular on ‘Comprehensive Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) – A Graded Approach’ [2] on December 31, 2019. This was followed by release of the "Technology Vision for Cyber Security - 2020-2023" for UCBs on September 24, 2020, for enhancing their cybersecurity posture. This Vision Document envisages, among other things, providing targeted skill-oriented training and certification programmes to all the UCBs to facilitate awareness of the cyber security framework and help in implementing the IT and cyber security measures by the UCBs. A nation-wide initiative for a Certification Training Programme for UCBs, ‘AVTU’ (Awareness Vriddhi Trainings for UCBs on Cyber Security Resilience Framework), was launched by the RBI to train the Board Members and employees of all the UCBs across the country by December 2023.

[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11397&Mode=0
[2] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11772&Mode=0

While the baseline cybersecurity controls mentioned in the above circulars cover the overall cybersecurity aspects and need to be implemented by the banks in true spirit, a need is felt to share certain granular controls related to the CBS ecosystem, which are relevant from the perspective of recent cyber security incidents and would help the banks in mitigating some of the critical cyber risks observed recently.

I am hopeful that UCBs will find these controls useful and will implement them in true spirit to build a more resilient UCB sector.

Date: December 30, 2022

T K Rajan
Chief General Manager
Table of contents

S.No  Particulars                                                          Page No.
-     Preface                                                              2
1     Introduction                                                         5
2     Security measures as per Cyber Security Framework applicable to UCBs 6
3     Additional security measures specific to CBS application             9
4     Other security measures in CBS ecosystem                             11
Introduction

Core Banking System (CBS) is a platform that maintains master data, processes daily banking transactions and updates customer accounts and other financial records based on the transactions carried out. The term CORE stands for Centralized Online Real-time Environment, which implies that the customer can experience the bank as a single entity, regardless of their location, with the aim of giving customers more independence in using their accounts and conducting transactions from any location in the world.

While a CBS solution operates as the golden application for financial/account data management and is a composite solution with various components such as front-end, database, network connectivity, etc., the security controls around the CBS solution are vital for any bank for maintaining and increasing resiliency in cyber space.

List of indicative Cybersecurity controls for CBS

The cybersecurity controls can be classified in 3 categories as follows:

Security measures as per Cyber Security Framework applicable to UCBs
Additional security measures specific to CBS application
Other security measures in CBS ecosystem

It may be mentioned that the ultimate responsibility for enforcing these controls rests with the Boards of the banks.

2.1 Security measures as per Cyber Security Framework applicable to UCBs:

2.1.1 Controls from Basic Cyber Security Framework for Primary UCBs, issued on October 19, 2018:

2.1.1.1 Passwords should be complex and lengthy, and users should not use the same password for all applications/systems/devices.

2.1.1.2 Internet usage, if any, should be restricted to identified standalone computer(s) in the branch of a UCB which are strictly separate from the systems identified for running day-to-day business. If allowed on any such endpoints, the same should be adequately secured through proxy servers on an ongoing basis.

2.1.1.3 Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating systems and application software running on the systems.

2.1.1.4 Remote access to computers/servers/other IT systems over a network or over the internet should always be disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored. Such access should be stopped immediately if logging and effective monitoring mechanisms are not implemented.

2.1.1.5 Implement appropriate (e.g., centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems.

2.1.1.6 End-users should be made aware never to click links in, or open or download attachments from, emails received from unknown sources.

2.1.2 Controls from Comprehensive Cyber Security Framework for Primary UCBs, A Graded Approach, issued on December 31, 2019:

2.1.2.1 UCBs shall put in place two-factor authentication for accessing their CBS and applications connecting to the CBS, with the 2nd factor being dynamic in nature.

2.1.2.2 The development/test and production environments need to be properly segregated. The data used for development and testing should be appropriately masked.

2.1.2.3 The software/application development approach should incorporate secure coding principles, security testing (based on global standards) and secure rollout.

2.1.2.4 The bank must ensure that VAPT of the IT infrastructure is done wherever it has taken shared infrastructure hosting its CBS application, and must obtain the relevant reports from the vendor.

2.1.2.5 The audit logs must capture, at a minimum, the information needed to uniquely identify each log entry, for example a date, timestamp, source addresses and destination addresses. Such arrangements should facilitate forensic auditing, if need be.

2.1.2.6 An alert mechanism should be set up to monitor any change in the log settings.

2.1.2.7 In respect of CBS, the vendor may provide assurance that the application is free from embedded malicious/fraudulent code. Ensure that software/application development practices adopt the principle of defence in depth to provide a layered security mechanism.

2.1.2.8 Data [3] should be appropriately secured at rest as well as in transit (by using methodologies such as encryption/hashing, etc.).

2.1.2.9 UCBs should have a robust change management process in place to record/monitor all the changes that are moved/pushed into the production environment. Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes that ensure the integrity of any changes thereto.

2.1.2.10 UCBs are responsible for meeting the requirements prescribed for incident management and BCP/DR even if their IT infrastructure, systems, applications, etc., are managed by third-party vendors/service providers.

[3] The indicative data fields are KYC information and card-related information.

2.2 Additional security measures specific to CBS application:

a) CBS should facilitate Role Based Access Controls (RBAC).
b) Active Directory authentication must be enabled in the CBS.
c) All passwords should be securely stored (for example, using hashing and salting).
d) Password complexity should be enforced as per the password policy of the bank. Further, the password should be mandatorily changed after first login by the user. Also, the password should be mandatorily changed at defined intervals.

e) CBS should allow only one active session per user.
f) CBS should facilitate enabling time-based administrative access to the CBS application.
g) UCBs (Level IV, Level III and Level II having digital payment services) may consider implementing suitable tools/mechanisms for ensuring time-based access to the CBS database for non-application users.
h) A method to assure the integrity of critical fields of the data (such as account balance) in the CBS database should be maintained (for example, by implementing a checksum).
i) Data in the critical fields should be appropriately masked for front-end display through the CBS application (critical fields should be displayed only to the extent required).
j) CBS should have the facility to generate a list of all internal accounts (active and inactive) at any point of time.
k) CBS should facilitate maintenance of user-wise transaction limits, user working time and holiday calendar.
l) All entries in CBS, irrespective of whether they have any financial impact, should include maker-checker controls.
m) Controls such as client IP validation and allowing connections to secured APIs only should be configured for establishing trusted connections.
n) CBS should not be accessible using end-of-life/end-of-support versions of web browsers.
o) Comprehensive application security testing shall be done periodically, and also after any major change, for the CBS application deployed at the bank.
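The checksum in control h) and the masking in control i) above, shown as an added Python example that is not part of the handbook or any CBS product. It assumes a keyed HMAC as the checksum and hypothetical field names; the key placeholder stands for a secret held outside the database, so that an edit made directly in the database (bypassing the application) is detected on the next read or integrity run.

```python
import hashlib
import hmac
import json

# Constructed sample rows of a hypothetical CBS "accounts" table.
ACCOUNTS = [
    {"account_no": "1234567890123", "balance": "15230.50", "status": "ACTIVE"},
    {"account_no": "9876543210987", "balance": "800.00", "status": "ACTIVE"},
]

# Placeholder key. It must be held outside the database (HSM/app secret
# store): if it sat in the DB, whoever can edit a balance could also recompute
# the checksum, and the control would detect nothing.
CHECKSUM_KEY = b"placeholder-key-kept-outside-the-db"
CRITICAL_FIELDS = ("account_no", "balance", "status")

def critical_checksum(row, key=CHECKSUM_KEY):
    """HMAC-SHA256 over the critical fields in canonical order; including
    account_no stops a valid checksum being copied onto another row."""
    canonical = json.dumps([row[f] for f in CRITICAL_FIELDS], separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def seal(row):
    """Application write path: store the checksum alongside the row."""
    sealed = dict(row)
    sealed["checksum"] = critical_checksum(row)
    return sealed

def verify(row):
    """Read path / periodic integrity job: recompute and compare in constant time."""
    return hmac.compare_digest(critical_checksum(row), row.get("checksum", ""))

def find_tampered(rows):
    """Account numbers whose critical fields no longer match their checksum."""
    return [r["account_no"] for r in rows if not verify(r)]

def mask_account_no(account_no, visible=4):
    """Front-end display (control 2.2 i): show only the last few digits."""
    return "X" * (len(account_no) - visible) + account_no[-visible:]

if __name__ == "__main__":
    table = [seal(r) for r in ACCOUNTS]
    print("clean:", find_tampered(table))       # []
    table[1]["balance"] = "9800000.00"          # direct DB edit bypassing the application
    print("tampered:", find_tampered(table))    # ['9876543210987']
    print(mask_account_no("1234567890123"))     # XXXXXXXXX0123
```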

2.3 Other security measures in CBS ecosystem:

a) Direct access to the critical CBS database should be restricted and, wherever allowed, should be closely monitored.
b) All API access should also be appropriately secured and logged.
c) Grant/revocation of user access is to be managed by a centralised team.
d) Generic user IDs shall be avoided, and any in use shall be identifiable with the concerned officials.
e) An approved user role matrix for the CBS shall be defined.
f) A mechanism for real-time monitoring of user account activities such as biometric disabling, user account creation, modification, allocation of profiles, privilege escalation, etc., shall be in place.
g) A list of authorised users of CBS along with their user privileges should be readily available, and the usage of privileged accounts shall be monitored closely. Review of the authorised users may be done periodically. User privileges shall be decided on a "need to know/need to do" basis.

h) Access to CBS is to be restricted to the Bank’s intranet only (refer to para 2.1.1.4 for exceptions).
i) Only secured services (e.g., HTTPS and SFTP) should be allowed for CBS operations.
j) A risk assessment should be performed before using any open-source technology element for developing the CBS application.
k) KYC document images should be made visible in CBS on a need-to-know basis.
l) Debit card data should not be stored in the CBS database. In case it needs to be saved, it should be encrypted/securely stored.
m) A real-time performance monitoring tool for the CBS application (memory and CPU) shall be available with the bank for performance monitoring.
n) Audit logs of critical activities such as bypassing of biometric login/MFA, user account profile changes, allocation of the highest privilege to users, etc., shall be enabled in CBS.
o) Secure configuration: the bank shall maintain hardening documents approved at appropriate levels, and the configurations shall accordingly be reviewed periodically.
p) Reconciliation of payment (RTGS/NEFT/IMPS, etc.) messages shall be undertaken frequently (preferably daily) by comparing outward payments with CBS confirmations (in case of doubt, confirmation from the respective branch, etc., shall be taken).
q) Banks shall introduce an additional layer of approval for all payments (RTGS/NEFT/IMPS, etc.) exceeding a particular threshold, which can be decided internally on the basis of business volumes and trends. Such approval shall preferably be centralised.
r) Secure code and functional testing may be carried out after any major change in the CBS application.
s) There shall be a process to maintain and review the list of exceptional transactions (large value transactions, new beneficiaries, etc.) carried out during weekends and public holidays.

t) The bank shall have a detailed SLA with IT vendors with clear demarcation of roles and responsibilities.
u) Security and functional issues of the interfaces between CBS and other critical applications (treasury, RTGS, ATM Switch, SWIFT, Trade Finance/Remittances) shall be reviewed and addressed holistically.
v) The total number of unsecured communication channels/APIs/interfaces (those that do not preserve the confidentiality and integrity of data/information in transit within the bank) shall be reviewed, and they shall be closed after conducting a proper risk assessment.
w) The bank shall implement a mechanism to suitably monitor and review CBS database access. In this regard, Level III and Level IV UCBs must implement a tool-based review mechanism for the monitoring of database logs. Level II UCBs offering digital payment services (like IMPS, UPI, internet banking, mobile banking, etc.) may also implement a tool-based review mechanism for the monitoring of database logs.
x) Manual interventions in transaction processing may be avoided; modification of Master Data (if done) shall be with proper documentation and availability of an audit trail. Any instances of deviations/exceptions shall be recorded and reviewed.
y) The CBS application shall have a logout function (auto-logout mechanism) after a stipulated time of inactivity.
z) User IDs shall be unique for all users across entities.
aa) Configuration files shall be secured and only accessible on a need-to-know basis.
bb) The CBS application as well as mobile banking/internet banking applications should have provision for time-based and value/volume-based controls for enforcing appropriate controls on transactions after business hours, based on their risk appetite, etc., if required.
cc) UCBs are to design and implement/modify the existing architecture to ensure that applications like mobile banking, internet banking, etc. communicate with the CBS database through the common interface of the CBS application.
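Controls p), q) and s) above, as one added Python example that is not part of the handbook: it reconciles outward payment messages against CBS confirmations, lists the exceptional weekend/holiday transactions (large value or new beneficiary) for review, and checks that payments above the bank's threshold carry the additional approval. Field names, amounts, the threshold values and the holiday entry are all constructed for illustration and do not follow any real NEFT/RTGS message format.

```python
from datetime import date

# Constructed sample data; field names and values are hypothetical, not a real CBS or payment message format.
HOLIDAYS = {date(2022, 10, 24)}       # bank holiday calendar (sample entry)
APPROVAL_THRESHOLD = 500000.0         # bank-decided threshold for control (q), sample value
LARGE_VALUE = 200000.0                # "large value" cut-off for control (s), sample value
KNOWN_BENEFICIARIES = {"BEN001", "BEN002"}

# Outward payment messages as sent to the payment system (Oct 22 is a Saturday).
OUTWARD = [
    {"ref": "T1", "date": date(2022, 10, 21), "amount": 50000.0, "beneficiary": "BEN001", "approvals": 1},
    {"ref": "T2", "date": date(2022, 10, 22), "amount": 750000.0, "beneficiary": "BEN999", "approvals": 1},
    {"ref": "T3", "date": date(2022, 10, 24), "amount": 250000.0, "beneficiary": "BEN002", "approvals": 2},
    {"ref": "T4", "date": date(2022, 10, 25), "amount": 10000.0, "beneficiary": "BEN001", "approvals": 1},
]
# Amounts CBS confirmed for each reference: T4 is absent and T2 disagrees.
CBS_CONFIRMED = {"T1": 50000.0, "T2": 75000.0, "T3": 250000.0}

def is_non_business_day(d, holidays=HOLIDAYS):
    """Saturday, Sunday or a listed public holiday."""
    return d.weekday() >= 5 or d in holidays

def reconcile(outward, confirmed):
    """Control (p): outward messages with no matching CBS confirmation."""
    issues = []
    for tx in outward:
        cbs_amt = confirmed.get(tx["ref"])
        if cbs_amt is None:
            issues.append((tx["ref"], "no CBS confirmation"))
        elif cbs_amt != tx["amount"]:
            issues.append((tx["ref"], f"amount mismatch: CBS {cbs_amt} vs outward {tx['amount']}"))
    return issues

def exceptional_transactions(outward, known=KNOWN_BENEFICIARIES):
    """Control (s): large-value or new-beneficiary payments on weekends/holidays."""
    flagged = []
    for tx in outward:
        if not is_non_business_day(tx["date"]):
            continue
        reasons = []
        if tx["amount"] >= LARGE_VALUE:
            reasons.append("large value")
        if tx["beneficiary"] not in known:
            reasons.append("new beneficiary")
        if reasons:
            flagged.append((tx["ref"], reasons))
    return flagged

def missing_second_approval(outward, threshold=APPROVAL_THRESHOLD):
    """Control (q): payments above the threshold must carry the additional approval."""
    return [tx["ref"] for tx in outward if tx["amount"] > threshold and tx["approvals"] < 2]
```

Run daily over the previous day's outward file and CBS extract; each returned list is a review item for the centralised approval/reconciliation team rather than an automatic block.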
