-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #269 from turbot/release/v0.45
Release/v0.45
- Loading branch information
Showing
32 changed files
with
830 additions
and
40 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| ## Overview | ||
|
|
||
| # Overview of RBI ITF NBFC | ||
|
|
||
| The Reserve Bank of India (RBI) introduced the Information Technology Framework (ITF) for Non-Banking Financial Companies (NBFCs) to enhance the IT governance and risk management practices in the NBFC sector. This framework aims to ensure that NBFCs adopt robust IT systems and controls to mitigate risks and safeguard sensitive financial information. | ||
|
|
||
| ## Key Components of the RBI ITF for NBFCs | ||
|
|
||
| ### Governance and Strategy | ||
|
|
||
| - **IT Governance:** NBFCs must establish a formal IT governance framework that aligns with their overall corporate governance structure. This includes defining the roles and responsibilities of the board of directors, senior management, and IT function. | ||
| - **IT Strategy:** NBFCs should develop a comprehensive IT strategy that supports their business objectives and ensures the effective use of technology in delivering financial services. | ||
|
|
||
| ### Risk Management | ||
|
|
||
| - **IT Risk Management:** NBFCs must implement a robust IT risk management framework to identify, assess, and mitigate IT-related risks. This includes conducting regular risk assessments, implementing appropriate controls, and monitoring the effectiveness of these controls. | ||
| - **Business Continuity Planning (BCP):** NBFCs should have a well-defined BCP to ensure the continuity of critical operations in the event of a disruption. This includes developing disaster recovery plans and conducting regular testing of these plans. | ||
|
|
||
| ### Information Security | ||
|
|
||
| - **Data Protection:** NBFCs must implement strong data protection measures to safeguard sensitive customer information. This includes encryption, access controls, and regular security audits. | ||
| - **Incident Management:** NBFCs should have an incident management framework to detect, respond to, and recover from security incidents. This includes establishing an incident response team and maintaining an incident log. | ||
|
|
||
| ### IT Operations | ||
|
|
||
| - **IT Infrastructure:** NBFCs must maintain a reliable and scalable IT infrastructure to support their operations. This includes ensuring the availability, performance, and security of IT systems. | ||
| - **Change Management:** NBFCs should have a formal change management process to manage changes to IT systems and applications. This includes documenting changes, conducting impact assessments, and obtaining necessary approvals. | ||
|
|
||
| ### Compliance and Reporting | ||
|
|
||
| - **Regulatory Compliance:** NBFCs must ensure compliance with relevant regulations and guidelines issued by the RBI and other regulatory bodies. This includes maintaining up-to-date records and submitting required reports to the RBI. | ||
| - **Audit and Assurance:** NBFCs should conduct regular IT audits to assess the effectiveness of their IT controls and identify areas for improvement. This includes engaging external auditors to provide an independent assessment of IT systems and processes. | ||
|
|
||
| ## Benefits of Implementing RBI ITF for NBFCs | ||
|
|
||
| - **Enhanced Security:** Implementing the ITF helps NBFCs strengthen their information security practices and protect sensitive customer data. | ||
| - **Improved Risk Management:** A robust IT risk management framework enables NBFCs to proactively identify and mitigate IT-related risks. | ||
| - **Operational Resilience:** Business continuity planning and disaster recovery measures ensure that NBFCs can maintain critical operations during disruptions. | ||
| - **Regulatory Compliance:** Adhering to the ITF ensures that NBFCs comply with RBI regulations and guidelines, reducing the risk of regulatory penalties. | ||
| - **Increased Customer Trust:** Implementing strong IT governance and risk management practices enhances customer confidence in the NBFC's ability to safeguard their financial information. | ||
|
|
||
| By adhering to the RBI ITF, NBFCs can build a secure and resilient IT environment that supports their business objectives and ensures the protection of sensitive financial information. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| locals { | ||
| rbi_itf_nbfc_v2017_common_tags = merge(local.azure_compliance_common_tags, { | ||
| rbi_itf_nbfc_v2017 = "true" | ||
| type = "Benchmark" | ||
| }) | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017" { | ||
| title = "Reserve Bank of India - IT Framework for NBFC Regulatory Compliance" | ||
| documentation = file("./rbi_itf_nbfc_v2017/docs/rbi_itf_nbfc_v2017_overview.md") | ||
|
|
||
| children = [ | ||
| benchmark.rbi_itf_nbfc_v2017_business_continuity_planning, | ||
| benchmark.rbi_itf_nbfc_v2017_is_audit, | ||
| benchmark.rbi_itf_nbfc_v2017_it_governance, | ||
| benchmark.rbi_itf_nbfc_v2017_it_information_and_cyber_security, | ||
| benchmark.rbi_itf_nbfc_v2017_it_operations | ||
| ] | ||
|
|
||
| tags = local.rbi_itf_nbfc_v2017_common_tags | ||
| } |
56 changes: 56 additions & 0 deletions
56
rbi_itf_nbfc_v2017/rbi_itf_nbfc_business_continuity_planning.sp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| benchmark "rbi_itf_nbfc_v2017_business_continuity_planning" { | ||
| title = "Business Continuity Planning" | ||
| children = [ | ||
| benchmark.rbi_itf_nbfc_v2017_business_continuity_planning_6 | ||
| ] | ||
|
|
||
| tags = local.rbi_itf_nbfc_v2017_common_tags | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017_business_continuity_planning_6" { | ||
| title = "Business Continuity Planning (BCP) and Disaster Recovery-6" | ||
| children = [ | ||
| benchmark.rbi_itf_nbfc_v2017_business_continuity_planning_6_2, | ||
| benchmark.rbi_itf_nbfc_v2017_business_continuity_planning_6_3, | ||
| benchmark.rbi_itf_nbfc_v2017_business_continuity_planning_6_4, | ||
| control.compute_vm_disaster_recovery_enabled, | ||
| control.mariadb_server_geo_redundant_backup_enabled, | ||
| control.mysql_db_server_geo_redundant_backup_enabled, | ||
| control.postgres_db_server_geo_redundant_backup_enabled, | ||
| control.recovery_service_vault_uses_private_link, | ||
| control.recovery_service_vault_uses_private_link_for_backup, | ||
| control.sql_database_long_term_geo_redundant_backup_enabled | ||
| ] | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017_business_continuity_planning_6_2" { | ||
| title = "Recovery strategy / Contingency Plan-6.2" | ||
| children = [ | ||
| control.compute_vm_disaster_recovery_enabled, | ||
| control.mariadb_server_geo_redundant_backup_enabled, | ||
| control.mysql_db_server_geo_redundant_backup_enabled, | ||
| control.postgres_db_server_geo_redundant_backup_enabled, | ||
| control.recovery_service_vault_uses_private_link_for_backup, | ||
| control.sql_database_long_term_geo_redundant_backup_enabled | ||
| ] | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017_business_continuity_planning_6_3" { | ||
| title = "Recovery strategy / Contingency Plan-6.3" | ||
| children = [ | ||
| control.mariadb_server_geo_redundant_backup_enabled, | ||
| control.mysql_db_server_geo_redundant_backup_enabled, | ||
| control.postgres_db_server_geo_redundant_backup_enabled, | ||
| control.recovery_service_vault_uses_private_link_for_backup, | ||
| control.sql_database_long_term_geo_redundant_backup_enabled | ||
| ] | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017_business_continuity_planning_6_4" { | ||
| title = "Recovery strategy / Contingency Plan-6.4" | ||
| children = [ | ||
| control.compute_vm_disaster_recovery_enabled, | ||
| control.recovery_service_vault_uses_private_link, | ||
| control.recovery_service_vault_uses_private_link_for_backup | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| benchmark "rbi_itf_nbfc_v2017_is_audit" { | ||
| title = "IS Audit" | ||
| children = [ | ||
| benchmark.rbi_itf_nbfc_v2017_is_audit_5 | ||
| ] | ||
|
|
||
| tags = local.rbi_itf_nbfc_v2017_common_tags | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017_is_audit_5" { | ||
| title = "Policy for Information System Audit (IS Audit)-5" | ||
| children = [ | ||
| benchmark.rbi_itf_nbfc_v2017_is_audit_5_2, | ||
| control.application_gateway_waf_enabled, | ||
| control.compute_vm_remote_access_restricted_all_ports, | ||
| control.compute_vm_tcp_udp_access_restricted_internet, | ||
| control.cosmosdb_account_with_firewall_rules, | ||
| control.frontdoor_waf_enabled, | ||
| control.network_interface_ip_forwarding_disabled, | ||
| control.network_security_group_subnet_associated, | ||
| control.network_sg_flowlog_enabled, | ||
| control.network_watcher_flow_log_enabled | ||
| ] | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017_is_audit_5_2" { | ||
| title = "Policy for Information System Audit (IS Audit)-5.2" | ||
| children = [ | ||
| control.mariadb_server_geo_redundant_backup_enabled, | ||
| control.mysql_db_server_geo_redundant_backup_enabled, | ||
| control.postgres_db_server_geo_redundant_backup_enabled | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| benchmark "rbi_itf_nbfc_v2017_it_governance" { | ||
| title = "IT Governance" | ||
| children = [ | ||
| benchmark.rbi_itf_nbfc_v2017_it_governance_1 | ||
| ] | ||
|
|
||
| tags = local.rbi_itf_nbfc_v2017_common_tags | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017_it_governance_1" { | ||
| title = "IT Governance-1" | ||
| children = [ | ||
| benchmark.rbi_itf_nbfc_v2017_it_governance_1_1, | ||
| control.compute_vm_system_updates_installed, | ||
| control.compute_vm_vulnerability_assessment_solution_enabled, | ||
| control.kubernetes_cluster_upgraded_with_non_vulnerable_version, | ||
| control.mssql_managed_instance_vulnerability_assessment_enabled, | ||
| control.securitycenter_email_configured, | ||
| control.securitycenter_notify_alerts_configured, | ||
| control.securitycenter_security_alerts_to_owner_enabled, | ||
| control.sql_database_vulnerability_findings_resolved, | ||
| control.sql_server_and_databases_va_enabled | ||
| ] | ||
| } | ||
|
|
||
| benchmark "rbi_itf_nbfc_v2017_it_governance_1_1" { | ||
| title = "IT Governance-1.1" | ||
| children = [ | ||
| control.compute_vm_jit_access_protected, | ||
| control.network_interface_ip_forwarding_disabled, | ||
| control.network_security_group_remote_access_restricted | ||
| ] | ||
| } |
Oops, something went wrong.