Major Points of IT Guidelines of Nepal Rastra Bank
- IT Governance
- Information Security
- Information Security Education
- Information Disclosure and grievance handling
- Outsourcing management
- IT Operations
- Information system acquisition, development and implementation
- Business continuity and disaster recovery planning
- IS Audit
- Fraud Management
IT Governance
IT has been adopted by most commercial banks to some degree, from branch automation to providing alternate delivery channels. This pervasive nature of IT has increased the challenges of governing it. Since IT is critical in supporting and enabling business goals and is strategic for business growth, due diligence on its governance is essential. IT governance is a continuous process in which IT strategy drives the process using the necessary resources. In this context, NRB expects commercial banks to follow the guidelines below.
- Banks should have a board-approved IT strategy and IT policy, and the IT policy should be reviewed at least annually. The IT strategy can be long term and short term, and the long-term strategy should be mapped to the short-term strategy periodically. There should be detailed operational procedures and guidelines to manage all IT operations.
- The organizational structure for IT should be commensurate with the size, scale and nature of the business activities carried out by the bank and may differ from bank to bank. Broadly, the organizational structure consists of Development, Technology, IT Operations and Information Assurance.
- Banks should assess the expertise required to successfully carry out the required IT functions. Periodic IT training requirements for IT personnel should be assessed according to the IT functions of the bank.
- Banks should have a system for monitoring and measuring the performance of IT functions, and the results should be reported to the appropriate level of management.
- IT-related risk should also be covered in the bank's risk management policy or operational risk policy, and the policy should cover all e-banking activities and supplier activities as well. Periodic updating of risk management is essential.
- Banks are encouraged to implement international IT control frameworks such as COBIT as applicable to their IT environment.
- The board should be adequately aware of the IT resources of the bank and ensure that they are sufficient to meet the business requirements.
- Banks should designate a senior official of the bank as Information Security Officer (ISO), who will be responsible for enforcing the information security policy of the bank. The ISO will also be responsible for coordinating and communicating security-related issues within the organization and with relevant external organizations.
- Banks need to carry out a detailed risk analysis before adopting a new technology or system, since it can potentially introduce new risk exposure. The new technology or system should be assessed as part of the product approval process, which incorporates security-related issues and regulatory requirements. The new technology or system should, among other things, have fulfilled security-related aspects and regulatory and legal aspects, employ industry-standard controls or compensating controls, and be tested to ensure that its security issues are addressed.
- Banks should have a process in place to identify and adequately address the legal risk arising from the cyber law and electronic transaction-related laws and acts of Nepal.