RBI Cybersecurity Framework

RBI Cyber Security Framework for Banks:

In 2016, the Reserve Bank of India (RBI) introduced a Cybersecurity Framework to strengthen the security posture of banks operating in India. Annex 1 of this framework outlines a minimum baseline for cybersecurity and resilience that banks must implement to safeguard their networks, systems, and customer data.

Endpoint Central provides a comprehensive suite of security and compliance solutions that help banks align with these regulatory requirements. From device management and access control to threat detection and incident response, Endpoint Central enables banks to enhance security, mitigate risks, and ensure regulatory compliance.

How does Endpoint Central help?

Requirement Sl. No. | Requirement description (from Annex 1) | How Endpoint Central fulfills it

Inventory Management of Business IT Assets

1.1

Maintain an up-to-date inventory of Assets, including business data/information including customer data/information, business applications, supporting IT infrastructure and facilities – hardware/software/network devices, key personnel, services, etc. indicating their business criticality. The banks may have their own framework/criteria for identifying critical assets.

Obtain extensive hardware and software insights about laptops, desktops and mobile devices from Endpoint Central's Inventory management and reporting.

Endpoint Central's Custom Group feature lets admins group systems logically, as they see fit (by department, location or function, for example), so that each group can be managed and secured as a unit.

By integrating with ServiceDesk Plus (SDP), the helpdesk solution, business criticality can be assigned to devices.

1.2

Classify data/information based on information classification/sensitivity criteria of the bank

Endpoint Central enables IT admins to discover and classify structured and unstructured data using mechanisms such as fingerprinting, regular expressions, file-extension filters and keyword search.

1.3

Appropriately manage and provide protection within and outside organisation borders/network taking into consideration how the data/information are stored, transmitted, processed, accessed and put to use within/outside the bank’s network, and level of risk they are exposed to depending on the sensitivity of the data/information.

Endpoint Central uses FIPS 140-2 compliant cryptographic algorithms, and FIPS mode can be enabled to restrict the product to those algorithms. Remote troubleshooting sessions are protected with AES-256 encryption. These controls protect data handled by Endpoint Central itself; protection of data in the bank's other systems and channels has to be addressed by those systems.

Preventing execution of unauthorised software

 2.1

Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing allowlisting of authorised applications / software/libraries, etc

Admins can prohibit users from installing unnecessary software and can maintain lists of software that is allowed or blocked in their IT environment.

 2.2

Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications on such devices/systems.

Endpoint Central's software deployment feature can be leveraged to install/uninstall software applications from a central console. 

Endpoint Central also has a Self-Service Portal, where end-users can directly download the software applications provisioned to them by the IT administrators. 

With its Application Control module, admins can allowlist or blocklist software applications.

Additionally, the Prohibit Software feature can stop unnecessary software from being installed in the network.

For mobile devices, admins can leverage our MDM capability for blocklisting applications.  

 2.3

Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-In and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. If a patch/series of patches is/are released by the OEM/manufacturer/vendor for protection against well-known/well-publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process.

Patch information is collected from vendor sites, analysed, and fed into a central patch database, which is then synchronized with the Endpoint Central server.

The Automated Patch Deployment feature automates the whole patch management cycle: synchronizing the vulnerability database, scanning all machines in the network for missing patches, deploying the missing patches, and reporting periodically on deployment status. Patches released for actively exploited (zero-day) vulnerabilities can be pushed through the same pipeline as soon as the vendor makes them available. Patches can be automatically tested and approved in a test group before being rolled out to business-critical systems.

 2.4

Have a clearly defined framework including requirements justifying the exception(s), duration of exception(s), process of granting exceptions, and authority for approving, authority for review of exceptions granted on a periodic basis by officer(s) preferably at senior levels who are well equipped to understand the business and technical context of the exception(s)

Endpoint Central applies the principle of least privilege through its endpoint privilege management capability, which offers application-specific privilege control and just-in-time access. With its Application Control module, admins can allowlist or blocklist software applications, and the Prohibit Software feature can stop unnecessary software from being installed in the network. The approval and periodic review workflow for exceptions remains a process the bank must define; these features enforce the technical scope and duration of an exception once it has been granted.

Network Management and Security

4.2

Maintain an up-to-date/centralised inventory of authorised devices connected to bank’s network (within/outside bank’s premises) and authorised devices enabling the bank’s network. The bank may consider implementing solutions to automate network discovery and management.

Extensive hardware and software insights about laptops, desktops and mobile devices can be obtained from Endpoint Central's inventory management and reporting.

4.3

Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security.

Endpoint Central lets admins configure Windows Firewall rules on end-user systems.

SecOps teams can audit open ports across the environment and close the ones that are not needed, which substantially reduces the attack surface available to a zero-day exploit.

Endpoint Central enables secure browsing by letting admins enforce browser threat-protection settings.

End users can be blocked or restricted from accessing malicious websites or downloading files (which might contain malware) from them.

It also has provisions for hardening web servers and fixing security misconfigurations.
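The port audit described above, as an added example that is not Endpoint Central's own code: it lists every non-loopback TCP listener on a Windows system with its owning process, compares the ports against an allowlist, and generates Windows Firewall block rules for anything unexpected. The allowlist is a constructed assumption and must be replaced with the bank's approved-services baseline for the device role; the rule name prefix is also an assumption.

```powershell
# Added example (not Endpoint Central code): audit listening TCP ports against an
# allowlist and create Windows Firewall block rules for anything unexpected.
# $AllowedListeners is a constructed assumption; replace it with the approved
# baseline for the device role. Requires Windows 8 / Server 2012 or later.

$AllowedListeners = @{
    135  = 'RPC endpoint mapper'
    445  = 'SMB (file and print)'
    3389 = 'RDP (jump hosts only)'
    5985 = 'WinRM over HTTP'
}

function Get-UnexpectedListeners {
    param([hashtable]$Allowed = $AllowedListeners)

    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port        = [int]$_.LocalPort
                Address     = $_.LocalAddress
                ProcessId   = $_.OwningProcess
                ProcessName = if ($proc) { $proc.ProcessName } else { 'unknown' }
                # Cast to [int] so the lookup matches the int keys in the hashtable.
                Approved    = $Allowed.ContainsKey([int]$_.LocalPort)
            }
        } |
        Sort-Object Port -Unique
}

function Block-UnexpectedListeners {
    param([switch]$WhatIf)
    Get-UnexpectedListeners | Where-Object { -not $_.Approved } | ForEach-Object {
        # Rule name prefix is an assumption; pick one that your change process recognises.
        $name = "RBI-4.3 block inbound TCP $($_.Port) ($($_.ProcessName))"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            # A Block rule wins over any Allow rule for the same port in Windows Firewall.
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $_.Port -Action Block -Profile Any -WhatIf:$WhatIf
        }
    }
}

# Report first. Run Block-UnexpectedListeners without -WhatIf only after the
# findings have been reviewed, since blocking a port a business service needs is an outage.
Get-UnexpectedListeners | Format-Table -AutoSize
Block-UnexpectedListeners -WhatIf
```

Blocking a port at the host firewall does not stop the process from listening; the finding should also feed the software inventory (requirement 2.1) so the unapproved service is removed or approved rather than just filtered.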

4.5

Have mechanisms to identify authorised hardware / mobile devices like Laptops, mobile phones, tablets, etc. and ensure that they are provided connectivity only when they meet the security requirements prescribed by the bank.

Endpoint Central's system quarantine policy isolates systems that fail the bank's compliance checks until they are remediated, which helps manage compliance proactively, reduce vulnerabilities and improve the overall security posture.

4.6

Have mechanism to automatically identify unauthorised device connections to the bank’s network and block such connections.

Endpoint Central's Conditional Access policies prevent unauthorized access to the organization's devices and applications, and it also supports certificate-based authentication. Note that these controls gate access to managed resources; blocking a rogue device at the network layer is a network-side (NAC) control.

4.7

Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints.

Endpoint Central can alert the IT admin team to suspicious changes inside the managed network, such as hardware changes, software installations and uninstallations, prohibited-software installations, low disk space on end-user systems, software usage after license expiry, and more.

Secure Configuration

 5.1

Document and apply baseline security requirements/configurations to all categories of devices (end-points/workstations, mobile devices, operating systems, databases, applications, network devices, security devices, security systems, etc.), throughout the lifecycle (from conception to deployment) and carry out reviews periodically,

Endpoint Central provides dedicated configurations (profiles, for mobile devices) for security policies that can be applied organisation-wide or only to selected endpoints/users. Firewall rules are also customisable. Patch management covers all major operating systems, drivers and over 850 third-party applications, so vulnerable applications and OSs can be remediated.

Geo-tracking can help in locating lost devices and thereby prevent data loss.

Device lockdown functionality can be achieved with Endpoint Central. 

Browser Security helps in preventing browser based threats and protecting enterprise data from credential thefts, phishing attacks and accidental data leakage.

 5.2

Periodically evaluate critical device (such as firewall, network switches, security devices, etc.) configurations and patch levels for all systems in the bank’s network including in Data Centres, in third party hosted sites, shared-infrastructure locations

Endpoint Central periodically scans the assets in the network to determine vulnerable systems and applications, firewall status, antivirus status and FileVault/BitLocker status. The scan frequency can be configured.

Application Security Life Cycle (ASLC)

 6.8

Consider implementing measures such as installing a “containerized” apps on mobile/smart phones for exclusive business use that is encrypted and separated from other smartphone data/applications; measures to initiate a remote wipe on the containerized app, rendering the data unreadable, in case of requirement may also be considered.

Containerization of corporate data can be achieved using Endpoint Central, with ability to prevent clipboard access.

Policies, restrictions and grouping based on device ownership (BYOD and COPE) can be configured.

During de-enrollment, a corporate wipe (removing only managed data) can be performed on Bring Your Own Devices and a complete wipe on Corporate Owned, Personally Enabled devices.

Geo-fencing can be used to restrict access based on device location.

Patch/Vulnerability and Change Management

 7.1

Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure.

Endpoint Central's patch management deploys patches across every major operating system (Windows, macOS, Linux) and over 850 third-party applications. It also includes driver updates for various components.

Periodic scanning of the IT assets in the network identifies vulnerable systems and applications.

Endpoint Central's Automate Patch Deployment (APD) feature lets system administrators deploy missing patches automatically.

Dedicated deployment policies can be configured per device type, with options to wake devices to apply patches during non-productive hours, to prevent reboots during business hours or on mission-critical devices such as servers, and to shut down after patching.

 7.2

Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running at end-user devices directly connected to the internet and in respect of Server operating Systems/Databases/Applications/Middleware, etc.

 7.3

Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes, configuration baseline that ensure integrity of any changes thereto

Endpoint Central's pre-built Configurations and Collections can be used for configuration baselining of IT assets.

Newly enrolled devices are automatically baselined according to the OU/group they are placed under.

Configurations can be re-applied at every startup so that drift from the baseline is corrected.

 7.6

As a threat mitigation strategy, identify the root cause of incident and apply necessary patches to plug the vulnerabilities.

Once the root cause of an incident has been traced to a vulnerability, Endpoint Central can patch Windows, Linux and macOS servers, 850+ third-party applications, BIOS and hardware drivers.

User Access Control / Management

 8.1

Provide secure access to the bank’s assets/services from within/outside bank’s network by protecting data/information at rest (e.g. using encryption, if supported by the device) and in-transit (e.g. using technologies such as VPN or other secure web protocols, etc.)

Endpoint Central enables administrators to encrypt end-users' devices by managing BitLocker on Windows systems and FileVault on Macs. This addresses the at-rest part of the requirement; data in transit is covered by the bank's VPN and TLS controls.

 8.3

Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need to know basis and for specific duration when it is required following an established process.

Endpoint Central's Conditional Access policies ensure that only authorized users and devices that meet specific conditions can access resources.

Endpoint Central applies the principle of least privilege through its endpoint privilege management capability, which provides application-specific privilege management and just-in-time access, so standing administrative rights can be removed from end-user workstations while approved applications or tasks still run elevated for a limited time.

 8.6

Implement controls to minimize invalid logon counts, deactivate dormant accounts.

Endpoint Central provides comprehensive reports on AD users, including unused, inactive, disabled, expired and password-expired accounts, so that dormant accounts in the network can be identified.

Endpoint Central provides out-of-the-box user logon reports to monitor user logon history.

 8.7

Monitor any abnormal change in pattern of logon.
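The checks behind requirements 8.6 and 8.7, as an added example that is not Endpoint Central's own code: it finds enabled Active Directory accounts that have not logged on within a threshold (treating accounts that have never logged on but were created before the cutoff as dormant too), counts failed logons per account from Security event 4625 on a domain controller, and disables dormant accounts in preview mode. It assumes the RSAT ActiveDirectory module, read access to the domain controller's Security log, and threshold values that are placeholders to be aligned with the bank's policy.

```powershell
# Added example (not Endpoint Central code): dormant-account and failed-logon checks
# for requirements 8.6 and 8.7. Requires the RSAT ActiveDirectory module and read
# access to the Security log on a domain controller. The 90-day and 10-attempt
# thresholds are assumptions; align them with the bank's access policy.

Import-Module ActiveDirectory

function Get-DormantAccounts {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
    # 14 days of lag, so treat the result as "at least this long", not an exact figure.
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated |
        Where-Object {
            # Never logged on but created long enough ago counts as dormant;
            # freshly created accounts are excluded to avoid false positives.
            (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
            ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
        } |
        Select-Object SamAccountName, LastLogonDate, whenCreated,
            @{ n = 'NeverLoggedOn'; e = { -not $_.LastLogonDate } }
}

function Get-FailedLogonCounts {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 10,
        [string]$DomainController = $env:LOGONSERVER.TrimStart('\')
    )
    # Event 4625 = an account failed to log on. Pull the target account from the
    # event XML by name rather than by positional index so the parsing is robust.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'TargetUserName' } |
                Select-Object -ExpandProperty '#text'
        } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

function Disable-DormantAccounts {
    param([int]$InactiveDays = 90, [switch]$WhatIf)
    Get-DormantAccounts -InactiveDays $InactiveDays | ForEach-Object {
        Disable-ADAccount -Identity $_.SamAccountName -WhatIf:$WhatIf
    }
}

Get-DormantAccounts | Format-Table -AutoSize
Get-FailedLogonCounts | Format-Table -AutoSize
# Preview only; rerun without -WhatIf through the bank's change process.
Disable-DormantAccounts -WhatIf
```

A spike in the failed-logon count for one account is the simplest "abnormal change in pattern of logon" to catch; service accounts with a scheduled task holding a stale password produce the same signal, so the report should be triaged rather than acted on blindly.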

 8.8

Implement measures to control installation of software on PCs/laptops, etc.

A dedicated software management module to install/uninstall software is available. Admins can also maintain lists of software that is allowed or blocked in their IT environment.

Leveraging the Prohibit Software feature, admins can prohibit software in the network, and such prohibited software can be uninstalled automatically from devices.

Untrusted or unknown executables can be blocked using the Block Executable feature in Endpoint Central.

 8.9

Implement controls for remote management/wiping/locking of mobile devices including laptops, etc.

Remote administration, remote lock and wipe of mobile devices can be achieved using Endpoint Central.

8.10

Implement measures to control use of VBA/macros in office documents, control permissible attachment types in email systems.

Endpoint Central's custom script configuration can be used to disable macros for users who have no business requirement for them. To prevent data leakage via email, DLP for Outlook is available.
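The kind of script such a configuration would push, as an added example that is not Endpoint Central's own code: it writes the Office policy registry values that disable VBA macros (VBAWarnings = 4) and block macros in files carrying a Mark-of-the-Web, appends extra extensions to Outlook's Level 1 blocked-attachment list via Level1Add, and then verifies the result. It assumes Office 2016/2019/365 (policy version key 16.0), runs in the user's context because these are HKCU policy values, and the attachment-extension list is a constructed example.

```powershell
# Added example (not Endpoint Central code): registry policy to disable VBA macros,
# block macros in downloaded/emailed files, and extend Outlook's blocked-attachment
# list. Office 2016/2019/365 use the 16.0 policy key. $ExtraBlockedAttachments is a
# constructed example; tune it to the bank's attachment policy.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'
$ExtraBlockedAttachments = '.iso;.img;.js;.jse;.vbs;.wsf;.hta'

function Set-MacroPolicy {
    param([string[]]$Applications = $Apps, [string]$Version = $OfficeVersion)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        New-Item -Path $key -Force | Out-Null
        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        # 3 = disable except digitally signed, 4 = disable all without notification.
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        # Block macro execution in files that carry a Mark-of-the-Web (internet or email origin).
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

function Set-OutlookAttachmentBlocks {
    param([string]$Extensions = $ExtraBlockedAttachments, [string]$Version = $OfficeVersion)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\Outlook\Security"
    New-Item -Path $key -Force | Out-Null
    # Level1Add appends a semicolon-separated list to Outlook's built-in Level 1
    # (fully blocked) attachment types without replacing the default list.
    Set-ItemProperty -Path $key -Name Level1Add -Value $Extensions -Type String
}

function Test-MacroPolicy {
    param([string[]]$Applications = $Apps, [string]$Version = $OfficeVersion)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application     = $app
            MacrosDisabled  = ($v.VBAWarnings -eq 4)
            InternetBlocked = ($v.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Set-MacroPolicy
Set-OutlookAttachmentBlocks
Test-MacroPolicy | Format-Table -AutoSize
```

Because these live under HKCU, a user with local administrative rights can change them back; re-applying the script on a schedule limits the window, but the durable fix is the removal of standing admin rights under requirement 8.3.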

Removable Media

12.1

Define and implement policy for restriction and secure use of removable media/BYOD on various types/categories of devices including but not limited to workstations/PCs/Laptops/Mobile devices/servers, etc. and secure erasure of data on such media after use.

Endpoint Central's Secure USB feature lets network administrators selectively limit USB usage by restricting or allowing full use. Restrictions can be set at the computer level or the user level, so policies for USB access can be created and applied by employee role and department. With the Device Control module, admins can define trusted devices so that only those devices are allowed full use. Endpoint Central's next-gen antivirus scans peripheral devices as soon as the user begins to access them. USB devices can be blocked by default across the entire network, with the restriction revoked per user or per device, giving flexibility over USB usage permissions.

12.2

Limit media types and information that could be transferred/copied to/from such devices.

12.3

Get the removable media scanned for malware/anti-virus prior to providing read/write access.

12.4

Consider implementing centralized policies through Active Directory or Endpoint management systems to whitelist/blacklist/restrict removable media use.

12.5

As default rule, use of removable devices and media should not be permitted in the banking environment unless specifically authorized for defined use and duration of use.

Advanced Real-time Threat Defence and Management

13.2

Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices ; (Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralised management and monitoring.

Endpoint Central has a built-in next-gen antivirus engine that proactively detects cyber threats with AI-assisted, real-time behaviour detection and deep learning technology.

Apart from real-time threat detection, Endpoint Central also performs incident forensics so that SecOps can analyze the root cause and severity of threats.

If the next-gen antivirus engine detects suspicious behaviour on an endpoint, it can quarantine that endpoint; after forensic analysis the endpoint can be released back into production.

Endpoint Central also takes a snapshot of the files in your network every three hours using Microsoft's Volume Shadow Copy Service (VSS).

If a file is encrypted by ransomware, it can be restored from the most recent shadow copy. Note that ransomware running with administrative rights commonly deletes shadow copies (for example with vssadmin delete shadows), so this recovery path complements, rather than replaces, off-host backups.

13.3

Consider implementing whitelisting of internet websites/systems.

Using the Browser Security Plus add-on, IT admins can allowlist and blocklist URLs.

Data Leak prevention strategy

15.1

Develop a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential) business and customer data/information.

Endpoint Central offers data leakage prevention capabilities, including the detection and classification of personally identifiable information (PII). It gives administrators control over data flow within the IT environment by letting them configure policies for data transfers through cloud services and peripheral devices.

Its peripheral device management capabilities allow external storage devices to be blocked or restricted, and let admins define a list of trusted devices that end users may use on their endpoints. File tracing can track sensitive files, especially when they are moved to external devices, and file shadowing can keep a copy of sensitive data whenever it is copied to or modified on a peripheral device.

15.2

This shall include protecting data processed in end point devices, data in transmission, as well as data stored in servers and other digital stores, whether online or offline.

Audit Log settings

 17.1

Implement and periodically validate settings for capturing of appropriate logs/audit trails of each device, system software and application software, ensuring that logs include minimum information to uniquely identify the log for example by including a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or event and/or transaction.

Hardware and software additions and removals are logged with the date, timestamp, USB device name and username for audit purposes. These changes can also be sent to the responsible team as an e-mail alert for immediate action. These logs cover endpoint asset-change events; packet-level fields such as source and destination addresses come from network devices and the bank's log management platform.

Incident Response & Management

19.4

Bank’s BCP/DR capabilities shall adequately and effectively support the Bank’s cyber resilience objectives and should be so designed to enable the bank to recover rapidly from cyber-attacks/other incidents and safely resume critical operations aligned with recovery time objectives while ensuring security of processes and data is protected.

Endpoint Central also takes a snapshot of the files in your network every three hours using Microsoft's Volume Shadow Copy Service (VSS).

If a file is encrypted by ransomware, it can be restored from the most recent shadow copy. Since shadow copies live on the affected host, they should sit alongside, not in place of, the off-host backups the bank's BCP/DR plan relies on for recovery-time objectives.

Metrics

 21.2

Some illustrative metrics include coverage of anti-malware software and their updation percentage, patch latency, extent of user awareness training, vulnerability related metrics, etc.

Endpoint Central provides comprehensive, interactive insights and infographics that can be used to comb through large amounts of device data to identify and address vulnerabilities. Additionally, reports cover critical updates, install status, failed updates, vulnerability database updates and more, which map directly to patch-latency and coverage metrics.