# RBI Cybersecurity Framework

## RBI Cyber Security Framework for Banks

In 2016, the Reserve Bank of India (RBI) introduced a Cybersecurity Framework to strengthen the security posture of banks operating in India. [Annex 1](https://rbidocs.rbi.org.in/rdocs/content/pdfs/CSFB020616_AN1.pdf) of this framework outlines a minimum baseline for cybersecurity and resilience that banks must implement to safeguard their networks, systems, and customer data.

Endpoint Central provides a comprehensive suite of security and compliance capabilities that help banks align with these regulatory requirements. From device management and access control to threat detection and incident response, Endpoint Central enables banks to strengthen security, mitigate risk, and demonstrate regulatory compliance.

### How does Endpoint Central help?

| Requirement | Sl No | Requirement Description (in Annex 1) | How Endpoint Central fulfills it |
|---|---|---|---|
| Inventory Management of Business IT Assets | 1.1 | Maintain an up-to-date inventory of Assets, including business data/information including customer data/information, business applications, supporting IT infrastructure and facilities — hardware/software/network devices, key personnel, services, etc. indicating their business criticality. The banks may have their own framework/criteria for identifying critical assets. | Obtain extensive hardware and software insights about laptops, desktops and mobile devices from Endpoint Central's [Inventory management](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/asset_management_setup.html) and reporting. Endpoint Central's [Custom Group](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/creating_custom_groups.html) feature lets admins logically segregate systems so that they can be managed and secured effectively. By [integrating](https://www.manageengine.com/products/desktop-central/servicedesk-plus-integration.html) with the ServiceDesk Plus (SDP) helpdesk solution, a criticality level can be assigned to each device. |
| Inventory Management of Business IT Assets | 1.2 | Classify data/information based on information classification/sensitivity criteria of the bank | Endpoint Central enables IT admins to [discover and classify](https://www.manageengine.com/endpoint-dlp/data-classification.html) structured as well as unstructured data using mechanisms such as fingerprinting, regular expressions (RegEx), file-extension filters, and keyword search. |
| Inventory Management of Business IT Assets | 1.3 | Appropriately manage and provide protection within and outside organisation borders/network taking into consideration how the data/information are stored, transmitted, processed, accessed and put to use within/outside the bank's network, and level of risk they are exposed to depending on the sensitivity of the data/information. | Endpoint Central uses [FIPS 140-2 compliant](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/fips-compliance.html) algorithms, and users can enable FIPS mode to run their IT environment in a hardened configuration. Remote troubleshooting sessions are protected with 256-bit Advanced Encryption Standard (AES) encryption. |
| Preventing execution of unauthorised software | 2.1 | Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing allowlisting of authorised applications / software/libraries, etc. | Admins can [prohibit users](https://www.manageengine.com/products/desktop-central/help/inventory/configure_prohibited_software.html) from installing unnecessary software and can maintain lists of software that is [allowed or blocked](https://www.manageengine.com/application-control/allowlisting-vs-blocklisting.html) in their IT environment. |
| Preventing execution of unauthorised software | 2.2 | Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications on such devices/systems. | Endpoint Central's [software deployment](https://www.manageengine.com/products/desktop-central/software-installation.html) feature can be used to install or uninstall software applications from a central console. Endpoint Central also has a [Self-Service Portal](https://www.manageengine.com/products/desktop-central/help/software_installation/self_service_portal.html), where end-users can directly download the software applications provisioned to them by IT administrators. With its Application Control module, admins can allowlist or blocklist software applications. Additionally, [prohibit software](https://www.manageengine.com/products/desktop-central/help/inventory/configure_prohibited_software.html) can stop unnecessary software from being installed in the network. For mobile devices, admins can use the MDM capability for [blocklisting applications](https://www.manageengine.com/mobile-device-management/help/app_management/mdm_app_blacklist.html). |
| Preventing execution of unauthorised software | 2.3 | Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-In and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. If a patch/series of patches is/are released by the OEM/manufacturer/vendor for protection against well-known/well publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process. | Patch information is collected from vendor sites, analysed thoroughly, and fed into a patch database that is then synchronized with the Endpoint Central server. The [automated patch deployment](https://www.manageengine.com/patch-management/help/automate-patch-deployment-task.html) feature automates the entire patch management process: synchronizing the vulnerability database, scanning all machines in the network to detect missing patches, deploying the missing patches, and providing periodic updates on patch deployment status. Zero-day vulnerabilities can also be patched using this feature, and patches can be automatically tested and approved in a test bed before being rolled out to business-critical environments. |
| Preventing execution of unauthorised software | 2.4 | Have a clearly defined framework including requirements justifying the exception(s), duration of exception(s), process of granting exceptions, and authority for approving, authority for review of exceptions granted on a periodic basis by officer(s) preferably at senior levels who are well equipped to understand the business and technical context of the exception(s) | Endpoint Central applies the principle of least privilege and offers robust [endpoint privilege management](https://www.manageengine.com/application-control/endpoint-privilege-management.html), enabling application-specific privilege control and [just-in-time access](https://www.manageengine.com/products/desktop-central/help/jit-access.html). With its Application Control module, admins can [allowlist or blocklist software applications](https://www.manageengine.com/application-control/allowlisting-vs-blocklisting.html). Additionally, [prohibit software](https://www.manageengine.com/products/desktop-central/help/inventory/configure_prohibited_software.html) can stop unnecessary software from being installed in the network. |
| Network Management and Security | 4.2 | Maintain an up-to-date/centralised inventory of authorised devices connected to bank's network (within/outside bank's premises) and authorised devices enabling the bank's network. The bank may consider implementing solutions to automate network discovery and management. | Obtain extensive hardware and software insights about laptops, desktops and mobile devices from Endpoint Central's Inventory management and reporting. |
| Network Management and Security | 4.3 | Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security. | Endpoint Central helps admins [configure Windows Firewall](https://www.manageengine.com/products/desktop-central/help/computer_configuration/configuring_windows_xp_firewall.html). SecOps teams can perform a [port audit](https://www.manageengine.com/vulnerability-management/audit-ports-in-use.html) to reduce the attack surface. Endpoint Central enables secure browsing by enforcing [threat protection configurations](https://www.manageengine.com/browser-security/help/threat-prevention-browser-configurations.html). It can [restrict downloads](https://www.manageengine.com/browser-security/download-restriction.html) from malicious websites and supports [hardening web servers](https://www.manageengine.com/vulnerability-management/help/how-to-harden-and-secure-web-servers.html) and fixing [security misconfigurations](https://www.manageengine.com/vulnerability-management/misconfiguration/). |
| Network Management and Security | 4.5 | Have mechanisms to identify authorised hardware / mobile devices like Laptops, mobile phones, tablets, etc. and ensure that they are provided connectivity only when they meet the security requirements prescribed by the bank. | Endpoint Central's [system quarantine policy](https://www.manageengine.com/products/desktop-central/help/vulnerability-remediation/quarantine-compliance.html) helps organizations proactively manage system compliance, reduce vulnerabilities, and enhance overall security posture. |
| Network Management and Security | 4.6 | Have mechanism to automatically identify unauthorised device connections to the bank's network and block such connections. | Endpoint Central's [Conditional Access policies](https://www.manageengine.com/mobile-device-management/help/profile_management/mdm_conditional_access.html) prevent unauthorized access. It also supports [certificate-based authentication](https://www.manageengine.com/mobile-device-management/help/profile_management/windows/mdm_windows_scep.html#config). |
| Network Management and Security | 4.7 | Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints. | Endpoint Central can [alert](https://www.manageengine.com/products/desktop-central/help/inventory/configure_email_alerts_for_inventory.html) IT admins about suspicious activities such as hardware changes, software installations/uninstallations, prohibited software installations, disk space issues, and software usage after license expiry. |
| Secure Configuration | 5.1 | Document and apply baseline security requirements/configurations to all categories of devices (end-points/workstations, mobile devices, operating systems, databases, applications, network devices, security devices, security systems, etc.), throughout the lifecycle (from conception to deployment) and carry out reviews periodically. | Endpoint Central provides [Configurations](https://www.manageengine.com/products/desktop-central/help/configurations.html) (or [Profiles](https://www.manageengine.com/mobile-device-management/help/profile_management/mdm_profile_management.html) for mobile devices) for enforcing security policies. Customizable [firewall rules](https://www.manageengine.com/products/desktop-central/help/computer_configuration/configuring_windows_xp_firewall.html) are supported. Patch management covers major OSs, drivers, and over [850 third-party applications](https://www.manageengine.com/patch-management/third-party-applications-patch-management.html). [Geo-tracking](https://www.manageengine.com/mobile-device-management/help/security_management/location_tracking.html) helps locate lost devices. Device lockdown and Browser Security features protect enterprise data from phishing, credential theft, and data leakage. |
| Secure Configuration | 5.2 | Periodically evaluate critical device (such as firewall, network switches, security devices, etc.) configurations and patch levels for all systems in the bank's network including in Data Centres, in third party hosted sites, shared-infrastructure locations | Endpoint Central periodically scans network assets to identify vulnerable systems and applications, and to report firewall status, antivirus status, and FileVault/BitLocker status. The scan frequency is configurable. |
| Application Security Life Cycle (ASLC) | 6.8 | Consider implementing measures such as installing containerized apps on mobile/smart phones for exclusive business use that is encrypted and separated from other smartphone data/applications; measures to initiate a remote wipe on the containerized app, rendering the data unreadable, in case of requirement may also be considered. | Corporate data can be containerized using Endpoint Central, including the ability to block clipboard access. Policies and grouping based on device ownership (BYOD and COPE) can be configured. A [corporate wipe](https://www.manageengine.com/mobile-device-management/help/security_management/mdm_security_management.html#wipe) for BYOD devices and a complete wipe for corporate-owned devices are supported during de-enrollment. Geo-fencing enables location-based access management. |
| Patch/Vulnerability and Change Management | 7.1 | Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure. | Endpoint Central's patch management supports Windows, Mac, Linux, and over [850 third-party applications](https://www.manageengine.com/patch-management/supported-applications.html), including driver updates. It performs periodic scanning to identify vulnerable systems and applications. The Automate Patch Deployment feature enables automatic patching with customizable deployment policies. |
| Patch/Vulnerability and Change Management | 7.2 | Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running at end-user devices directly connected to the internet and in respect of Server operating Systems/Databases/Applications/Middleware, etc. | Endpoint Central's patch management supports Windows, Mac, Linux, and over [850 third-party applications](https://www.manageengine.com/patch-management/supported-applications.html), including driver updates. It performs periodic scanning to identify vulnerable systems and applications. The Automate Patch Deployment feature enables automatic patching with customizable deployment policies. |
| Patch/Vulnerability and Change Management | 7.3 | Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes, configuration baseline that ensure integrity of any changes thereto | Endpoint Central's pre-built Configurations and Collections support configuration baselining. Newly enrolled devices are automatically baselined according to their OU or group, and the baseline can be re-enforced at every startup. |
| Patch/Vulnerability and Change Management | 7.6 | As a threat mitigation strategy, identify the root cause of incident and apply necessary patches to plug the vulnerabilities. | Endpoint Central helps patch Windows, Linux and Mac servers, 850+ third-party applications, BIOS, and hardware drivers. |
| User Access Control / Management | 8.1 | Provide secure access to the bank's assets/services from within/outside bank's network by protecting data/information at rest (e.g. using encryption, if supported by the device) and in-transit (e.g. using technologies such as VPN or other secure web protocols, etc.) | Endpoint Central enables encryption management through [BitLocker](https://www.manageengine.com/products/desktop-central/bitlocker-management.html) for Windows and FileVault for Mac devices. |
| User Access Control / Management | 8.3 | Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need to know basis and for specific duration when it is required following an established process. | Endpoint Central provides [Conditional Access policies](https://www.manageengine.com/mobile-device-management/help/profile_management/mdm_conditional_access.html), [endpoint privilege management](https://www.manageengine.com/application-control/endpoint-privilege-management.html), and [just-in-time access](https://www.manageengine.com/products/desktop-central/help/jit-access.html). |
| User Access Control / Management | 8.6 | Implement controls to minimize invalid logon counts, deactivate dormant accounts. | Endpoint Central provides AD user reports covering unused, inactive, disabled, and expired accounts. It also offers [user logon reports](https://www.manageengine.com/products/desktop-central/help/reports/user_logon_tracking_reports.html) to monitor logon history. |
| User Access Control / Management | 8.7 | Monitor any abnormal change in pattern of logon. | Endpoint Central provides AD user reports covering unused, inactive, disabled, and expired accounts. It also offers [user logon reports](https://www.manageengine.com/products/desktop-central/help/reports/user_logon_tracking_reports.html) to monitor logon history. |
| User Access Control / Management | 8.8 | Implement measures to control installation of software on PCs/laptops, etc. | A dedicated software management module is available to install and uninstall software. Admins can define allowed and blocked software, and prohibited software can be uninstalled automatically. Untrusted or unknown executables can be blocked using the Block Executable feature. |
| User Access Control / Management | 8.9 | Implement controls for remote management/wiping/locking of mobile devices including laptops, etc. | Remote administration, remote lock, and remote wipe of mobile devices can be performed using Endpoint Central. |
| User Access Control / Management | 8.10 | Implement measures to control use of VBA/macros in office documents, control permissible attachment types in email systems. | Endpoint Central's custom script configuration can disable macros where they are not required. It also offers [DLP for Outlook](https://www.manageengine.com/endpoint-dlp/email-security-and-outlook.html) to prevent data leakage via email. |
| Removable Media | 12.1 | Define and implement policy for restriction and secure use of removable media/BYOD on various types/categories of devices including workstations/PCs/Laptops/Mobile devices/servers, etc. and secure erasure of data on such media after use. | Endpoint Central's [Secure USB](https://www.manageengine.com/products/desktop-central/help/computer_configuration/securing_usb_devices.html) allows administrators to restrict or allow USB usage at the computer or user level. The [Device Control](https://www.manageengine.com/products/desktop-central/help/device-control/create-dc-policy.html) module enables trusted device policies. The [Next-Gen Antivirus](https://www.manageengine.com/products/desktop-central/help/edr/next-gen-antivirus.html) scans peripheral devices upon access. USB usage can be blocked by default with flexible exceptions. |
| Removable Media | 12.2 | Limit media types and information that could be transferred/copied to/from such devices. | Endpoint Central's [Secure USB](https://www.manageengine.com/products/desktop-central/help/computer_configuration/securing_usb_devices.html) allows administrators to restrict or allow USB usage at the computer or user level. The [Device Control](https://www.manageengine.com/products/desktop-central/help/device-control/create-dc-policy.html) module enables trusted device policies. The [Next-Gen Antivirus](https://www.manageengine.com/products/desktop-central/help/edr/next-gen-antivirus.html) scans peripheral devices upon access. USB usage can be blocked by default with flexible exceptions. |
| Removable Media | 12.3 | Get the removable media scanned for malware/anti-virus prior to providing read/write access. | Endpoint Central's [Secure USB](https://www.manageengine.com/products/desktop-central/help/computer_configuration/securing_usb_devices.html) allows administrators to restrict or allow USB usage at the computer or user level. The [Device Control](https://www.manageengine.com/products/desktop-central/help/device-control/create-dc-policy.html) module enables trusted device policies. The [Next-Gen Antivirus](https://www.manageengine.com/products/desktop-central/help/edr/next-gen-antivirus.html) scans peripheral devices upon access. USB usage can be blocked by default with flexible exceptions. |
| Removable Media | 12.4 | Consider implementing centralized policies through Active Directory or Endpoint management systems to whitelist/blacklist/restrict removable media use. | Endpoint Central's [Secure USB](https://www.manageengine.com/products/desktop-central/help/computer_configuration/securing_usb_devices.html) allows administrators to restrict or allow USB usage at the computer or user level. The [Device Control](https://www.manageengine.com/products/desktop-central/help/device-control/create-dc-policy.html) module enables trusted device policies. The [Next-Gen Antivirus](https://www.manageengine.com/products/desktop-central/help/edr/next-gen-antivirus.html) scans peripheral devices upon access. USB usage can be blocked by default with flexible exceptions. |
| Removable Media | 12.5 | As default rule, use of removable devices and media should not be permitted in the banking environment unless specifically authorized for defined use and duration of use. | Endpoint Central's [Secure USB](https://www.manageengine.com/products/desktop-central/help/computer_configuration/securing_usb_devices.html) allows administrators to restrict or allow USB usage at the computer or user level. The [Device Control](https://www.manageengine.com/products/desktop-central/help/device-control/create-dc-policy.html) module enables trusted device policies. The [Next-Gen Antivirus](https://www.manageengine.com/products/desktop-central/help/edr/next-gen-antivirus.html) scans peripheral devices upon access. USB usage can be blocked by default with flexible exceptions. |
| Advanced Real-time Threat Defence and Management | 13.2 | Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices; endpoints, servers, gateways, wireless networks, SMS servers etc., including tools and processes for centralised management and monitoring. | Endpoint Central includes a built-in [next-gen antivirus engine](https://www.manageengine.com/products/desktop-central/help/edr/next-gen-antivirus.html) with AI-assisted real-time detection and deep learning. It performs incident forensics, quarantines suspicious endpoints, and provides instant, non-erasable backups using Microsoft's Volume Shadow Copy Service. Infected files can be restored from recent backups. |
| Advanced Real-time Threat Defence and Management | 13.3 | Consider implementing whitelisting of internet websites/systems. | Using the Browser Security Plus add-on, IT admins can implement URL whitelisting and blacklisting. |
| Data Leak prevention strategy | 15.1 | Develop a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential) business and customer data/information. | Endpoint Central offers [advanced data leakage prevention capabilities](https://www.manageengine.com/endpoint-dlp/), enabling detection and classification of PII. It controls data transfers via cloud services and peripheral devices, and supports trusted device lists, file tracing, and file shadowing for sensitive data. |
| Data Leak prevention strategy | 15.2 | Protect data processed in endpoint devices, in transmission, and stored in servers and digital stores, whether online or offline. | Endpoint Central offers [advanced data leakage prevention capabilities](https://www.manageengine.com/endpoint-dlp/), enabling detection and classification of PII. It controls data transfers via cloud services and peripheral devices, and supports trusted device lists, file tracing, and file shadowing for sensitive data. |
| Audit Log settings | 17.1 | Implement and periodically validate settings for capturing appropriate logs/audit trails of each device, system software and application software, ensuring logs include minimum information such as date, timestamp, source and destination addresses, and other useful elements. | Hardware and software changes are logged with timestamp, date, USB device name, and username for audit purposes. Alerts can also be sent via email for immediate action. |
| Incident Response & Management | 19.4 | Bank's BCP/DR capabilities shall support cyber resilience objectives and enable rapid recovery from cyber-attacks while ensuring security of processes and data. | Endpoint Central provides an [instant, non-erasable backup](https://www.manageengine.com/products/desktop-central/anti-ransomware.html) every three hours using Microsoft's Volume Shadow Copy Service. Infected files can be restored from the most recent backup. |
| Metrics | 21.2 | Illustrative metrics include anti-malware coverage and update percentage, patch latency, user awareness training, vulnerability metrics, etc. | Endpoint Central provides comprehensive, interactive insights and reports to analyze device data and track critical updates, installation statuses, failed updates, vulnerability database updates, and more. |