- RBI's Cyber Security Framework for Banks has 8 broad control domains; this checklist maps each to specific monitoring controls
- Most BFSI customers miss the same three controls — privileged-access logging, DLP alert review evidence, and incident-response tabletop documentation
- Audit evidence requirements: what to keep, where, for how long, and which RBI inspector will ask for it
- Realistic implementation effort per control — from 1 day to 12 weeks
The RBI Cyber Security Framework for Banks (June 2016, updated guidance issued since) sets the baseline for Indian banks, NBFCs, payment system operators, and increasingly small finance banks and cooperative banks. This checklist maps each requirement to a specific implementation, the audit evidence inspectors look for, and realistic effort.
Domain 1: Cyber security policy
Requirement: Board-approved cyber-security policy with annual review.
What you need:
- Policy document signed by the board chair
- Last annual review minutes
- Acceptable Use Policy referenced by the cyber-policy (template: our IT AUP guide)
Audit evidence: board-meeting extract + signed policy version history.
Domain 2: Cyber security organisation
Requirement: Designated CISO reporting outside the IT function.
What you need:
- CISO appointment letter with reporting line to risk committee or CRO, not CIO
- CISO mandate document
- Segregation of duties between CISO function and IT operations
Domain 3: Inventory and classification
Requirement: Inventory of all IT assets with risk classification.
What you need:
- Asset register (servers, endpoints, applications, data stores)
- Data classification — Public, Internal, Confidential, Restricted at minimum
- Critical-asset list with owner and recovery objectives
Audit evidence: latest asset register export with timestamp. Inspectors will sample-check by asking for the classification of specific data stores.
Domain 4: Network security
Requirement: Network segmentation, firewall rule reviews, IDS/IPS coverage.
What you need:
- Network architecture diagram with security zones
- Firewall rule review log (quarterly review minimum)
- IDS/IPS alert handling SLA documentation
- VPN and remote-access controls for WFH workforce
Domain 5: Endpoint security
Requirement: EDR / endpoint protection, USB control, DLP, privileged-access controls.
This is the domain where monitoring tools intersect most. Specific requirements:
| Control | Implementation | Audit evidence |
|---|---|---|
| Endpoint malware protection | EDR on all endpoints | Coverage report ≥99% |
| USB device control | USB write block + whitelist + content inspection (see our USB control guide) | Device whitelist register; USB event logs (1 year) |
| Endpoint DLP | Rules for PAN, Aadhaar, account numbers, customer data (see our fintech DLP rules) | Alert log with disposition; tuning history |
| Activity monitoring | Screenshot, application, website monitoring with consent | Sample reports; consent registry |
| Privileged-access logging | All admin actions logged with immutable storage | 1-year audit log retention |
Domain 6: Application security
Requirement: Secure SDLC, vulnerability scanning, penetration testing.
What you need:
- Documented SDLC with security gates
- SAST/DAST scan reports for production applications
- Annual penetration test by an external firm
- Remediation tracking for findings
Domain 7: Incident response
Requirement: Documented incident response playbook with regular tabletop exercises.
What you need:
- Incident response playbook covering: detection, containment, eradication, recovery, lessons learned
- Tabletop exercise records (at least annual; quarterly for larger banks)
- Breach-notification timing aligned with both RBI and DPDP Act (72 hours)
- Forensic-evidence preservation procedures
Audit evidence: playbook version history + tabletop exercise minutes + any actual incident timelines.
Domain 8: Continuous monitoring and reporting
Requirement: SOC operating 24×7 (for larger banks) with documented alert-handling.
What you need:
- SOC operating hours documentation
- Alert categorisation (P1, P2, P3) with SLAs per category
- Monthly SOC report to CISO and quarterly to risk committee
- Cyber-incident reporting to RBI within 2-6 hours of detection per RBI advisory
The three commonly missed controls
Across 30+ RBI audits we have helped customers prepare for, three findings appear repeatedly:
- Privileged-access logging without immutable storage. Admin actions are logged but to a system the same admins can edit. RBI inspectors are increasingly explicit that logs must be immutable (write-once or append-only) for audit defensibility.
- DLP alerts without dispositions. Alerts fire, get acknowledged, no investigation record. Each alert needs: who reviewed, when, what they concluded, action taken. "Auto-closed" is not a disposition.
- Tabletop exercises that exist on paper only. Documenting "we did a tabletop in March" without attendee names, scenario script, and lessons-learned write-up is treated as no exercise at all.
Implementation effort estimates
For a mid-size bank or NBFC with 500-2,000 endpoints starting near zero:
| Control area | Realistic effort to ready state |
|---|---|
| Policy and governance | 4-6 weeks (legal review is the bottleneck) |
| Asset inventory and classification | 6-12 weeks (depending on starting hygiene) |
| Endpoint DLP and USB control | 4-8 weeks (vendor selection + deployment + tuning) |
| Network segmentation | 12-24 weeks (architecture-heavy) |
| Privileged access controls | 6-10 weeks (process + tool) |
| Incident response programme | 4-8 weeks (playbook + first tabletop) |
| SOC operations | 8-16 weeks (people + tooling + runbooks) |
Critical-path sequence: policy → asset inventory → endpoint controls → SOC → incident response. Network segmentation runs in parallel as a separate workstream.
FAQ
Does the framework apply to NBFCs?
Yes, with risk-tiered application. RBI has issued specific guidance for NBFC-MFIs, NBFC-IFCs, and HFCs. The principles are identical; the depth of implementation scales with the entity's size and systemic importance.
How does this overlap with DPDP Act compliance?
Significantly. The DPDP Act adds consent and rights workflows on top of the cyber-security controls. Most controls (encryption, access management, breach response) satisfy both frameworks. See our DPDP Act guide.
What is the typical first audit finding for banks newly deployed against this framework?
The two most common findings: (1) "DLP control exists but evidence of effectiveness is insufficient" — solve by keeping disposition records on every alert. (2) "Privileged-access logs lack immutability" — solve by sending logs to a write-once store (S3 Object Lock, dedicated SIEM bucket).
How does Headx help with this checklist?
Headx covers Domain 5 (endpoint security: DLP, USB control, activity monitoring, privileged-access logging) and contributes to Domain 8 (continuous monitoring via SOC integration). See our integrations page for SIEM forwarders.
Want to put this into practice?
Headx ships every capability mentioned in this post on every plan. Cloud (SaaS) at ₹1,900/PC/mo or On-Premise at ₹1,499/PC/mo. 30-day money-back guarantee.
Get Started