RBI Compliance

The following document elaborates on how Endpoint Central can help enterprises achieve certain requirements of RBI compliance.

RBI Cyber Security Framework for Banks:

The Reserve Bank of India has its own set of cyber laws, introduced as a direct consequence of the low entry barriers, constantly evolving nature, resourcefulness, and ever-increasing velocity and scale of attacks. All banks must abide by the requirements set by the central bank in order to operate in India. Endpoint Central can help banks adhere to these guidelines and strengthen their security and resilience. Here is how:

How does Endpoint Central help?

Requirement | Sl No | Requirement Description | How Endpoint Central fulfills it?
Inventory Management of Business IT Assets  1.1

Maintain an up-to-date inventory of Assets, including business data/information including customer data/information, business applications, supporting IT infrastructure and facilities – hardware/software/network devices, key personnel, services, etc. indicating their business criticality. The banks may have their own framework/criteria for identifying critical assets.

Obtain extensive hardware and software insights about laptops, desktops and mobile devices from Endpoint Central's Inventory management and reporting.

By integrating with the helpdesk solution ServiceDesk Plus (SDP), device criticality can be assigned.

Preventing execution of unauthorised software  2.1

Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing whitelisting of authorised applications / software/libraries, etc

Software inventory in Endpoint Central provides application control by prohibiting unwanted/malicious software.

 2.2

Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications on such devices/systems.

Endpoint Central's software management and Self Service Portal features can be leveraged to achieve installation/uninstallation from a central console.

Additionally, the Block Executable and Prohibit Software features can stop unnecessary software from getting installed in the network.

 2.3

Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-in and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. If a patch/series of patches is/are released by the OEM/manufacturer/vendor for protection against well-known/well publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process.

All patch information is collected from vendor sites and fed into the patch database after a thorough analysis; this patch database is then synchronized with the Endpoint Central server.

With the automated patch management feature, the entire patch management process is automated: from synchronizing the vulnerability database and scanning all machines in the network to detect missing patches, to deploying the missing patches and providing periodic updates on patch deployment status. Using this feature, zero-day vulnerabilities can also be patched. Patches can be automatically tested and approved in a test bed before being rolled out to business-critical environments.

 2.4

Have a clearly defined framework including requirements justifying the exception(s), duration of exception(s), process of granting exceptions, and authority for approving, authority for review of exceptions granted on a periodic basis by officer(s) preferably at senior levels who are well equipped to understand the business and technical context of the exception(s)

Endpoint Central provides the ability to prohibit software across the entire network. Global exclusions can be configured for specific groups of users, and application-wise exclusions can also be configured.

Block Executable can be applied to select groups of users or assets.

Secure Configuration  5.1

Document and apply baseline security requirements/configurations to all categories of devices (end-points/workstations, mobile devices, operating systems, databases, applications, network devices, security devices, security systems, etc.), throughout the lifecycle (from conception to deployment) and carry out reviews periodically,

Endpoint Central provides a dedicated configuration for security policies that can be applied organisation-wide or only to select endpoints/users. Firewall rules can also be customised. Patch management, which Endpoint Central covers for all major OSs, drivers and over 250 third-party applications to rectify vulnerable applications or OSs, plays a major role in device security.

Geo-tracking can help in locating lost devices and thereby prevent data loss.

Device lockdown functionality can be achieved with Endpoint Central. Additional security policies are also available for MDM.

The Browser Security Plus add-on helps in preventing browser-based threats and protecting enterprise data from credential theft, phishing attacks and accidental data leakage.

 5.2

Periodically evaluate critical device (such as firewall, network switches, security devices, etc.) configurations and patch levels for all systems in the bank’s network including in Data Centres, in third party hosted sites, shared-infrastructure locations

Endpoint Central periodically scans the assets in the network to determine the vulnerable systems and applications, firewall status, antivirus status and FileVault/Bitlocker status. Scan frequency can be configured.

Application Security Life Cycle (ASLC)  6.8

Consider implementing measures such as installing “containerized” apps on mobile/smart phones for exclusive business use that is encrypted and separated from other smartphone data/applications; measures to initiate a remote wipe on the containerized app, rendering the data unreadable, in case of requirement may also be considered.

Containerization of corporate data can be achieved using Endpoint Central, with the ability to prevent clipboard access.

Policies, restrictions and grouping based on device ownership (BYOD and COPE) can be configured.

During de-enrollment, a corporate wipe can be performed for Bring Your Own Devices and a complete wipe for Corporate Owned, Personally Enabled devices.

The geo-fencing capabilities offered by Endpoint Central empower the organisation to implement access management.

Patch/Vulnerability and Change Management  7.1

Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure.

Endpoint Central's patch management helps in deploying patches across every major device operating system (Windows, Mac, Linux) and over 250 third-party applications. The patching solution also includes driver updates for various components.

IT assets in the network are scanned periodically to identify vulnerable systems and applications.

Endpoint Central's Automate Patch Deployment (APD) feature gives system administrators the power to deploy missing patches automatically.

Dedicated deployment policies can be configured for all types of devices, with the ability to turn on devices to apply patches during non-productive hours, to prevent reboots during business hours or on mission-critical devices like servers, and to shut devices down after patching/updating.

 7.2

Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running at end-user devices directly connected to the internet and in respect of Server operating Systems/Databases/Applications/Middleware, etc.

 7.3

Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes, configuration baseline that ensure integrity of any changes thereto

Endpoint Central's pre-built Configurations and Collections can be used for configuration baselining of IT assets.

Newly enrolled devices are automatically baselined according to the OU/group they are placed under.

Configuration baselining can be forced during every startup to ensure greater security using Endpoint Central.

User Access Control / Management 8.1

Implement measures to control use of VBA/macros in office documents, control permissible attachment types in email systems.

Over 200 custom scripts are present in Endpoint Central's script library, which can be used for a plethora of customisation and security activities, including controlling the use of VBA/macros in office documents.

 8.3

Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need to know basis and for specific duration when it is required following an established process.

User groups can be managed by using Endpoint Central to add or remove domain and local users (new and existing) from local administrative privilege groups. Local administrator accounts can also be deactivated using features in Endpoint Central.

Endpoint Central's exhaustive permission management feature empowers users to allow/restrict files/folders/registry access to specific users or groups.

 8.6

Implement controls to minimize invalid logon counts, deactivate dormant accounts.

Endpoint Central provides comprehensive reports on AD users, including unused user accounts, inactive user accounts, disabled user accounts, expired user accounts and password-expired user accounts, from which dormant accounts in the network can be identified.

Endpoint Central provides out-of-the-box user logon reports to monitor user logon history.

 8.7

Monitor any abnormal change in pattern of logon.

 8.8

Implement measures to control installation of software on PCs/laptops, etc.

A dedicated software management module to install/uninstall software is available.

Software can be prohibited in the network, and such prohibited software can be uninstalled automatically from devices.

Untrusted/unknown executables can be blocked using the Block Executable feature in Endpoint Central.

 8.9

Implement controls for remote management/wiping/locking of mobile devices including laptops, etc.

Remote administration, remote lock and wipe of mobile devices can be achieved using Endpoint Central.

Removable Media  12.1

Define and implement policy for restriction and secure use of removable media/BYOD on various types/categories of devices including but not limited to workstations/PCs/Laptops/Mobile devices/servers, etc. and secure erasure of data on such media after use.

Endpoint Central's Secure USB feature allows network administrators to selectively limit the scope of USB usage by restricting or allowing full use. Restrictions can be set either at the computer level or at the user level, which provides security along with the flexibility to create and apply policies for USB access based on employee roles and departments.

 12.4

Consider implementing centralised policies through Active Directory or Endpoint management systems to whitelist/blacklist/restrict removable media use.

 12.5

As default rule, use of removable devices and media should not be permitted in the banking environment unless specifically authorised for defined use and duration of use.

USB instances can be blocked by default across the entire network, and the restriction can be revoked at the user or device level, providing flexibility in USB usage permissions.

Advanced Real-time Threat Defence and Management  13.2

Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices – (Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralised management and monitoring.

Antivirus update management is provided for Windows Defender, Microsoft Security Essentials, Microsoft Forefront Endpoint Protection 2010 Server Management, Microsoft Forefront Client Security and McAfee VirusScan Enterprise.

 13.3

Consider implementing whitelisting of internet websites/systems.

Using the Browser Security Plus add-on, IT admins can achieve whitelisting and blacklisting of URLs.

Audit Log settings  17.1

Implement and periodically validate settings for capturing of appropriate logs/audit trails of each device, system software and application software, ensuring that logs include minimum information to uniquely identify the log for example by including a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or event and/or transaction.

Hardware and software additions/removals are logged along with the timestamp, date, USB device name and username for audit purposes. Additionally, the concerned authority can be alerted to these changes by email for immediate redressal in case of contingencies.

Metrics  21.2

Some illustrative metrics include coverage of anti-malware software and their updation percentage, patch latency, extent of user awareness training, vulnerability related metrics, etc.

Endpoint Central provides comprehensive, interactive insights and infographics which can be used to comb through vast amounts of device data to identify and address vulnerabilities. Additionally, there are reports that help delve into critical updates, install statuses, failed updates, vulnerability database updates and more.