17 December 2024

Conduct of Vulnerability Assessment/Penetration Testing (VA/PT) by CERT-In Empanelled Auditors

Please refer to para 5.1 of Annexure II to our circular letter No. NB.DoS.Pol.HO/ 3184/J.1/2019-20 (EC No. 33/DoS-08/2020) dated 06 February 2020 on graded approach for a time-bound implementation of the Comprehensive Cyber Security Framework for Regional Rural Banks (RRBs) wherein the banks were advised to periodically conduct Vulnerability Assessment/Penetration Testing (VA/PT) of internet facing web/mobile applications, servers, and network components throughout their lifecycle (pre-implementation, post implementation, after changes, etc.), with a frequency of at least once in 6 months in case of VA of critical applications and those on De-Militarized Zone (DMZ) and at least once in a year in case of PT.

2. Since simulation of advance threats and accurate identification of vulnerabilities are some of the key aspects to be examined during VAPT, the Board of Supervision for StCBs, DCCBs and RRBs in NABARD had, at its 94th meeting held on 19th June 2024, directed that the Supervised Entities (SEs) should be advised to conduct VA/PT through CERT-In empaneled organizations only.

3. In view of the foregoing, we advise you to ensure conduct of VA/PT in your bank through CERT-In empaneled organizations only. The list of such organizations is available on the web-site of CERT-In (https://www.cert-in.org.in/) and is regularly being updated.

4. As already advised at para 5.4 thereof, the vulnerabilities detected are to be remedied promptly in terms of the RRB’s risk management/treatment framework so as to avoid exploitation of such vulnerabilities. We advise that after remediation, validation testing should be conducted to ensure that the vulnerabilities have been effectively addressed and no new vulnerabilities have been introduced.

Yours faithfully

(Sudhir Kumar Roy)

Chief General Manager