The governance foundation RBI expects.
Board-approved IT Policy. ITSC and IT Steering Committee charters. IT Risk register. Vendor risk management toolset. Board reporting templates. Golonex delivers the complete governance documentation set that RBI examiners and IS auditors look for — drafted, bank-branded, and ready to adopt.
Six governance foundations. Delivered as a set.
Each deliverable below is a document or framework that RBI examiners, IS auditors, and your Board will ask to see. Golonex drafts every one — you review, brand, and adopt.
Board-Approved IT Policy
A comprehensive IT Policy document covering information security, acceptable use, access control, incident management, and vendor oversight — drafted to RBI and CERT-In expectations, ready for Board adoption.
IT Strategy Committee (ITSC) Charter
Board-level committee structure for IT governance — charter, terms of reference, meeting cadence (quarterly), agenda template, and minute template. Designed for UCBs with no existing governance framework.
IT Steering Committee Charter
Management-level IT oversight committee — charter, escalation matrix, monthly meeting structure, and decision authority matrix. Bridges the Board ITSC and operational IT delivery.
IT Risk Register
A pre-populated IT risk register seeded with the most common risks for UCBs and mid-market businesses — including CBS availability, ransomware, CBS vendor dependency, payment system outages, and data breach. Formatted for Board review and IS Audit inspection.
IT Budget Framework
Annual IT budget structure and Board approval template — covering capital expenditure, operational expenditure, security, DR, and compliance spend categories. Supports the Board sign-off requirement.
Quarterly Board Reporting Pack
Presentation templates for quarterly IT reporting to the Board ITSC — covering IT risk status, security incident summary, patch compliance, DR drill results, vendor review, and upcoming IT spend.
10 policies. One Board-approved master framework.
The IT Policy is the master document — but it is supported by 10 operational policies that define how specific controls are implemented. Golonex drafts all of them as a coherent set, not disconnected templates.
RBI BCSF and IS Audit inspections look for evidence that policies exist AND that staff know what they say. We draft each policy in plain language, structured for the team that has to follow it — not just the auditor that reads it once.
All policies are provided in editable format, bank-branded, with an owner field, effective date, and review date built in.
- 01 Information Security Policy (master document)
- 02 Acceptable Use Policy — staff, contractors, third parties
- 03 Access Control Policy — least privilege, MFA, privileged access
- 04 Incident Response Policy — classification, escalation, notification
- 05 Change Management Policy — infra and config changes, testing, rollback
- 06 IT Vendor and Outsourcing Policy — onboarding, SLAs, right-to-audit
- 07 Business Continuity and DR Policy — RTO/RPO targets, DR drill obligations
- 08 Data Classification and Handling Policy — personal data, CBS data, payment data
- 09 Removable Media and Device Policy — USB controls, BYOD
- 10 Patch Management Policy — SLAs by criticality, exceptions process
IT outsourcing policy and vendor risk toolkit.
RBI requires banks to have a Board-approved IT outsourcing policy and to assess critical vendors annually. Golonex builds the policy and the toolset — so the requirement is met from day one.
Vendor Risk Assessment Questionnaire
A scored questionnaire covering information security controls, data handling, financial stability, business continuity, and sub-processor usage — completed by the vendor before onboarding.
Contract Clause Library
Ready-to-use contract schedules for CBS vendors, cloud providers, and payment processors — covering data localisation (India-only), right-to-audit, security SLAs, and incident notification obligations.
Annual Vendor Review Process
Documented process for the annual review of critical IT vendors. Assessment template, risk scoring update, and contract review checklist — formatted for Board ITSC presentation.
Applicable vendors covered
Core Banking System vendors · Cloud hosting providers · Payment processors and aggregators · Credit bureaus · Internet and mobile banking platform vendors · Cybersecurity service providers including Golonex itself
Foundation, full build, or ongoing maintenance.
Foundation Package
IT Policy, ITSC and ISC charters, risk register, and Board reporting templates. Fixed price, delivered in 4 weeks. Suitable for institutions starting from zero.
Full Governance Build
Foundation Package plus all 10 policy documents, IT budget framework, and vendor risk toolset. Delivered over 8 weeks with a review session for each document.
Annual Maintenance Retainer
Annual review and update of all governance documents, Board presentation support, and policy amendments as regulations change. Keeps your governance documentation current and audit-ready.
Frequently asked questions
What's an ITSC charter and why does a bank need one? +
The IT Strategy Committee (ITSC) charter is the document that formally establishes the Board-level committee responsible for overseeing IT risk and governance. RBI requires banks to constitute an ITSC with defined membership, quorum, meeting cadence, and reporting obligations. Without a charter, the committee has no formal mandate — and IS auditors check for it in the first pass of the governance review.
How long does it take to produce a complete IT policy pack? +
Typically 4–6 weeks for a full set of 10 core IT policies: Information Security, Acceptable Use, Change Management, Incident Response, Vendor Management, BCP, Data Classification, Remote Access, Patch Management, and Asset Management. We work from bank-specific templates aligned to RBI IT Framework and customise each policy to your infrastructure, vendor landscape, and processes.
Is this a one-time project or an ongoing advisory? +
Both options are available. Most clients start with a one-time project — policy pack, risk register, or ITSC setup — and retain Golonex for annual review and update cycles. As regulations change and your infrastructure evolves, the documents need to stay current. We offer annual retainers for policy maintenance, risk register refresh, and Board reporting support.
Does this cover vendor risk and third-party due diligence? +
Yes. The IT risk register includes a vendor risk module covering technology service providers, CBS vendors, cloud hosts, and payment processors. We produce due diligence questionnaires, review vendor responses, and maintain the third-party risk register as a living document — not a one-time assessment that goes stale the following quarter.
How does this align with the RBI IT Framework for UCBs? +
The RBI IT Framework for Urban Co-operative Banks (UCBs) sets explicit requirements: a constituted ITSC, an approved IT policy, an IT risk register reviewed at least annually, and a Board-approved IT strategy. Every deliverable in this engagement is structured to satisfy those requirements and produce the evidence that IS auditors expect to see — so the audit becomes a review of documentation that already exists, not a scramble to produce it.
Tell us where your governance stands
Share your current policy documentation status and upcoming audit or examination dates. We will assess the gaps and propose a governance build timeline that gets you inspection-ready.