IT Risk Management

🧠 1. What is IT Risk Management?

Definition:
👉 IT Risk Management means identifying, assessing, and controlling risks related to the use of information technology (computers, software, networks, etc.) in an organization.

In simple words:

It’s a process to protect the bank’s data, systems, and digital operations from harm like hacking, system failure, or data loss.


💡 2. Why is IT Risk Management Important in Banking?

Banks depend heavily on technology for:

  • Internet & Mobile Banking
  • ATMs and Digital Payments
  • Core Banking Systems
  • Customer Data Storage

Hence, any IT failure or cyberattack can cause:

  • Financial loss
  • Data theft
  • Service interruption
  • Damage to reputation

So, RBI and other regulators make it mandatory for banks to have strong IT risk management practices.


βš™οΈ 3. Key Terms to Remember

Term: Meaning

  • Risk: The chance of loss or harm due to an event (e.g., data breach).
  • Threat: Something that can cause damage (e.g., hackers, viruses).
  • Vulnerability: A weakness in the system that threats can exploit.
  • Control / Safeguard: Steps taken to reduce or prevent risk (e.g., firewall).
  • Residual Risk: Risk that remains even after controls are applied.

Example:
If a bank’s server has weak passwords (vulnerability), a hacker (threat) may break in, creating a risk of data theft. Enforcing strong password rules (control) reduces the residual risk.


🔄 4. Steps in IT Risk Management Process

Step: Description. Example.

  1. Identify Risks: Find out what could go wrong. Example: data theft, phishing, power failure.
  2. Assess/Analyze Risks: Measure how serious each risk is. Example: High, Medium, Low based on impact & likelihood.
  3. Control/Mitigate Risks: Take steps to reduce risks. Example: firewalls, antivirus, backups.
  4. Monitor & Review: Keep checking if controls are working. Example: regular security audits, VAPT tests.
  5. Respond & Recover: Take action if a risk event happens. Example: Disaster Recovery Plan (DRP), Business Continuity Plan (BCP).

🧩 5. Types of IT Risks in Banking

Type: Description. Example.

  • Cyber Risk: Risk from hackers, malware, phishing. Example: ransomware attack on servers.
  • Operational Risk: Risk from system failures or human error. Example: server crash during transactions.
  • Data Risk: Risk of data theft or leakage. Example: customer data exposed online.
  • Compliance Risk: Risk of not following RBI/IT laws. Example: not following RBI cyber security guidelines.
  • Third-Party Risk: Risk from vendors handling bank data. Example: cloud provider suffers a breach.
  • Reputational Risk: Risk of loss of trust due to IT failure. Example: social media outrage after a data leak.

πŸ” 6. Controls & Safeguards (Risk Mitigation)

Banks use technical, administrative, and physical controls to reduce IT risks.

Type: Example

  • Technical Controls: Firewalls, antivirus, encryption, intrusion detection
  • Administrative Controls: Policies, training, access control, incident reporting
  • Physical Controls: CCTV, biometric access, restricted server rooms

📋 7. RBI Guidelines on IT Risk

RBI issues various guidelines and frameworks to manage IT risk in banks:

Guideline: Description

  • Cyber Security Framework (2016): Mandatory cyber risk management for banks.
  • IT Governance & Risk Management Circular (2011): Defines board-level responsibility for IT risks.
  • Guidelines on Information Security, Electronic Banking & Outsourcing (2011): Covers e-banking and vendor risk.
  • Digital Banking Guidelines (2022): Strengthened cyber and IT governance controls.

Key Points from RBI Guidelines:

  • Every bank must have a Chief Information Security Officer (CISO).
  • Banks must conduct VAPT (Vulnerability Assessment & Penetration Testing) regularly.
  • Maintain Business Continuity Plan (BCP) and Disaster Recovery (DR) site.
  • Conduct periodic risk assessments and report to senior management.

🧭 8. Risk Assessment Matrix (Simple Concept)

                        Impact: Low    Impact: Medium    Impact: High
  Likelihood: Low       Low            Low               Medium
  Likelihood: Medium    Low            Medium            High
  Likelihood: High      Medium         High              High

👉 This helps decide which risks to fix first.
Example: a high-likelihood, high-impact risk is a critical risk and must be fixed immediately.


🚨 9. IT Risk Management Example

Example: Internet Banking System

Step: Example

  • Identify: Risk of hacking or phishing attack
  • Assess: High impact, high likelihood
  • Mitigate: 2FA login, encryption, monitoring
  • Monitor: Regular audits & cyber drills
  • Recover: Activate BCP/DR site if system fails

πŸ› οΈ 10. Key IT Risk Management Tools

Tool: Purpose

  • Risk Register: List of all identified risks and their status
  • VAPT Reports: Finds and fixes vulnerabilities
  • Incident Response Plan: Steps to handle cyber incidents
  • BCP/DR Plan: Ensures continuity after a disaster
  • Audit Logs: Tracks user activity for security review
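The risk matrix in section 8 and the Risk Register in section 10 can be put together as a small working register: each entry records threat, vulnerability, likelihood, impact and owner, is scored with the matrix, then re-scored after controls to show residual risk, and the register is sorted critical-first. The Python below is an added example and is not part of these notes; the risk entries, owners and the effect of each control are constructed values for illustration only.

```python
"""Added example: a minimal risk register scored with the Likelihood x Impact
matrix from the notes. All entries, owners and control effects are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LEVELS = ("Low", "Medium", "High")

# The 3x3 matrix from section 8: MATRIX[likelihood][impact] -> priority rating.
MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}
# Sort key: High-rated risks are treated first.
ORDER = {"High": 0, "Medium": 1, "Low": 2}


def rate(likelihood: str, impact: str) -> str:
    """Look up the priority rating; rejects anything outside Low/Medium/High."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return MATRIX[likelihood][impact]


@dataclass
class Risk:
    """One row of a risk register (section 10): threat, vulnerability, owner."""
    name: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str
    controls: List[str] = field(default_factory=list)
    # Levels after controls are applied; None means unchanged from inherent.
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def inherent_rating(self) -> str:
        """Rating before any control is applied."""
        return rate(self.likelihood, self.impact)

    def residual_rating(self) -> str:
        """Rating that remains after controls (section 3: residual risk)."""
        return rate(self.residual_likelihood or self.likelihood,
                    self.residual_impact or self.impact)


def apply_control(risk: Risk, control: str,
                  new_likelihood: Optional[str] = None,
                  new_impact: Optional[str] = None) -> Risk:
    """Record a control and the level(s) it lowers; a risk is never removed, only reduced."""
    risk.controls.append(control)
    if new_likelihood is not None:
        risk.residual_likelihood = new_likelihood
    if new_impact is not None:
        risk.residual_impact = new_impact
    return risk


def prioritise(register: List[Risk], use_residual: bool = True) -> List[Tuple[str, str]]:
    """Order the register critical-first (section 8), by residual or inherent rating."""
    rating = (lambda r: r.residual_rating()) if use_residual else (lambda r: r.inherent_rating())
    return sorted(((r.name, rating(r)) for r in register),
                  key=lambda t: (ORDER[t[1]], t[0]))


def needs_immediate_action(register: List[Risk], use_residual: bool = True) -> List[str]:
    """Names of risks rated High: these must be fixed immediately."""
    rating = (lambda r: r.residual_rating()) if use_residual else (lambda r: r.inherent_rating())
    return [r.name for r in register if rating(r) == "High"]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries (hypothetical, for illustration only)."""
    phishing = Risk("Phishing of internet-banking customers", "Fraudster",
                    "Password-only login", "High", "High", "CISO")
    power = Risk("Power failure in primary data centre", "Grid outage",
                 "No redundant power", "Medium", "High", "Head of Infrastructure")
    vendor = Risk("Cloud vendor breach", "External attacker",
                  "Weak vendor oversight", "Medium", "Medium", "Vendor Risk Manager")
    # Controls as in sections 6 and 9; the level changes are assumed values.
    apply_control(phishing, "2FA on login", new_likelihood="Medium")
    apply_control(phishing, "Transaction monitoring", new_impact="Medium")
    apply_control(power, "UPS and generator", new_likelihood="Low")
    apply_control(power, "Warm DR site", new_impact="Medium")
    apply_control(vendor, "Annual vendor security audit", new_likelihood="Low")
    return [phishing, power, vendor]


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg:
        print(f"{r.name}: inherent={r.inherent_rating()} "
              f"residual={r.residual_rating()} controls={r.controls}")
    print("Before controls, fix first:", needs_immediate_action(reg, use_residual=False))
    print("Treatment order after controls:", prioritise(reg))
```

Running it shows the two risks that start at High (phishing, power failure) drop to Medium and Low once controls are recorded, and that the register never reaches zero risk: the residual rating is what the monitor-and-review step keeps checking.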

🧾 11. Summary Table

Concept: Key Point

  • Goal: Protect data, systems, and reputation
  • Main Steps: Identify → Assess → Mitigate → Monitor → Recover
  • Main Types of Risks: Cyber, Operational, Data, Compliance, Vendor
  • Controls: Technical, Administrative, Physical
  • RBI Requirement: CISO, BCP/DR, VAPT, regular risk review

🏁 12. In Short

  • IT Risk = Chance of loss from IT system failure or misuse.
  • RBI mandates banks to follow the Cyber Security Framework (2016).
  • BCP = Business Continuity Plan → Ensures critical services continue during failure.
  • DR = Disaster Recovery → Backup systems after disaster.
  • CISO = Chief Information Security Officer → Head of IT security.
  • VAPT = Finds security holes before hackers do.
  • Risk = Threat × Vulnerability × Impact.

SECTION A — Basic Definitions (10)

  1. What is IT Risk?
    A. A guaranteed loss due to system downtime
    B. Possibility of harm from use of information technology
    C. Only cyberattacks on a network
    D. Legal penalty for IT compliance failure
    Answer: B
  2. A vulnerability in IT means:
    A. A threat actor ready to attack
    B. A weakness that can be exploited by a threat
    C. A control to stop attacks
    D. A type of encryption
    Answer: B
  3. Threat in IT Risk Management refers to:
    A. Measures reducing risk
    B. An event or actor that may cause harm
    C. The cost of security tools
    D. A backup site
    Answer: B
  4. Control (or safeguard) means:
    A. A risk that remains after mitigation
    B. A mechanism to reduce or manage risk
    C. A regulatory body
    D. A list of vulnerabilities
    Answer: B
  5. Residual risk is:
    A. Risk before any control is applied
    B. Risk that remains after controls are implemented
    C. Risk that has been completely removed
    D. Financial risk only
    Answer: B
  6. Which formula best represents risk?
    A. Risk = Asset × Control
    B. Risk = Threat × Vulnerability × Impact
    C. Risk = Control ÷ Vulnerability
    D. Risk = Likelihood + Control
    Answer: B
  7. Which one is an example of operational risk in IT?
    A. Legal fine for non-compliance
    B. Server failure due to power outage
    C. Hacker stealing customer data
    D. Loss of brand reputation
    Answer: B
  8. Cyber risk specifically covers:
    A. Physical theft of hardware only
    B. Risks from digital threats like malware and hacking
    C. Human resource policies
    D. Cash handling errors
    Answer: B
  9. IT Governance principally ensures:
    A. Only hardware maintenance schedules
    B. Alignment of IT with business goals and risk management
    C. Hiring of IT staff
    D. Backup power supply only
    Answer: B
  10. Incident in IT terms means:
    A. A planned system upgrade
    B. Any event that disrupts normal operations or security
    C. A successful audit
    D. Routine password change
    Answer: B

SECTION B — IT Risk Process & Assessment (8)

  1. First step in IT risk management is:
    A. Implement controls
    B. Identify risks and assets
    C. Recover systems
    D. Monitor logs
    Answer: B
  2. Risk assessment typically measures:
    A. Only the financial loss
    B. Likelihood and impact of risks
    C. Number of servers only
    D. Employee satisfaction
    Answer: B
  3. A Risk Register contains:
    A. Inventory of bank branches
    B. List of identified risks, owners, likelihood, and mitigation actions
    C. Only vulnerabilities discovered in VAPT
    D. Passwords for systems
    Answer: B
  4. In a risk matrix, a risk with high likelihood and high impact is:
    A. Low priority
    B. Medium priority
    C. High priority — needs immediate action
    D. Ignorable
    Answer: C
  5. Qualitative risk assessment uses:
    A. Exact monetary values only
    B. Judgment-based categories like High/Medium/Low
    C. Machine learning only
    D. None of the above
    Answer: B
  6. Quantitative risk assessment estimates:
    A. Attack vectors only
    B. Numeric values for impact (e.g., monetary loss) and probability
    C. Employee headcount
    D. Browser types used by customers
    Answer: B
  7. Which is NOT part of risk treatment options?
    A. Avoidance
    B. Exploitation
    C. Mitigation
    D. Transfer (e.g., insurance)
    Answer: B
  8. Risk appetite refers to:
    A. Maximum acceptable risk an organization is willing to take
    B. A type of control measure
    C. Technical vulnerability
    D. Backup frequency
    Answer: A

SECTION C — Types of IT Risks (8)

  1. Third-party risk arises from:
    A. Internal staff only
    B. Vendors, cloud providers, or partners
    C. Physical bank branches only
    D. ATM cash shortages
    Answer: B
  2. Data Privacy risk primarily concerns:
    A. Power supply issues
    B. Unauthorized access or improper handling of personal data
    C. Printer malfunctions
    D. Loan approval delays
    Answer: B
  3. Reputational risk in IT stems from:
    A. Software licenses expiry
    B. Security incidents that reduce customer trust
    C. Only regulatory audits
    D. Currency fluctuations
    Answer: B
  4. Business continuity risk means:
    A. Risk that core services cannot run during disruption
    B. Increased sales during festivals
    C. Incorrect accounting entries
    D. Slow internet connection for staff only
    Answer: A
  5. Insider threat refers to:
    A. Attackers from other countries
    B. Malicious or negligent actions by employees or contractors
    C. Firewall misconfiguration
    D. Vendor hardware failure
    Answer: B
  6. Which is a technology risk?
    A. Change in board members
    B. Obsolescence of systems and lack of patches
    C. Branch manager transfer
    D. Customer loan default
    Answer: B
  7. Compliance risk in IT includes:
    A. Not following RBI or other regulatory rules on IT and cyber security
    B. Only paying taxes late
    C. Selling non-core products
    D. None of the above
    Answer: A
  8. Fraud risk in IT context often involves:
    A. Incorrectly coded mobile apps allowing false transactions
    B. Loss of office stationery
    C. Staff strikes
    D. System uptime improvement
    Answer: A

SECTION D — Controls & Safeguards (8)

  1. Which of the following is a technical control?
    A. Staff training
    B. Firewall and anti-virus
    C. CCTV cameras (physical)
    D. Policies and procedures
    Answer: B
  2. Encryption is used to:
    A. Speed up transactions
    B. Make data unreadable without keys
    C. Replace firewalls
    D. Increase storage space
    Answer: B
  3. Least Privilege principle means:
    A. Give every user full admin rights
    B. Users get only the access needed to perform their job
    C. Only managers should have accounts
    D. No one should have access to systems
    Answer: B
  4. Multi-factor Authentication (MFA) improves security by:
    A. Requiring multiple proofs of identity (e.g., password + OTP)
    B. Using only a long password
    C. Eliminating the need for usernames
    D. Backing up data twice a day
    Answer: A
  5. An IDS (Intrusion Detection System) is for:
    A. Detecting and alerting on suspicious network activity
    B. Managing backups
    C. Encrypting emails
    D. Employee performance review
    Answer: A
  6. Patch management is important because:
    A. It decorates servers
    B. It fixes software vulnerabilities and reduces risk
    C. It slows systems down
    D. It is only for desktops, not servers
    Answer: B
  7. Segregation of duties (SoD) helps prevent:
    A. Only hardware failures
    B. Fraud by dividing critical tasks among different people
    C. Faster software deployment
    D. Cloud migration
    Answer: B
  8. Physical controls in IT security include:
    A. Strong passwords only
    B. Biometric access, locks, and CCTV for server rooms
    C. Encryption of data at rest
    D. Two-factor authentication
    Answer: B

SECTION E — RBI / Regulatory / Governance (10)

  1. Which officer is normally responsible for IT security in a bank?
    A. Chief Financial Officer (CFO)
    B. Chief Information Security Officer (CISO)
    C. Branch Manager
    D. Loan Officer
    Answer: B
  2. RBI requires banks to have:
    A. No specific IT rules
    B. BCP/DR, regular VAPT, and defined IT governance
    C. Only branch-level IT staff
    D. Free public Wi-Fi in branches
    Answer: B
  3. VAPT stands for:
    A. Value Added Payment Tool
    B. Vulnerability Assessment & Penetration Testing
    C. Vendor Audit and Performance Testing
    D. Virtual Application Performance Tracker
    Answer: B
  4. Which of the following is a purpose of IT audit?
    A. Only to improve UI of mobile apps
    B. To check effectiveness of IT controls and compliance
    C. To write software code
    D. To market bank products
    Answer: B
  5. IT Policy must be approved by:
    A. Team leads only
    B. Board of Directors or senior management as per governance norms
    C. Customers
    D. Vendor representatives
    Answer: B
  6. Which is TRUE about outsourcing IT services?
    A. Outsourcing removes bank’s responsibility for data security
    B. Bank remains accountable and must manage third-party risk
    C. It is always prohibited by regulators
    D. It requires no contracts
    Answer: B
  7. Which report is commonly expected by regulators after an incident?
    A. Daily sales report
    B. Incident report with root cause analysis and remediation steps
    C. Employee attendance sheet
    D. None of the above
    Answer: B
  8. Board-level responsibility in IT governance means:
    A. Board only focuses on marketing
    B. Board must oversee IT strategy, risk, and investments
    C. Board handles only legal matters
    D. Board hires branch staff
    Answer: B
  9. Which is a recommended practice under regulatory frameworks?
    A. Never test DR plans
    B. Regularly test BCP/DR and run crisis simulations
    C. Publish all passwords to staff
    D. Disable logging to save storage
    Answer: B
  10. Logs and audit trails are required because they:
    A. Increase customer complaints
    B. Help investigate incidents and ensure accountability
    C. Replace backups
    D. Make systems slower without benefit
    Answer: B

SECTION F — Business Continuity / Disaster Recovery (6)

  1. Business Continuity Plan (BCP) ensures:
    A. Systems are always offline
    B. Critical business functions continue during disruption
    C. Immediate data deletion after incidents
    D. Branch openings schedule
    Answer: B
  2. Disaster Recovery (DR) primarily focuses on:
    A. Long-term marketing plan
    B. Recovery of IT systems (servers, applications) after an incident
    C. Recruiting new staff
    D. Only physical office reconstruction
    Answer: B
  3. RTO (Recovery Time Objective) means:
    A. How often backups are taken
    B. Maximum acceptable time to restore a service after disruption
    C. Cost of DR site only
    D. Number of users in a system
    Answer: B
  4. RPO (Recovery Point Objective) indicates:
    A. The acceptable amount of data loss measured in time
    B. Number of servers needed at DR site
    C. The bandwidth requirement
    D. The number of incidents per year
    Answer: A
  5. Warm DR site means:
    A. No hardware or data present
    B. Partially equipped site with some data replication; requires setup time
    C. Fully live site with instant failover
    D. A hot water heater for server rooms
    Answer: B
  6. Hot DR site is best described as:
    A. Fully operational duplicate site for near-instant recovery
    B. A cold storage for tapes
    C. An offline office only
    D. A training room
    Answer: A

SECTION G — VAPT, Security Testing & Incident Response (6)

  1. VAPT should be performed:
    A. Once in the lifetime of an application
    B. Periodically (regularly) and before major releases
    C. Only after a breach happens
    D. Never — it’s optional for banks
    Answer: B
  2. Penetration testing is mainly to:
    A. Add new features to applications
    B. Simulate attacks to find vulnerabilities practically
    C. Delete obsolete code
    D. Train staff on customer service
    Answer: B
  3. An Incident Response Plan includes:
    A. Steps to be taken during and after a security event
    B. Only a list of phone numbers
    C. Marketing campaign for new services
    D. Loan sanction rules
    Answer: A
  4. Forensics in cybersecurity is used to:
    A. Promote new mobile apps
    B. Collect and analyse evidence after an incident for investigation
    C. Replace security audits
    D. Backup data only
    Answer: B
  5. Which is FIRST action after detecting a major breach?
    A. Publicly post all customer data
    B. Contain the breach to prevent further damage
    C. Immediately hire new developers
    D. Remove all logs
    Answer: B
  6. A playbook in incident response is:
    A. A sports strategy guide
    B. Predefined step-by-step actions for specific incident types
    C. Random suggestions by staff
    D. A system configuration file
    Answer: B

SECTION H — Cybersecurity Concepts (10)

  1. Phishing is:
    A. Physical theft of bank cheques
    B. Fraudulent attempt to obtain sensitive information via fake emails or messages
    C. A type of backup
    D. Server hardening technique
    Answer: B
  2. Ransomware attack typically:
    A. Encrypts files and demands payment for decryption
    B. Disables antivirus only
    C. Improves system performance
    D. Is harmless advertising
    Answer: A
  3. Zero-day vulnerability means:
    A. A vulnerability known and already patched
    B. A previously unknown vulnerability with no available fix at discovery time
    C. A vulnerability scheduled for next year
    D. A vulnerability in physical locks
    Answer: B
  4. Social engineering targets:
    A. Only system vulnerabilities
    B. Human psychology to trick people into revealing sensitive info
    C. Only outdated hardware
    D. Network speed issues
    Answer: B
  5. SQL Injection is an attack on:
    A. Network cables
    B. Web applications by sending malicious SQL to manipulate database
    C. Backup processes
    D. Printer configurations
    Answer: B
  6. Firewall primarily works at:
    A. Application, network, or host level to filter traffic based on rules
    B. Only physical access control
    C. Improving user experience on mobile apps
    D. None of the above
    Answer: A
  7. Two key goals of Information Security are:
    A. Speed and cost
    B. Confidentiality and Availability (also Integrity) — CIA triad
    C. Marketing and Sales
    D. Payroll and HR
    Answer: B
  8. Integrity in CIA triad means:
    A. Data is accurate and not tampered with
    B. Data is only visible to hackers
    C. Data is always available without backup
    D. Data backup schedule
    Answer: A
  9. Public Key Infrastructure (PKI) provides:
    A. Password policy only
    B. Digital certificates and keys for encryption and identity verification
    C. Physical locks for server rooms
    D. None of the above
    Answer: B
  10. DDoS attack aims to:
    A. Increase system memory
    B. Overwhelm services to make them unavailable to legitimate users
    C. Update software smoothly
    D. Back up data faster
    Answer: B

SECTION I — Scenario-Based / Application (8)

  1. A bank discovers unusual outbound traffic from its payment server at 2 AM. First action should be:
    A. Reboot the server only
    B. Isolate the server (contain), preserve logs, and start incident response
    C. Delete logs to hide breach
    D. Post a press release immediately
    Answer: B
  2. During DR test, data restoration failed due to outdated backups. This indicates a problem with:
    A. Risk assessment only
    B. Backup strategy and RPO validation
    C. Firewall rules
    D. Employee onboarding
    Answer: B
  3. A vendor managing payroll gets breached. Bank should:
    A. Ignore because vendor is external
    B. Activate third-party risk procedures, notify regulators if required, and remediate with vendor
    C. Fire all employees
    D. Close branches temporarily
    Answer: B
  4. If an employee accidentally shares credentials, the immediate steps include:
    A. Ignore the event
    B. Reset credentials, check logs, and determine scope of exposure
    C. Fire the employee immediately without investigation
    D. Publish credentials to everyone to ensure transparency
    Answer: B
  5. A newly deployed app has high-severity vulnerability found in VAPT. Priority is to:
    A. Delay fixes until next quarter
    B. Patch or mitigate immediately and restrict access if needed
    C. Remove VAPT report from records
    D. Turn off monitoring systems
    Answer: B
  6. If customer PII is leaked, the bank must:
    A. Wait to see if anyone complains
    B. Notify affected customers, regulators (as required), and start remediation
    C. Charge customers for identity protection automatically
    D. Delete all customer accounts
    Answer: B
  7. During a system upgrade, test environment data is copied to production by mistake. This is an example of:
    A. Physical theft
    B. Human error leading to operational risk
    C. Effective change management
    D. Successful patching
    Answer: B
  8. A weak password policy causing multiple brute-force attempts indicates weak control in:
    A. Network bandwidth
    B. Identity and access management (IAM)
    C. HR policies only
    D. Asset disposal process
    Answer: B

SECTION J — Miscellaneous / Exam-Favourite Points (6)

  1. Which one is NOT a primary objective of IT risk management?
    A. Protect confidentiality, integrity, and availability of data
    B. Achieve zero risk at any cost
    C. Ensure regulatory compliance
    D. Minimize business disruption
    Answer: B
  2. Migration to cloud platforms increases emphasis on:
    A. Only local backups
    B. Third-party risk management and shared responsibility model
    C. Reducing internet bandwidth
    D. Removing encryption
    Answer: B
  3. A strong password policy should include:
    A. Use of default passwords only
    B. Complexity, expiry, and account lockout after failed attempts
    C. Same password for all employees
    D. No multifactor authentication
    Answer: B
  4. Audit logs should be:
    A. Deleted daily
    B. Protected, timestamped, and retained as per policy for investigations
    C. Publicly available
    D. Only in paper form
    Answer: B
  5. Red team testing is:
    A. Internal compliance checklist only
    B. A realistic simulation of adversary attack to test detection and response
    C. A team for color-coding servers
    D. Marketing exercise
    Answer: B
  6. Which is an important KPI for IT risk management?
    A. Number of unread emails
    B. Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to incidents
    C. Number of coffee machines in office
    D. Color of office walls
    Answer: B