Information Security Controls for Licensed Banks
====================================================
The Bangladesh Insurance Regulations (BIRMC) specify requirements for information security controls (ISC) at licensed banks in your country or region. This article highlights key points related to computer security, user activity log management, data encryption, and other relevant areas.
Computer Security and User Activity Log Management
Policy Requirement
- Banks must implement a policy for managing computer security and user activity logs of critical information systems and those exposed to customer data.
Content of the Policy
- Types of logs to be maintained
- Retention period
- Review frequency
- Tools used
- Event identification
- Response procedures
- Responsibilities for log maintenance
Data Encryption
Customer Data Encryption
- Customer data must normally be protected using encryption recommended by industry standards.
- However, banks may use alternative controls if encryption is not feasible or appropriate.
Types of Encryption
- Banks should use industry-standard encryption methods, subject to approval from their Board of Directors on the recommendation of BIRMC and ISC.
Information Classification and Labeling
Classification Based on Sensitivity
- All electronically maintained data must be classified based on information security sensitivity and labeled with assigned classification as per an approved information classification policy.
Security Operations Center (SOC)
Implementation Mandate
- A SOC is mandatory for all licensed commercial banks, specialized banks that are D-SIBs, and other specialized banks offering electronic delivery channels.
Responsibilities
- The SOC must be responsible for:
  - Prevention of information security threats
  - Monitoring and detection of information security threats
  - Incident response
  - Forensics
  - Reporting
  - Knowledge sharing
Deviations from Requirements
Banks may deviate from encryption requirements with adequate compensating controls and monitoring measures to minimize risks. These deviations need approval by the Board of Directors and review at least once every two years.
Conclusion
The document outlines comprehensive security standards for licensed banks in your region, emphasizing the importance of robust information security practices. It highlights areas such as computer security log management, data encryption, classification of sensitive information, and the establishment of a Security Operations Center (SOC). These measures are aimed at protecting customer data and ensuring the integrity of banking systems.