Financial Crime World

Comprehensive Guidelines for Information and Cyber Security Risk Management in the Banking Sector

General Requirements


Establishing a robust information and cyber security risk management framework is crucial for banks to ensure the confidentiality, integrity, and availability of their data and systems. The following guidelines outline the key requirements:

  • Documented Framework: The bank shall establish an information and cyber security risk management framework that is documented and kept current, incorporating lessons learned from incidents and reviews.
  • Annual Review: The board shall review the framework at least annually to confirm its continued relevance and effectiveness.

Risk Assessment and Management


Effective risk assessment and management are critical components of a bank’s information and cyber security risk management program. The following guidelines outline the key requirements:

  • Business Function Classification: Identify and classify business functions, supporting processes, and information assets in terms of criticality (confidentiality, integrity, availability).
  • Threat and Vulnerability Monitoring: Continuously monitor threats and vulnerabilities relevant to business processes and information assets.
  • IT Risk Assessments: Conduct IT risk assessments that include an impact analysis of the consequences for the overall business and its operations.

Outsourcing Risks


Outsourcing can bring benefits but also introduces risks that must be managed. The following guidelines outline the key requirements:

  • Comprehensive Program: Establish a comprehensive outsourcing risk management program for third-party service providers.
  • Due Diligence: Carry out due diligence prior to engaging a service provider (viability, capability, reliability, track record).
  • Contractual Terms and Conditions: Ensure contractual terms and conditions govern roles, relationships, obligations, and responsibilities of all parties.

Cloud Computing


Cloud computing can bring benefits but also introduces risks that must be managed. The following guidelines outline the key requirements:

  • Core Banking Systems: Do not outsource the hosting of core banking systems and applications to third-party cloud service providers.
  • Cloud Computing Policy: Establish a cloud computing policy that covers cyber security risk.
  • Due Diligence: Conduct due diligence on cloud service providers prior to using them for non-core banking systems and applications.

Acquisition and Development of Information Systems


The acquisition and development of information systems can introduce risks that must be managed. The following guidelines outline the key requirements:

  • IT Project Governance: Establish a process for acquiring and/or developing information systems, including planning, deploying, testing, maintaining, upgrading, and retiring systems.
  • Policies and Procedures: Develop policies and procedures to govern IT project initiation, prioritization, approval, and control.
  • Progress Reports: Submit progress reports on major IT projects to the IT steering committee and board periodically.

Security Requirements and Testing


Ensuring the security of information systems is critical. The following guidelines outline the key requirements:

  • High Integrity Systems: Ensure a high level of integrity for all systems and the data they process.
  • System Testing Methodology: Establish a methodology for system testing.
  • Regression Testing: Conduct full regression testing before implementing system rectification or enhancement.
  • Penetration Testing: Perform penetration testing prior to commissioning new systems with Internet accessibility and open network interfaces.
  • Separate Environments: Maintain separate physical or logical environments for development, user acceptance testing (UAT), and production.