The Information Security Policy is a primary document that should be developed for any organisation, especially those with financial responsibilities. The policy should include a description of the main roles and responsibilities of information security management. It should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions’ information security. The policy should ensure the confidentiality, integrity and availability of a financial institution’s critical logical and physical assets, resources and sensitive data, whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution.

Information Security Policy

Based on the information security policy, institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include:

a) organisation and governance

b) logical security

c) physical security

d) ICT operations security

e) security monitoring

f) information security reviews, assessment and testing

g) information security training and awareness

Logical security

Institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies.

Physical security

Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual’s tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required.

Adequate measures to protect from environmental hazards should be commensurate with the importance of the buildings and the criticality of the operations or ICT systems located in these buildings.

ICT Operations Security

Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery.

Security Monitoring

Institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions’ information security.

Information Security Reviews, Assessment and Testing

Institutions should perform a variety of information security reviews, assessments and testing to ensure the effective identification of vulnerabilities in their ICT systems and ICT services.

Financial institutions should establish and implement an information security testing framework that validates the robustness and effectiveness of their information security measures, and should ensure that this framework considers the threats and vulnerabilities identified through threat monitoring and the ICT and security risk assessment process.

Information Security Training and Awareness

Institutions should establish a training programme, including periodic security awareness programmes for all staff and contractors. This is to ensure that staff are trained to perform their duties and responsibilities in a manner consistent with the relevant security policies and procedures, so as to reduce human error, theft, fraud, misuse or loss, and that they know how to address information security-related risks. Institutions should ensure that the training programme provides training for all staff members and contractors at least annually.

European Banking Authority, Guidelines on ICT and security risk management