The Information Security Policy is a primary document that should be developed for any organisation, especially those with financial responsibilities. The policy should include a description of the main roles and responsibilities of information security management. It should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have responsibilities in ensuring financial institutions’ information security. The policy should ensure the confidentiality, integrity and availability of a financial institution’s critical logical and physical assets, resources and sensitive data, whether at rest, in transit or in use. The information security policy should be communicated to all staff and contractors of the financial institution.
Based on the information security policy, institutions should establish and implement security measures to mitigate the ICT and security risks that they are exposed to. These measures should include:
a) organisation and governance
b) logical security
c) physical security
d) ICT operations security
e) security monitoring
f) information security reviews, assessment and testing
g) information security training and awareness
Logical security
Institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies, and should address at least the following:
- Need to know, least privilege and segregation of duties
- User accountability
- Privileged access rights
- Logging of user activities (privileged users)
- Access management
- Access re-certification
- Authentication methods
Physical security
Physical access to ICT systems should be permitted to only authorised individuals. Authorisation should be assigned in accordance with the individual’s tasks and responsibilities and limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed to ensure that unnecessary access rights are promptly revoked when not required.
Adequate measures to protect from environmental hazards should be commensurate with the importance of the buildings and the criticality of the operations or ICT systems located in these buildings.
ICT Operations Security
Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures:
- identification of potential vulnerabilities, which should be evaluated and remediated by ensuring that software and firmware are up to date;
- implementation of secure configuration baselines of all network components;
- implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification);
- implementation of protection of endpoints including servers, workstations and mobile devices; financial institutions should evaluate whether endpoints meet the security standards defined by them before they are granted access to the corporate network;
- ensuring that mechanisms are in place to verify the integrity of software, firmware and data;
- encryption of data at rest and in transit (in accordance with the data classification).
Security Monitoring
Institutions should establish and implement policies and procedures to detect anomalous activities that may impact financial institutions’ information security. Continuous monitoring should cover:
- relevant internal and external factors, including business and ICT administrative functions;
- transactions to detect misuse of access by third parties or other entities and internal misuse of access;
- potential internal and external threats.
Information Security Reviews, Assessment and Testing
Institutions should perform a variety of information security reviews, assessments and testing to ensure the effective identification of vulnerabilities in their ICT systems and ICT services.
Financial institutions should establish and implement an information security testing framework that validates the robustness and effectiveness of their information security measures, and should ensure that this framework considers the threats and vulnerabilities identified through threat monitoring and the ICT and security risk assessment process.
Information Security Training and Awareness
Institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors. This is to ensure that staff are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures, so as to reduce human error, theft, fraud, misuse or loss, and that they know how to address information security-related risks. Institutions should ensure that the training programme provides training for all staff members and contractors at least annually.
European Banking Authority, Guidelines on ICT and security risk management