• OM-5 Security Measures for Banks

    • OM-5.1 Security Measures for Retail Banks

      • General Requirement

        • OM-5.1.1

          Retail banks must maintain up-to-date Payment Card Industry Data Security Standard (PCI-DSS) certification. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

          Added: January 2020

        • OM-5.1.2

          In order to maintain up-to-date PCI-DSS certification, retail banks will be periodically audited for compliance by PCI-authorised companies. Licensees are asked to make certified copies of the resulting audit reports and certificates available if requested by the CBB.

          Added: January 2020

        • OM-5.1.2A

          Conventional retail bank licensees must take appropriate measures to counter fraudulent phishing attempts (such as telephone or WhatsApp calls, SMS or WhatsApp messages, emails and other media) that request customers to provide sensitive personal information which can then be used to commit fraud. The licensees must also enhance their surveillance and monitoring systems so as to detect, on a timely basis, suspicious account activity resulting from such fraudulent attempts.

          Added: October 2020

        • OM-5.1.2B

          Conventional retail bank licensees must raise customer awareness about fraudulent phishing messages by launching extensive customer alert campaigns through media and social media channels. Customers must be warned of such attempts and advised to only use the licensee’s official website, telephone or other channels for communication with it.

          Added: October 2020

      • External Measures

        • OM-5.1.3

          All head offices/main offices are required to maintain Ministry of Interior ("MOI") guards on a 24-hour basis. Branches that satisfy the criteria in Paragraphs OM-5.1.4 to OM-5.1.16 below may maintain MOI guards during opening hours only. Furthermore, banks will be allowed to replace MOI armed guards with private security guards, subject to the approval of the MOI. Training and approval of private security guards will be provided by the MOI.

          Added: January 2020

        • OM-5.1.4

          Public entrances to head offices/main offices and branches must be protected by steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire. Other external entrances must have steel doors or be protected by steel rolling shutters. All other external entrances should preferably also have the following security measures:

          (a) Magic eye (door viewer);
          (b) Locking device (key externally and handle internally);
          (c) Door closing mechanism;
          (d) Contact sensor with alarm for prolonged opening time; and
          (e) Multifactor or combination access control system (e.g. access card and key slot, or swipe card and password).

          Added: January 2020

        • OM-5.1.5

          External windows must have security measures such as anti-blast films and movement detectors. For ground floor windows, banks must add steel grills fastened into the wall.

          Amended: April 2021
          Added: January 2020

        • OM-5.1.6

          Branch alarm systems must have the following features:

          (a) PIR motion detectors;
          (b) Door sensors;
          (c) Anti-vibration/movement sensors on vaults;
          (d) External siren; and
          (e) Linkage of the intrusion detection system to the bank's (i.e. head office) monitoring unit and to the MOI Central Monitoring Unit.

          Added: January 2020

      • Internal Measures

        • OM-5.1.7

          Teller counters must be screened off from customers by a glass screen of no less than 1 meter in height from the counter work surface or 1.4 meters from the floor.

          Added: January 2020

        • OM-5.1.8

          All areas where cash is handled must be screened off from customers and other staff areas.

          Added: January 2020

        • OM-5.1.9

          Access to teller areas must be restricted to authorised staff only. The design of the teller area must not allow customers to pass through it.

          Added: January 2020

        • OM-5.1.10

          Panic alarm systems for teller staff must be installed. The choice between silent or audible panic alarms is left to individual banks. Kick bars and/or hold-up buttons must be distributed throughout the teller and customer service areas and the branch manager's office. The panic alarm must be linked to the MOI Central Monitoring Unit.

          Added: January 2020

      • Cash Safety

        • OM-5.1.11

          Cash, precious metals and bearer instruments must be kept in fireproof cabinets/safes. These cabinets/safes must be located in strong rooms.

          Added: January 2020

        • OM-5.1.12

          Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and have a steel shutter fitted. Dual locking devices must be installed in strong room doors. Strong room doors must be located out of the sight of customers.

          Added: January 2020

        • OM-5.1.13

          Strong rooms must not contain any other openings except the entry door and where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grill.

          Added: January 2020

      • CCTV Network Systems

        • OM-5.1.14

          All head offices/main offices and branches must have a CCTV network and alarm system connected to a central monitoring unit, with a Video Monitoring System (VMS), located in the head office/main office, and also to the MOI Central Monitoring Unit.

          Added: January 2020

        • OM-5.1.15

          At a minimum, CCTV cameras must cover the following areas:

          (a) Main entrance;
          (b) Other external doors;
          (c) Any other access points (e.g. ground floor windows);
          (d) The banking hall;
          (e) Tellers' area;
          (f) Strong room entrance; and
          (g) ATMs (by way of internal or external cameras). Refer to Section OM-5.3 for specific CCTV requirements related to ATMs.

          Added: January 2020

        • OM-5.1.16

          Notices that CCTV cameras are in operation must be put up for the attention of the public. CCTV records must be retained for a minimum of 45 days. The transmission rate (in frames per second) must be high enough to allow effective monitoring. Delayed transmission of pictures to the Central Monitoring Unit is not acceptable. The CCTV system must be operational 24 hours per day.

          Added: January 2020

      • Training and Other Measures

        • OM-5.1.17

          Banks must establish the formal position of security manager. This person will be responsible for ensuring all bank staff are given annual, comprehensive security training. Banks must produce a security manual or procedures for staff, especially those dealing directly with customers. For banks with three or more branches, this position must be a formally identified position. For banks with one or two branches, the responsibilities of this position may be added to the duties of a member of management.

          Added: January 2020

        • OM-5.1.18

          The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

          Added: January 2020

        • OM-5.1.19

          Banks must consider safety and security issues when selecting premises for new branches. Key security issues include the prominence of the location (i.e. whether the branch is on a main street or a back street), accessibility for emergency services, an assessment of the surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All banks are required to hold an Insurance Blanket Bond (which includes theft of cash in its cover).

          Added: January 2020

    • OM-5.2 Payment and ATM Cards, Wallets and Point of Sale Infrastructure

      • Europay, MasterCard and Visa (EMV) Compliance

        • OM-5.2.1

          All cards (debit, credit, charge, prepaid, etc.) issued by licensees in the Kingdom of Bahrain must be EMV compliant. Moreover, all ATMs, CDMs, POS terminals, etc. must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts (i.e. up to BD50 per transaction), provided that Conventional bank licensees bear full responsibility in the event of fraud.

          Amended: April 2023
          Added: January 2020

        • OM-5.2.1A

          Where contactless payments use a Consumer Device Cardholder Verification Method (CDCVM) for payment authentication and approval, the authentication required for transactions above the BD50 limit mentioned in Paragraph OM-5.2.1 does not apply, given that the customer has already been authenticated by his device using a PIN, biometric or other authentication method. This applies only where the customer's debit/credit card has already been tokenised in the payment application.

          Amended: April 2023
          Added: July 2020

      • Provision of Cash Withdrawal and Payment Services through Various Channels

        • OM-5.2.2

          Conventional bank licensees are allowed to provide cash withdrawal and payment services using various channels, including but not limited to contactless, cardless, QR code, e-wallets and biometrics (iris recognition, facial recognition, fingerprint, voiceprint, etc.), subject to explicit consent from the customers using the established methods described in OM-3.2, and to enrolling them through a registration process for each channel and service in which customers' acceptance of the product/service terms and conditions is documented and customers are properly authenticated. The enrolment process must allow customers to opt out of any channel for which they have enrolled.

          Added: January 2020

      • Geolocation Limitations

        • OM-5.2.3

          All Conventional bank licensees issuing debit, prepaid and/or credit cards must ensure that all Bahrain-issued cards enable each customer to maintain a list of 'approved' countries for card ATM/Point of Sale (POS) transactions. Customers must be allowed to determine the countries in which their cards must not be accepted, as well as the countries or merchant categories in which a card transaction would require a further level of authorisation (for example, 2-way SMS).

          Added: January 2020
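The two rule sets above (the contactless cardholder-verification limit in OM-5.2.1/OM-5.2.1A and the customer-maintained country and merchant-category controls in OM-5.2.3) are both decisions an issuer's authorisation host has to take on every card transaction. The following is an added illustration of how they combine into one decision function; it is not CBB text and not any bank's code. The field names, the Decision values, the sample policy, and the country codes XB and XS (from the ISO 3166-1 user-assigned range) are assumptions; only the BD50 limit and the rules themselves come from the Paragraphs above.

```python
"""Worked authorisation-policy check for OM-5.2.1, OM-5.2.1A and OM-5.2.3.

Added illustration, not CBB text and not any bank's code. Field names,
Decision values, the sample policy and the codes XB/XS are assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import FrozenSet

# OM-5.2.1: contactless transactions without PIN are permitted up to BD50.
CONTACTLESS_NO_CVM_LIMIT_BD = Decimal("50.000")


class Decision(str, Enum):
    APPROVE = "approve"
    DECLINE = "decline"          # country blocked by the customer (OM-5.2.3)
    REQUIRE_PIN = "require_pin"  # online PIN needed before approval (OM-5.2.1)
    STEP_UP = "step_up"          # further authorisation, e.g. 2-way SMS (OM-5.2.3)


@dataclass(frozen=True)
class CountryPolicy:
    """Per-customer controls maintained by the cardholder (OM-5.2.3)."""
    blocked: FrozenSet[str]            # countries where the card must not work
    step_up_countries: FrozenSet[str]  # countries needing further authorisation
    step_up_mccs: FrozenSet[str]       # merchant category codes needing it


@dataclass(frozen=True)
class Transaction:
    amount_bd: Decimal
    country: str             # ISO 3166-1 alpha-2 of the ATM/POS location
    mcc: str                 # merchant category code
    channel: str             # "contact" (chip inserted) or "contactless"
    cvm: str                 # "online_pin", "cdcvm" or "none"
    tokenised: bool = False  # card provisioned into a wallet (OM-5.2.1A)


def cvm_satisfied(txn: Transaction) -> bool:
    """Cardholder verification rules from OM-5.2.1 / OM-5.2.1A."""
    if txn.cvm == "online_pin":
        return True
    if txn.channel == "contactless":
        if txn.amount_bd <= CONTACTLESS_NO_CVM_LIMIT_BD:
            return True  # low-value contactless: no PIN required
        # Above BD50, CDCVM counts only if the card is tokenised in the wallet.
        return txn.cvm == "cdcvm" and txn.tokenised
    return False  # contact chip transactions need online PIN


def authorise(txn: Transaction, policy: CountryPolicy) -> Decision:
    """Return the most restrictive decision that applies.

    Precedence: customer country block > missing cardholder verification >
    customer-configured step-up > approve.
    """
    if txn.country in policy.blocked:
        return Decision.DECLINE
    if not cvm_satisfied(txn):
        return Decision.REQUIRE_PIN
    if txn.country in policy.step_up_countries or txn.mcc in policy.step_up_mccs:
        return Decision.STEP_UP
    return Decision.APPROVE


# Constructed sample policy: one blocked country, one step-up country,
# and MCC 7995 (betting) flagged for step-up by the customer.
SAMPLE_POLICY = CountryPolicy(
    blocked=frozenset({"XB"}),
    step_up_countries=frozenset({"XS"}),
    step_up_mccs=frozenset({"7995"}),
)


if __name__ == "__main__":
    t = Transaction(Decimal("80.000"), "BH", "5411", "contactless", "none")
    print(authorise(t, SAMPLE_POLICY).value)
```

The country block is evaluated first because OM-5.2.3 makes it absolute: a customer who has excluded a country gets a decline there even with a correct PIN. The BD50 comparison is inclusive ("up to BD50"), and a CDCVM result on an untokenised card is treated as no verification at all, which is the condition OM-5.2.1A attaches.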

      • Prohibition of Double Swiping

        • OM-5.2.4

          Double swiping of cards by merchants is not allowed, and all card acquirer licensees must ensure that the merchants concerned comply with this requirement.

          Added: January 2020

        • OM-5.2.5

          For the purpose of Paragraph OM-5.2.4, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators who have outsourced their acquiring services to third-party service providers.

          Added: January 2020

        • OM-5.2.6

          For the purpose of Paragraph OM-5.2.4, double swiping means swiping a payment card a second time at the POS terminal/ECR, after the merchant has received the required card payment authorisation response, resulting in the capture and storage of the cardholder data and sensitive authentication data encoded on the magnetic stripe of the customer's payment card.

          Added: January 2020

        • OM-5.2.7

          All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

          Added: January 2020

        • OM-5.2.8

          All card acquirer licensees must:

          (i) Educate the concerned merchants on this regulatory requirement and monitor its implementation; and
          (ii) Educate and, where necessary, facilitate any merchant that has a valid business need for cardholder data or non-sensitive information, so that such data/information is transmitted through an integration option.

          Added: January 2020
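The definition in OM-5.2.6 is precise enough to be checked mechanically, which is what the monitoring duty in OM-5.2.8(i) requires of an acquirer: a magnetic-stripe read on the same terminal and transaction after the authorisation response has already arrived. The following detector is an added example, not CBB text and not any acquirer's software. It assumes the acquirer receives a key=value event feed from merchant POS terminals/ECRs in which card reads (with their source, chip or stripe) and authorisation responses are logged per transaction; the log format, field names and sample lines are constructed for the illustration.

```python
"""Double-swipe detection over a terminal event feed (OM-5.2.6, OM-5.2.8).

Added example, not CBB text and not any acquirer's software. The log format,
field names and the sample lines below are constructed assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k2="v 2"' into a dict; surrounding quotes are stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass(frozen=True)
class Finding:
    terminal: str
    txn: str
    read_ts: str  # when the stripe was read again
    auth_ts: str  # when the authorisation response had already arrived


def detect_double_swipes(lines: Iterable[str]) -> List[Finding]:
    """Flag a magnetic-stripe read that follows the authorisation response
    of the same transaction at the same terminal (the OM-5.2.6 definition).

    A stripe read before authorisation (e.g. chip fallback) is not flagged,
    and the response code does not matter: the definition covers any
    response, approved or declined.
    """
    authorised: Dict[Tuple[str, str], str] = {}  # (terminal, txn) -> response time
    findings: List[Finding] = []
    for raw in lines:
        rec = parse_line(raw)
        if "terminal" not in rec or "txn" not in rec:
            continue  # blank or malformed line
        key = (rec["terminal"], rec["txn"])
        ev = rec.get("ev")
        if ev == "auth_response":
            authorised[key] = rec["ts"]
        elif ev == "card_read" and rec.get("src") == "msr" and key in authorised:
            findings.append(Finding(rec["terminal"], rec["txn"], rec["ts"], authorised[key]))
        elif ev == "txn_end":
            authorised.pop(key, None)
    return findings


def count_by_terminal(findings: Iterable[Finding]) -> Dict[str, int]:
    """Per-terminal tally, the figure an acquirer would track per merchant."""
    return dict(Counter(f.terminal for f in findings))


# Constructed sample: T001 and T003 re-read the stripe after an approval;
# T002 read the stripe before authorisation (fallback) and was declined.
SAMPLE_LOG = """\
ts=2024-03-02T10:15:01 terminal=T001 txn=A17 ev=card_read src=chip
ts=2024-03-02T10:15:02 terminal=T001 txn=A17 ev=auth_request amount=12.500
ts=2024-03-02T10:15:03 terminal=T001 txn=A17 ev=auth_response code=00
ts=2024-03-02T10:15:09 terminal=T001 txn=A17 ev=card_read src=msr
ts=2024-03-02T10:15:10 terminal=T001 txn=A17 ev=txn_end
ts=2024-03-02T10:20:00 terminal=T002 txn=B04 ev=card_read src=msr
ts=2024-03-02T10:20:01 terminal=T002 txn=B04 ev=auth_request amount=40.000
ts=2024-03-02T10:20:02 terminal=T002 txn=B04 ev=auth_response code=05
ts=2024-03-02T10:20:03 terminal=T002 txn=B04 ev=txn_end
ts=2024-03-02T10:25:00 terminal=T003 txn=C91 ev=card_read src=chip
ts=2024-03-02T10:25:01 terminal=T003 txn=C91 ev=auth_request amount=7.000
ts=2024-03-02T10:25:02 terminal=T003 txn=C91 ev=auth_response code=00
ts=2024-03-02T10:25:04 terminal=T003 txn=C91 ev=card_read src=msr
ts=2024-03-02T10:25:05 terminal=T003 txn=C91 ev=txn_end
"""

if __name__ == "__main__":
    for f in detect_double_swipes(SAMPLE_LOG.splitlines()):
        print(f"double swipe: terminal {f.terminal} txn {f.txn} at {f.read_ts} (auth {f.auth_ts})")
```

Two design points matter for an acquirer using this: the stripe read is only a finding once the authorisation response for that transaction has been seen, so legitimate fallback reads are not counted; and a second read after a declined response is still flagged, because OM-5.2.6 speaks of the authorisation response, not of an approval.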

      • Integration of Hardware Components

        • OM-5.2.9

          If the Automated Teller Machines (ATM) environment permits access to internal areas where account data is processed and/or stored (e.g., for service or maintenance), these areas must be effectively protected from access by unauthorised persons to mitigate the risk associated with attaching/inserting malicious additional components, especially those which may be designed to capture sensitive data. Banks must encrypt account data or secure access to such data by effective physical barriers such as strong walls, doors, and mechanical locks.

          Added: January 2020

        • OM-5.2.10

          All entry to sensitive areas must be recorded, including the name of the persons accessing the area; the date; and the time of access to and exit from the area. CCTV cameras must be installed, and used to record all activities within the ATM environment.

          Added: January 2020

        • OM-5.2.11

          Banks are required to implement best industry practice in respect of hardware and software development and integration, including but not limited to formal specification, test plans, and documentation. Hardware and software should only be introduced to the environment following a successful programme of testing.

          Added: January 2020

        • OM-5.2.12

          All test plans and the outcomes of these plans must be retained by the bank for a minimum of five years from the date of testing and be available on request to the CBB or its authorised representatives. Examples of components for which a detailed testing process must be undertaken prior to installation and integration include, but are not limited to, secure card readers (SCRs) and encrypting PIN pads (EPPs). In all instances the applicable Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) requirements must be fully complied with.

          Added: January 2020

        • OM-5.2.13

          Banks must ensure that the integration of Secure Card Readers (SCRs) and, if applicable, any mechanism protecting the SCRs and any anti-skimming devices are properly implemented and fully comply with the guidelines provided by the device vendor. SCRs must be approved by the PCI Security Standards Council and fully comply with all applicable PCI standards at all times.

          Added: January 2020

        • OM-5.2.14

          Banks must ensure that all ATMs, including offsite ATMs, are equipped with mechanisms which prevent skimming attacks. There must be no known or demonstrable way to disable or defeat the above-mentioned mechanisms, or to install an external or internal skimming device.

          Added: January 2020

      • ATM Software

        • OM-5.2.15

          Banks must ensure that their ATM software security measures comply with the following:

          (a) Access to sensitive services is controlled by requiring authentication. Entering or exiting sensitive services must not reveal or otherwise compromise the security of sensitive information;
          (b) ATM software must include controls designed to prevent unauthorised modification of the software configuration, including the operating system, drivers, libraries and individual applications. The software configuration includes the software platform, configuration data, the applications loaded to and executed by the platform, and the associated data. These mechanisms must also ensure the integrity of third-party applications, which must be installed through a controlled process;
          (c) Access to all elements of the ATM environment must be strictly controlled to ensure an effective segregation of functions and of responsibilities for all personnel;
          (d) Logging data must be stored so that it cannot be altered under any circumstances, and may be deleted only with the authorisation of a member of bank staff to whom the CEO has specifically delegated this responsibility;
          (e) Software is protected and stored in a manner which precludes unauthorised modification; and
          (f) Loading of software into ATMs is performed by a person who has the requisite knowledge and skills, and who has been nominated and authorised by a senior manager in the bank to undertake these tasks.

          Added: January 2020
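Subparagraph (d) asks for logging data that cannot be changed, which in practice means storage where any change is detectable and the custodian of the log is not the machine that writes it. One widely used construction is a hash chain: each record carries a MAC over its own content and the tag of the record before it, so editing, removing or reordering an entry breaks every verification from that point on. The following is an added example of that construction, not CBB text and not any ATM vendor's implementation. It assumes the MAC key is held by the bank's log collector (ideally in an HSM) rather than on the ATM, and the event fields are constructed.

```python
"""Tamper-evident ATM event log for OM-5.2.15(d).

Added example, not CBB text and not any vendor's implementation. The key is
assumed to live with the bank's log collector, not on the ATM; event fields
are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "previous tag" of the first entry


def _canonical(seq: int, event: dict, prev: str) -> bytes:
    """Deterministic serialisation so the verifier recomputes the same bytes."""
    return json.dumps({"seq": seq, "event": event, "prev": prev},
                      sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Dict] = []

    def append(self, event: dict) -> Dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        mac = hmac.new(self._key, _canonical(seq, event, prev), hashlib.sha256).hexdigest()
        entry = {"seq": seq, "event": event, "prev": prev, "mac": mac}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest tag; store it off-device so truncation becomes detectable."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(entries: List[Dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad entry or None).

    Detects edited content (MAC mismatch), a removed or reordered entry
    (seq/prev mismatch) and, when expected_head is supplied, truncation of
    the tail. Without an externally stored head, truncation is NOT detected.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        expected = hmac.new(key, _canonical(e["seq"], e["event"], e["prev"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def clone_entries(entries: List[Dict]) -> List[Dict]:
    """Deep copy via JSON, used to simulate someone editing the stored records."""
    return json.loads(json.dumps(entries))


if __name__ == "__main__":
    key = b"demo-key-held-by-log-collector"  # constructed
    log = ChainedLog(key)
    log.append({"type": "service_mode_enter", "user": "tech01"})
    log.append({"type": "software_load", "pkg": "xfs-driver-4.2"})
    log.append({"type": "service_mode_exit", "user": "tech01"})
    print(verify_chain(log.entries, key))
    edited = clone_entries(log.entries)
    edited[1]["event"]["pkg"] = "xfs-driver-4.2-unsigned"
    print(verify_chain(edited, key))
```

The caveat a practitioner should note is truncation: dropping the newest records leaves a chain that still verifies, so the current head tag has to be anchored somewhere the ATM cannot reach (the collector, a separate log host, or a periodic signed statement), and verification should be run against that anchor. Deletion under the authorisation described in (d) would then be recorded as its own entry rather than performed by rewriting the file.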

        • OM-5.2.16

          ATMs must incorporate dedicated tampering protection capabilities.

          Added: January 2020

      • ATM Application Management

        • OM-5.2.17

          Banks must ensure that their ATM application management complies with the following:

          (a) The cardholder PIN must be obfuscated on the ATM display and must never be shown in 'clear' mode;
          (b) Sensitive information must not be retained any longer, or used more often, than strictly necessary. The ATM must automatically clear its internal buffers when the transaction is completed or when the ATM has timed out while awaiting a response from the cardholder or host; and
          (c) The display or disclosure of cardholder account information (such as the account number, ID number, address and other personal details) on the ATM screen, on printed receipts or in audio output for visually impaired cardholders must be prevented.

          Added: January 2020

    • OM-5.3 ATM Security Measures: Physical Security for Retail Banks

      • Record Keeping

        • OM-5.3.1

          Banks must record the details of the site risk assessments and retain such records for a period of five years from the date of the ATM installation, or whatever other period required by the Ministry of the Interior or the CBB from time to time, whichever is the longer.

          Added: January 2020

      • Installation of an Off-site ATM in Bahrain

        • OM-5.3.2

          Banks must notify the CBB in writing if they install a new off-site ATM or remove/terminate any of its off-site ATMs.

          Amended: January 2022
          Added: January 2020

        • OM-5.3.3

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

      • General Criteria

        • OM-5.3.4

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

        • OM-5.3.5

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

        • OM-5.3.6

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

        • OM-5.3.7

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

        • OM-5.3.8

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

        • OM-5.3.9

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

        • OM-5.3.10

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

        • OM-5.3.11

          [This Paragraph has been deleted in January 2022].

          Deleted: January 2022
          Added: January 2020

        • OM-5.3.12

          The CBB may, at its sole discretion, require an off-site ATM to be removed/terminated and decommissioned at any time.

          Added: January 2020

      • ATM Alarms

        • OM-5.3.13

          In addition to alarming the premises, banks must alarm the ATM itself, in a way which activates audibly when the ATM is under attack. The system must be monitored by remote signalling to an appropriate local police response designated by the Ministry of Interior. In doing so, banks must consider the following:

          (a) The design of the system must ensure that the ATM has a panic alarm installed;
          (b) The design of the system must give an immediate, system-controlled warning of an attack on the ATM, and all ATMs must be fitted with fully operational fraud detection and inhibiting devices;
          (c) A maintenance record must be kept for the alarm detection system, and routine maintenance must be conducted in accordance with at least the manufacturer's recommendations. The minimum is two planned maintenance visits and tests every six months; and
          (d) The alarm system must be monitored from an Alarm Receiving Centre 24 hours a day. It must automatically generate an alarm signal if the telephone/internet line fails or is cut.

          Added: January 2020

      • Closed-circuit Television (CCTV)

        • OM-5.3.14

          Banks must ensure that ATMs are equipped with closed-circuit television (CCTV). The location of the camera must be carefully chosen so that images of the ATM are recorded while keypad entries are not. The camera must support the detection of alien devices attached to the fascia (external body) and be able to generate an alarm for remote monitoring if it is blocked or otherwise disabled. There must be sensors to detect and alert the bank if the camera has been blocked or tampered with.

          Added: January 2020

        • OM-5.3.15

          For the purposes of Paragraph OM-5.3.14, the location of the camera at drive-thru ATMs must be carefully chosen so that vehicle number plates are clearly captured during both daytime and nighttime.

          Added: January 2020

        • OM-5.3.16

          As a minimum, CCTV activity must be recorded (preferably in digital format) and, where risk dictates, remotely monitored by a third-party Alarm Receiving Centre.

          Added: January 2020

        • OM-5.3.17

          When an ATM is located in an area where a public CCTV system operates, the deployer or agent must liaise with the agency responsible for the CCTV system to include the ATM site in any preset automatic camera settings or to request regular sweeps of the site. The CCTV system must not be able to view the ATM keypad, thereby preventing observation of PIN entry.

          Added: January 2020

        • OM-5.3.18

          Banks must ensure that the specifications of CCTV cameras meet the following minimum requirements:

          (a) Analogue cameras:
              Resolution — minimum 700 TVL
              Lens — vari-focal lens, 2.8 to 12 mm
              Sensitivity — minimum 0.5 lux without infrared (IR), 0 lux with IR
              IR — at least 10 to 20 meters (camera that detects motion)
          (b) IP cameras:
              Resolution — 2 MP (1080p)
              Lens — vari-focal lens, 2.8 to 12 mm
              Sensitivity — minimum 0.5 lux without IR, 0 lux with IR
              IR — at least 10 to 20 meters

          Added: January 2020

        • OM-5.3.19

          Banks must ensure that the following network requirements are met when connecting the bank's CCTV system to the MOI control room:

          (a) The minimum upload speed should be 2 Mbps for each node (ATMs and branches);
          (b) Speed/storage thresholds must not be applied in a manner that introduces network delay; and
          (c) Access must be restricted to authorised personnel.

          Added: January 2020

      • ATM Lighting

        • OM-5.3.20

          Banks must ensure that adequate and effective lighting is operational at all times within the ATM environment. The standard of the proposed lighting must be agreed with the Ministry of the Interior and other relevant authorities, and tested at least once every three months to ensure that the lighting is in good working order.

          Added: January 2020

        • OM-5.3.21

          Banks must ensure that adequate and effective lighting is operational at drive-thru ATMs to enable the CCTV cameras to capture vehicle number plates during both daytime and nighttime.

          Added: January 2020

      • Fire Alarm

        • OM-5.3.22

          Banks must ensure that effective fire alarm and fire defense measures, such as sprinklers, are installed and functioning for all ATMs. These alarms must be linked to the General Directorate of Civil Defense in Bahrain.

          Added: January 2020

      • Cash Replenishment

        • OM-5.3.23

          All cash movements between branches, to and from the CBB, and to off-site ATMs must be performed by specialised service providers.

          Added: January 2020

      • ATM Service/Maintenance

        • OM-5.3.24

          Banks must maintain a record of all maintenance, replenishment and inspection visits by staff or other authorised parties.

          Added: January 2020

        • OM-5.3.25

          The CBB shall conduct inspections of ATM installations, and any non-compliance with the physical security requirements stipulated in this Chapter may lead to suspension of the ATMs concerned and trigger other enforcement measures set out in Module EN.

          Added: October 2022

    • OM-5.4 ATM Security Measures: Additional Measures for Retail Banks

        • OM-5.4.1

          Banks may ensure the adequacy and effectiveness of external security measures throughout the ATM environment through the additional security measures outlined in this Section.

          Added: January 2020

      • Sounders and Flashing Warning Lights

        • OM-5.4.2

          Banks should ensure that street-based ATMs are fitted with an audible alarm sounder and a visual flashing warning light to indicate when the ATM is under attack.

          Added: January 2020

      • Armored Anti-Bandit Shroud

        • OM-5.4.3

          Banks should obtain and act upon advice provided by the Ministry of Interior in respect of protecting the ATM installation with an armored anti-bandit shroud placed around the ATM to prevent bombing or other physical attempts to damage the ATM.

          Added: January 2020

    • OM-5.5 Cyber Security Risk Management

      • Role of the Board

        • OM-5.5.1

          The Board of conventional bank licensees must ensure that the licensee has a robust cyber security risk management policy to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must approve the policy and establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and for the related risk management and recovery processes. Cyber security must be an item for discussion at Board or Board sub-committee meetings.

          Amended: July 2021
          Added: January 2020

        • OM-5.5.2

          The Board of conventional bank licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:

          a) Cyber security strategy;
          b) Cyber security policy; and
          c) Cyber security risk management approach, tools and methodology, and an organisation-wide security awareness program.

          Amended: July 2021
          Added: January 2020

        • OM-5.5.3

          The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is summarised in Appendix C – Cyber security Control Guidelines. At the broader level, the cyber security framework should be consistent with the licensee’s risk management framework.

          Amended: July 2021
          Added: January 2020

        • OM-5.5.4

          Boards should receive comprehensive reports, at every Board meeting, covering cyber security issues such as the following:

          a. Key Risk Indicators/Key Performance Indicators;
          b. Status reports on overall cyber security control maturity levels;
          c. Status of staff information security awareness;
          d. Updates on the latest internal or relevant external cyber security incidents; and
          e. Results from penetration testing exercises.

          Amended: July 2021
          Added: January 2020

        • OM-5.5.5

          The Board must evaluate and approve the cyber security risk management framework for scope coverage, adequacy and effectiveness every three years, or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.

          Amended: July 2021
          Added: January 2020

        • OM-5.5.6

          Conventional bank licensees must establish a cyber security risk function, independent of the information technology (IT) department, which must report to an independent risk management function or an equivalent function within the licensee. The cyber security risk management function must monitor and report on the status and maturity of relevant cyber security controls. Branches of foreign bank licensees must be governed under a framework of cyber security risk management policies which ensures that an adequate level of oversight is exercised by the regional office or head office.

          Amended: July 2021
          Added: January 2020

        • OM-5.5.7

          The Board should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.

          Added: July 2021

        • OM-5.5.8

          The Board must ensure that the cyber security risk management function is headed by a suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the cyber security strategy.

          Added: July 2021

        • OM-5.5.9

          The Board should establish a cyber security committee headed by an independent senior manager from a control function (such as the CFO or CRO), with appropriate authority to approve the policies and frameworks needed to implement the cyber security strategy, and acting as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

          Added: July 2021

    • Role of Senior Management

      • OM-5.5.10

        The senior management must be responsible for the following activities:

        (a) Create the overall cyber security risk management framework and adequately oversee its implementation;
        (b) Formulate a bank-wide cyber security strategy and cyber security policy;
        (c) Implement and consistently maintain an integrated, bank-wide, cyber security risk management framework, and ensure sufficient resource allocation;
        (d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;
        (e) Provide quarterly or more frequent reports to the Board on the current situation with respect to cyber threats and cyber security risk treatment;
        (f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications on the licensee; and
        (g) Ensure that processes for identifying the cyber security risk levels across the organisation are in place and annually evaluated.
        Added: July 2021

      • OM-5.5.11

        The senior management must ensure that:

        (a) The licensee has identified clear internal ownership and classification for all information assets and data;
        (b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;
        (c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls; and
        (d) It provides, and requires cyber security staff to attend, regular cyber security update and training sessions (for example, training towards certifications such as Security+, CEH, CISSP, CISA or CISM) to stay abreast of changing cyber security threats and countermeasures.
        Added: July 2021

      • OM-5.5.12

        With respect to Subparagraph OM-5.5.11(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:

        a) Who has access to the data;
        b) How the data is secured;
        c) How long the data is retained (this includes backups);
        d) What method should be used to dispose of the data;
        e) Whether the data needs to be encrypted; and
        f) What use of the data is appropriate.

        The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.

        Added: July 2021

    • Cyber Security Strategy

      • OM-5.5.13

        A bank-wide cyber security strategy must be defined and documented to include:

        (a) The position and importance of cyber security at the licensee;
        (b) The primary cyber security threats and challenges facing the licensee;
        (c) The licensee’s approach to cyber security risk management;
        (d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;
        (e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;
        (f) Approach to planning response and recovery activities; and
        (g) Approach to communication with internal and external stakeholders including sharing of information on identified threats and other intelligence among industry participants.
        Added: July 2021

      • OM-5.5.14

        The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix C provides cyber security control guidelines that can be used as reference to support the licensee’s cyber security strategy and cyber security policy.

        Added: July 2021

    • Cyber Security Policy

      • OM-5.5.15

        Conventional bank licensees must implement a written cyber security policy setting out their policies for the protection of their electronic systems and the client data stored on those systems. The policy must be reviewed and approved by the licensee’s board of directors or senior management, as appropriate, at least annually. The cyber security policy must address, at a minimum, the following areas:

        (a) Definition of the key cyber security activities within the licensee, and the roles, responsibilities, delegated powers and accountability for these activities;
        (b) A statement of the licensee’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;
        (c) Definition of the main cyber security processes and measures and the approach to their control and assessment; and
        (d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls, including the following:
        i. Asset management (hardware and software);
        ii. Incident management (detection and response);
        iii. Vulnerability management;
        iv. Configuration management;
        v. Access management;
        vi. Third party management;
        vii. Secure application development;
        viii. Secure change management;
        ix. Cyber training and awareness;
        x. Cyber resilience (business continuity and disaster planning); and
        xi. Secure network architecture.
        Added: July 2021

    • Approach, Tools and Methodology

      • OM-5.5.16

        Conventional bank licensees must ensure that the cyber security policy is effectively implemented through a consistent risk-based approach using tools and methodologies that are commensurate with the size and risk profile of the licensee. The approach, tools and methodologies must cover all cyber security functions and controls defined in the cyber security policy.

        Added: July 2021

      • OM-5.5.17

        Licensees should establish and maintain plans, policies, procedures, processes and tools (“playbooks”) that provide well-defined, organised approaches for cyber incident response and recovery activities, including criteria for activating the measures set out in the plans and playbooks so as to expedite the organisation’s response time. Plans and playbooks should be developed in consultation with business lines to ensure business recovery objectives are met, and should be approved by senior management before being shared broadly across the licensee. They should be reviewed and updated regularly to incorporate improvements and/or changes in the organisation. Licensees may enlist external subject matter experts to review complex and technical content in the playbooks, where appropriate. A number of plans and playbooks should be developed for specific purposes (e.g. response, recovery, contingency, communication) that align with the overall cyber security strategy.

        Added: July 2021

    • Prevention Controls

      • OM-5.5.18

        A conventional bank licensee must develop and implement preventive measures across all relevant technologies to minimise the licensee’s exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:

        (a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response including anti-virus software and anti-malware programs to detect, prevent, and isolate malicious code;
        (b) Data leakage prevention solutions to detect and prevent confidential data from leaving the licensee’s technology environment;
        (c) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF) for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
        (d) Rigorous security testing at software development stage as well as after deployment to limit the number of vulnerabilities;
        (e) Use of Privileged Access Management (PAM) to secure, control, manage and monitor privileged access to critical assets;
        (f) Use of a secure email gateway to limit email based cyber attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);
        (g) Use of a Secure Web Gateway to limit browser based cyber-attacks, malicious websites and enforce organization policies;
        (h) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems;
        (i) Use of mobile device management solutions, including implementing Bring Your Own Device (“BYOD”) security policies, to secure all mobile devices with any access to bank systems, applications and networks through security measures such as encryption, remote wipe capabilities and password enforcement;
        (j) Network access control to secure physical network ports against connection by computers which are not authorised to connect to the licensee’s network or which do not meet the minimum security requirements defined for licensee computer systems; and
        (k) Identity and access management solutions to limit the exploitation and monitor the use of privileged and non-privileged accounts.
        Added: July 2021

      • OM-5.5.19

        Conventional bank licensees must set up anti-spam and anti-spoofing measures that authenticate the licensee’s mail servers and prove to ISPs, mail services and other receiving mail servers that the sending hosts are genuinely authorised to send email for the licensee’s domain. Examples of such measures include:

        • SPF (Sender Policy Framework), which publishes in DNS the hosts authorised to send mail for the domain;
        • DKIM (DomainKeys Identified Mail), which signs outgoing messages with a key published in DNS; and
        • DMARC (Domain-based Message Authentication, Reporting and Conformance), which tells receivers what to do with mail that fails SPF or DKIM alignment and where to send reports.
        Added: July 2021
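The following is an added worked example, not part of the Rulebook, showing the checks a licensee can run against its own SPF, DKIM and DMARC records before relying on them. The three record strings at the bottom are constructed samples (placeholder domains, documentation address space, a zero-filled key of the right length rather than a real key); in practice the values would be fetched from DNS for the licensee’s domain and DKIM selector. The thresholds encode RFC 7208’s ten-lookup limit and the DER length of a 2048-bit RSA public key; the wording of the findings is this example’s own.

```python
"""Offline sanity checks for the SPF, DKIM and DMARC TXT records a domain publishes.

Added example; the record strings are constructed samples, not live DNS data.
"""
import base64
import re

# RFC 7208 s4.6.4: these terms each cost a DNS lookup, and an SPF record that
# needs more than 10 of them evaluates to permerror (i.e. gives no protection).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
RSA_2048_SPKI_DER_LEN = 294  # bytes in a DER SubjectPublicKeyInfo for a 2048-bit RSA key


def check_spf(record: str) -> list[str]:
    """Return findings for one SPF record; an empty list means it passes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or does not start with v=spf1"]
    findings = []
    # The 'all' mechanism decides what receivers do with hosts that are not listed.
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        findings.append("no 'all' mechanism: senders not listed are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{all_terms[-1]}' lets any host send as the domain; use -all")
        elif qualifier == "~":
            findings.append("~all (softfail) only marks mail; move to -all once DMARC reports are clean")
    lookups = 0
    for t in terms:
        m = re.match(r"[+\-~?]?([a-z]+)", t, re.I)
        if m and m.group(1).lower() in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a _dmarc.<domain> TXT record; empty list means it passes."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains spoofable regardless of p=")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: only part of the failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    return findings


def check_dkim(record: str) -> list[str]:
    """Return findings for a <selector>._domainkey.<domain> TXT record."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional in DKIM, but if present must be DKIM1
        findings.append("v= tag present but not DKIM1")
    key_b64 = tags.get("p", "")
    if not key_b64:
        findings.append("empty p= tag: the selector's key is revoked, signed mail will fail")
        return findings
    try:
        key_der = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return findings + ["p= value is not valid base64"]
    if tags.get("k", "rsa").lower() == "rsa" and len(key_der) < RSA_2048_SPKI_DER_LEN:
        findings.append("RSA key shorter than 2048 bits; rotate the selector to a 2048-bit key")
    return findings


# Constructed sample records (placeholder domains; 203.0.113.0/24 is documentation
# address space; the DKIM p= value is a zero-filled placeholder of 2048-bit length).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example mx -all"
DMARC_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@bank.example; fo=1"
DKIM_RECORD = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    for name, fn, rec in (("SPF", check_spf, SPF_RECORD),
                          ("DMARC", check_dmarc, DMARC_RECORD),
                          ("DKIM", check_dkim, DKIM_RECORD)):
        print(name, fn(rec) or "OK")
```

The checks only inspect what is published; they do not verify that outbound mail is actually signed with the DKIM key or that the sending hosts match the SPF record, which is what DMARC aggregate (rua) reports from receivers show over time.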

      • OM-5.5.20

        Conventional bank licensees should subscribe to a cyber threat intelligence service in order to stay abreast of emerging cyber threats, cybercrime actors, and state of the art tools and security measures.

        Added: July 2021

      • OM-5.5.21

        Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers, licensees must comply with the following requirements:

        (a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions etc;
        (b) Refrain from using shortened links in communication with customers;
        (c) Implement one or more of the following measures for links sent to customers:
        i. ensure customers receive clear instructions in communications sent with the links;
        ii. prior notification to the customer such as through a phone call informing the customer to expect a link from the licensee;
        iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;
        iv. use of other verification measures like password or biometric authentication; and
        (d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.
        Amended: October 2022
        Added: July 2021

      • OM-5.5.21A

        For the purpose of Paragraph OM-5.5.21, subject to CBB’s approval, licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:

        (a) Head/regional office of a licensee; and
        (b) Third-party service providers subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).
        Added: October 2022
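As an added worked example (not part of the Rulebook), the check below is the kind of pre-send gate a licensee can put in front of its SMS, WhatsApp and email gateways to enforce Paragraphs OM-5.5.21 and OM-5.5.21A: links must sit under the single unified domain (or a domain approved under OM-5.5.21A), shortened links are refused, and a link in a short message is only allowed when the sending system asserts that the customer initiated the flow. The domain names, the list of shorteners, the approved third-party domain and the sample messages are all constructed for the example; `BANK_DOMAIN` stands for the licensee’s own domain. Two of the constructed messages show why the host check matches on a label boundary and on the real hostname: `bank.example.evil.net` and `https://bank.example@evil.net/` both display the bank’s name but resolve elsewhere.

```python
"""Pre-send policy check for links in outbound customer messages.

Added example: domain names, shortener list and messages are constructed.
BANK_DOMAIN is the licensee's single unified domain; APPROVED_THIRD_PARTY_DOMAINS
stands for domains approved under OM-5.5.21A.
"""
import re
from urllib.parse import urlsplit

BANK_DOMAIN = "bank.example"
APPROVED_THIRD_PARTY_DOMAINS = {"sign.example-docs.net"}  # placeholder e-signature provider
SHORT_MESSAGE_CHANNELS = {"sms", "whatsapp"}
# Public shorteners: the customer cannot see where the link leads before clicking.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly", "is.gd"}
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.I)


def host_of(url: str) -> str:
    """Hostname of a URL as a browser resolves it (userinfo and port stripped)."""
    if url.lower().startswith("www."):
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    """Suffix match on a label boundary: 'login.bank.example' is under
    'bank.example'; 'bank.example.evil.net' and 'notbank.example' are not."""
    return host == domain or host.endswith("." + domain)


def allowed_host(host: str) -> bool:
    return any(under_domain(host, d) for d in {BANK_DOMAIN} | APPROVED_THIRD_PARTY_DOMAINS)


def check_outbound_message(channel: str, text: str, customer_initiated: bool) -> list[str]:
    """Return policy violations for one message; an empty list means it may be sent.

    `customer_initiated` is asserted by the calling system (an onboarding or
    payment flow the customer started), never inferred from the message text.
    """
    findings = []
    urls = [u.rstrip(".,;:)!") for u in URL_RE.findall(text)]
    if urls and channel.lower() in SHORT_MESSAGE_CHANNELS and not customer_initiated:
        findings.append("unsolicited link in a short message")
    for url in urls:
        host = host_of(url)
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link: {url}")
        elif not allowed_host(host):
            findings.append(f"link to non-bank host: {host}")
        if url.lower().startswith("http://"):
            findings.append(f"plaintext http link: {url}")
    return findings


# Constructed messages: the first two mirror the customer-initiated cases in OM-5.5.21(a).
SAMPLE_MESSAGES = [
    ("sms", "Confirm your mobile number at https://onboard.bank.example/verify?ref=8f3a", True),
    ("whatsapp", "Pay BHD 12.500 to Example Grocers: https://pay.bank.example/req/91b2", True),
    ("sms", "Your card is blocked, unblock now: https://bit.ly/3abcXYZ", False),
    ("email", "Log in at https://bank.example.evil.net/login to review the alert.", True),
    ("email", "Your statement: https://bank.example@evil.net/statement", True),
    ("email", "Sign at https://sign.example-docs.net/envelope/77 (prior arrangement)", True),
]

if __name__ == "__main__":
    for channel, text, initiated in SAMPLE_MESSAGES:
        print(channel, check_outbound_message(channel, text, initiated) or "OK")
```

The gate is deliberately deny-by-default on the host: anything that is not the bank’s domain, one of its subdomains, or an explicitly approved third-party domain is refused, so a new campaign domain has to be added to the allow-list (and go through the OM-5.5.21A approval) rather than slipping through.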

    • Cyber Risk Identification and Assessments

      • OM-5.5.22

        Conventional bank licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing the current cyber threats relevant to the licensee, the licensee should take into account the factors detailed below:

        (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
        (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
        (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
        (d) Dark web surveillance to identify any plot for cyber attacks;
        (e) Examples of cyber threats from past cyber attacks on the licensee if available; and
        (f) Examples of cyber threats from recent cyber attacks on other organisations.
        Added: July 2021

      • OM-5.5.23

        Conventional bank licensees must conduct periodic assessments of the maturity, coverage and effectiveness of all cyber security controls. Cyber security control assessments must include an analysis of the controls’ effectiveness in reducing the likelihood of a successful attack.

        Added: July 2021

      • OM-5.5.24

        Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

        Added: July 2021

      • OM-5.5.25

        Conventional bank licensees must conduct regular technical assessments to identify potential security vulnerabilities in systems, applications and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology and connections with third parties. Preferably, assessments are conducted monthly for internal technology and weekly or more frequently for external public-facing services and systems.

        Added: July 2021

      • OM-5.5.26

        With respect to Paragraph OM-5.5.25, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

        Added: July 2021

      • OM-5.5.27

        Conventional bank licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

        Added: July 2021

      • OM-5.5.28

        All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

        (a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
        (b) Include both Grey Box and Black Box testing in its scope;
        (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
        (d) Be performed by internal and external independent third parties which should be changed at least every two years; and
        (e) Be performed on either the production environment or on non-production exact replicas of the production environment.
        Added: July 2021

      • OM-5.5.29

        CBB may require additional red teaming exercises to be performed as needed. A red team is a group of ethical hackers with varying backgrounds who test the organisation’s blue team’s threat response activity. The red team may attack on three fronts: cyber, social (attacks on people’s behaviour) and physical (attacks on the organisation’s physical facilities and/or third-party premises). A red teaming exercise is like a penetration test in many ways but is more targeted. The goal is not to find as many vulnerabilities as possible; the goal is to test the organisation’s detection and response capabilities. The red team will try to get in and access sensitive information in any way possible, as quietly as possible.

        Added: July 2021

      • OM-5.5.30

        Where licensees have been required to conduct a red teaming exercise the results of such an exercise must be provided to CBB within one month of the completion of the exercise together with a comprehensive plan to address any observed weaknesses.

        Added: July 2021

    • Cyber Incident Detection and Management

      • OM-5.5.31

        Conventional bank licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a Security Information & Event Management “SIEM” system.

        Added: July 2021

      • OM-5.5.32

        Licensees should consider the adequacy of the SIEM, bearing in mind that it should receive data on a real-time basis from all relevant systems, applications and network devices, including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiating alerts, reports and response activities based on the defined cyber security incident management process.

        Added: July 2021

      • OM-5.5.33

        Licensees should retain the logs and other information from the SIEM that are used for detecting cyber incidents, including “low-and-slow” attacks, for 5 years or longer in order to facilitate incident investigations.

        Added: July 2021

      • OM-5.5.34

        Once a cyber incident is detected, licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.

        Added: July 2021

      • OM-5.5.35

        Conventional bank licensees must establish a Security Operations Centre (SOC) that is tailored to the needs of the licensee to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and customers. Log collection and SIEM monitoring capabilities must be built into the SOC. The SOC must maintain the licensee’s asset inventory and network diagrams.

        Added: July 2021

      • OM-5.5.36

        Conventional bank licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the SIEM system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.

        Added: July 2021

      • OM-5.5.37

        The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.

        Added: July 2021

      • OM-5.5.38

        Conventional bank licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph OM-5.5.57 for the requirement to report to CBB.

        Added: July 2021

      • OM-5.5.39

        Conventional bank licensees should clearly assign the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals who meet the prerequisite role requirements. Potential conflicts of interest should be minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:

        Incident Owner: An individual that is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.
        Spokesperson: An individual, from External Communications Unit or another suitable department, that is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the organisation’s management to update the internal and external stakeholders with consistent information.
        Record Keeper: An individual that is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record serves as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.
        Added: July 2021

      • OM-5.5.40

        For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.

        Added: July 2021

      • OM-5.5.41

        Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, the licensee should maintain an “incident log” in which all the notifications, decisions and actions taken in relation to cyber incidents are documented, as close as possible to the time of their occurrence. It should also include the status of the issue, whether it is open or has been resolved, and the person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.

        Added: July 2021

      • OM-5.5.42

        Licensees should utilise a pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions, and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, the following taxonomies can be used when describing cyber incidents:

        (a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action);
        (b) Describe whether the cyber incident was due to a third-party service provider;
        (c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink);
        (d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media);
        (e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation);
        (f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident);
        (g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic); and
        (h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state).

        The cyber incident severity may be classified as:

        (a) Severity 1 incident has or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the licensee.
        (b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.
        (c) Severity 3 incident has little or no impact to critical services and there is no visible impact on public confidence in the licensee.
        Added: July 2021

      • OM-5.5.43

        Licensees should determine the effects of the cyber incident on customers and on the wider banking system as a whole, and report the results of such an assessment to CBB if it is determined that the cyber incident may have a systemic impact. Licensees may also share non-sensitive information on cyber incidents, effective cyber security strategies and risk management practices through a Malware Information Sharing Platform (MISP). Technical information, such as Indicators of Compromise (IoCs) or vulnerabilities exploited, can be shared through MISP.

        Added: July 2021

      • OM-5.5.44

        Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:

        1. Metrics to measure impact of a cyber incident:
        (a) Duration of unavailability of critical functions and services;
        (b) Number of stolen records or affected accounts;
        (c) Volume of customers impacted;
        (d) Amount of lost revenue due to business downtime, including both existing and future business opportunities;
        (e) Percentage of service level agreements breached.
        2. Performance metrics for incident management:
        (a) Volume of incidents detected and responded via automation;
        (b) Dwell time (i.e. the duration a threat actor has undetected access until completely removed);
        (c) Recovery Point objectives (RPO) and recovery time objectives (RTO) satisfied.
        Added: July 2021

    • Recovery

      • OM-5.5.45

        Conventional bank licensees must identify the critical systems and services within their operating environment that must be recovered on a priority basis in order to provide a certain minimum level of service during downtime, and determine how much time the licensee will require to return to full service and operations.

        Added: July 2021

      • OM-5.5.46

        Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:

        a) Financial situation;
        b) Reputation;
        c) Regulatory, legal and contractual obligations; and
        d) Operational aspects and delivery of key products and services.
        Added: July 2021

      • OM-5.5.47

        Conventional bank licensees must define a program for recovery activities for the timely restoration of any capabilities or services that were impaired due to a cyber security incident. Licensees must establish recovery time objectives (“RTOs”), i.e. the time within which the affected process is to be recovered, and recovery point objectives (“RPOs”), i.e. the point in time to which the information used must be restored to enable the activity to operate on resumption. Licensees must also consider the need for communication with third party service providers, customers and other relevant external stakeholders as may be necessary.

        Added: July 2021

      • OM-5.5.48

        Conventional bank licensees must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.

        Added: July 2021

      • OM-5.5.49

        Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases, licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and customers.

        Added: July 2021

      • OM-5.5.50

        Conventional bank licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "table top" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.

        Added: July 2021

      • OM-5.5.51

        Conventional bank licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.

        Added: July 2021

      • OM-5.5.52

        A conventional bank licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident.

        Added: July 2021

    • Cyber Security Insurance

      • OM-5.5.53

        Conventional bank licensees must arrange to seek cyber risk insurance cover from a suitable insurer, following a risk-based assessment of cyber security risk undertaken by the licensee and independently verified by the insurance company. The insurance policy may include some or all of the following types of coverage, depending on the risk assessment outcomes:

        (a) Crisis management expenses, such as the costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, and costs to analyse the insured’s legal response obligations;
        (b) Claim expenses, such as the costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations; and
        (c) Liability coverage for a variety of torts, including invasion of privacy or copyright infringement. First-party coverages may include lost revenue due to interruption of data systems resulting from a cyber or denial of service attack, and other costs associated with the loss of data collected by the insured.
        Added: July 2021

    • Training and Awareness

      • OM-5.5.54

        Conventional bank licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.

        Added: July 2021

      • OM-5.5.55

        The licensee must ensure that all employees receive adequate training on a regular basis in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber attack scenarios. All relevant employees must be informed of current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.

        Added: July 2021

      • OM-5.5.56

        The conventional bank licensees must ensure that role-specific cyber security training is provided on a regular basis to relevant staff including:

        (a) Executive board and senior management;
        (b) Cyber security roles;
        (c) IT staff; and
        (d) Any high-risk staff as determined by the licensee.

        Added: July 2021

    • Reporting to CBB

      • OM-5.5.57

        Upon occurrence or detection of any cyber security incident, whether internal or external, that compromises customer information or disrupts critical services that affect operations, conventional bank licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix OM-1) to CBB’s cyber incident reporting email, incident.retail@cbb.gov.bh (for retail banks) or incident.wholesale@cbb.gov.bh (for wholesale banks), within two hours.

        Amended: April 2022
        Added: July 2021

      • OM-5.5.58

        Following the submission referred to in Paragraph OM-5.5.57, the licensee must submit to CBB Section B of the Cyber Security Incident Report (Appendix OM-1) within 10 calendar days of the occurrence of the cyber security incident. Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and customers, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.

        Amended: April 2022
        Added: July 2021

      • OM-5.5.59

        With regard to the submission requirement mentioned in Paragraph OM-5.5.58, the licensee should submit the report with as much information as possible even if all the details have not yet been obtained.

        Added: July 2021

      • OM-5.5.60

        The comprehensive cyber security incident report referred to in Paragraph OM-5.5.58 should include the following details:

        (a) Date and time of discovery of the incident;
        (b) Time elapsed from detection to restoration of critical services;
        (c) Who discovered the incident (e.g. third-party service provider, customer, employee);
        (d) Type of cyber incident (e.g. DDoS, malware, intrusion/unauthorised access, hardware/firmware failure, system software bugs);
        (e) Impact of the incident (e.g. impact to availability of services, loss of confidential information) including financial, legal and reputational impact and to which group of stakeholders (e.g. retail and corporate customers, settlement institutions, service providers);
        (f) Affected systems and technical details of the incident (e.g. source IP address and port, IOCs, tactics, techniques and procedures (TTPs));
        (g) Root cause analysis; and
        (h) Actions taken:
        • Escalation steps taken;
        • Stakeholders informed;
        • Response and recovery activities;
        • Lessons learnt.

        Added: July 2021

      • OM-5.5.61

        The penetration testing report as per Paragraph OM-5.5.28, along with the steps taken to mitigate the risks, must be maintained by the licensee for a five-year period from the date of the report and must be provided to CBB within two months following the end of the month in which the testing took place, i.e. for a June test, the report must be submitted at the latest by 31st August and for a December test, by 28th February.

        Amended: April 2022
        Added: July 2021