• Role of Senior Management

    • OM-5.5.10

      The senior management must be responsible for the following activities:

      (a) Create the overall cyber security risk management framework and adequately oversee its implementation;
      (b) Formulate a bank-wide cyber security strategy and cyber security policy;
      (c) Implement and consistently maintain an integrated, bank-wide, cyber security risk management framework, and ensure sufficient resource allocation;
      (d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;
      (e) Provide quarterly or more frequent reports to the Board on the current situation with respect to cyber threats and cyber security risk treatment;
      (f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications for the licensee; and
      (g) Ensure that processes for identifying the cyber security risk levels across the organisation are in place and annually evaluated.
      Added: July 2021

      • OM-5.5.11

        The senior management must ensure that:

        (a) The licensee has identified clear internal ownership and classification for all information assets and data;
        (b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;
        (c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls;
        (d) It provides and requires cyber security staff to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM) to stay abreast of changing cyber security threats and countermeasures.
        Added: July 2021

        • OM-5.5.12

          With respect to Subparagraph OM-5.5.11(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:

          a) Who has access to the data;
          b) How the data is secured;
          c) How long the data is retained (this includes backups);
          d) What method should be used to dispose of the data;
          e) Whether the data needs to be encrypted; and
          f) What use of the data is appropriate.

          The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.

          Added: July 2021