• Roles and Responsibilities of the Management

    • CRA-5.8.4

      The management is responsible for:

      (a) Establishing and implementing cyber security policies and procedures that are commensurate with the level of cyber security risk exposure and its impact on the licensee. These policies and procedures must take into account the following:
          (i) The sensitivity and confidentiality of data which the licensee maintains;
          (ii) Vulnerabilities of the licensee's information systems and operating environment across the licensee; and
          (iii) The existing and emerging cyber security threats.
      (b) ensuring that employees, agents (where relevant) and third party service providers are aware of and understand the cyber security risk policies and procedures, the possible impact of various cyber security threats and their respective roles in managing such threats;
      (c) recommending to the board appropriate strategies and measures to manage cyber security risk, including making necessary changes to existing policies and procedures, as appropriate; and
      (d) reporting to the board any cyber security breaches and periodically updating the board on emerging cyber security threats and their potential impact on the entity.
      Amended: April 2023
      Amended: January 2020
      Added: April 2019

    • CRA-5.8.4A

      Management must ensure that:

      (a) The licensee has identified clear internal ownership and classification for all information assets and data;
      (b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;
      (c) Employees responsible for cyber security are adequate to manage the licensee's cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls; and
      (d) It provides and requires employees involved in cyber security to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.
      Added: April 2023

    • CRA-5.8.4B

      With respect to Paragraph CRA-5.8.4A(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects should be determined:

      (a) Who has access to the data;
      (b) How the data is secured;
      (c) How long the data is retained (this includes backups);
      (d) What method should be used to dispose of the data;
      (e) Whether the data needs to be encrypted; and
      (f) What use of the data is appropriate.

      The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. The owner of data (i.e. the relevant business function) should be involved in such classification.

      Added: April 2023