CRA-5.3 Security Measures and Procedures
CRA-5.3.1
Licensees must have measures and procedures in place which comply with network security best practices (e.g., the implementation of firewalls, the regular changing of passwords and encryption of data in transit and at rest). Updates and patches to all systems, particularly security systems, must be performed as soon as safely feasible after such updates and patches have been released.
Added: April 2019
CRA-5.3.2
The IT infrastructures must provide strong layered security and ensure elimination of "single points of failure".
Licensees must maintain IT infrastructure security policies, describing in particular how strong layered security is provided and how "single points of failure" are eliminated. IT infrastructures must be strong enough to resist, without significant loss to clients, a number of scenarios, including but not limited to: accidental destruction or breach of a single facility, collusion or leakage of information by employees/former employees within a single office premise, successful hack of a cryptographic module or server, or access by hackers of any single set of encryption/decryption keys.
Added: April 2019
CRA-5.3.3
Licensees must regularly test security systems and processes. System components, processes, and custom software must be tested frequently to ensure security controls continue to reflect a changing environment.
Added: April 2019
CRA-5.3.4
Licensees must have in place policies and procedures that address information security for all staff; such policies set the security tone for the whole entity and inform staff what is expected of them. All staff should be aware of the sensitivity of data and their responsibilities for protecting it.
Amended: April 2023
Added: April 2019
CRA-5.3.5
The encryption of data, both at rest and in transit, including consideration of API security (e.g. OAuth 2.0) should be included in the security policy. In particular, encryption and decryption of crypto-asset private keys should utilise encryption protocols, or use alternative algorithms that have broad acceptance with cyber security professionals. Critical cryptographic functions such as encryption, decryption, generation of private keys, and the use of digital signatures should only be performed within cryptographic modules complying with the highest, and ideally internationally recognised, applicable security standards.
Amended: April 2023
Added: April 2019
CRA-5.3.6
Licensees must conduct regular security tests of their systems, network, and connections.
Amended: January 2020
Added: April 2019
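The following is an added illustration of the requirement in CRA-5.3.5 that crypto-asset private keys be encrypted at rest with broadly accepted algorithms and that key operations stay inside a cryptographic module. It is example code written for this page, not part of the CBB Rulebook or any licensee's system. The KeyVault type is a hypothetical stand-in for a hardware security module: the key encryption key is generated inside it and is never returned to callers, private keys are wrapped with AES-256-GCM, and the key identifier is bound as associated data so that a wrapped key cannot be silently relabelled or modified on disk. The sample private key and key identifier are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault models the boundary of a cryptographic module (hypothetical type for
// this example). In production the KEK would live inside an HSM; here it is held
// in process memory only so the example runs stand-alone.
type KeyVault struct {
	kek []byte // 32 random bytes -> AES-256
}

// NewKeyVault generates the key encryption key inside the module boundary.
func NewKeyVault() (*KeyVault, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyVault{kek: kek}, nil
}

// WrappedKey is the record persisted at rest: ciphertext (with the GCM
// authentication tag), the per-wrap nonce, and the key identifier that was
// authenticated as associated data.
type WrappedKey struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func (v *KeyVault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts a crypto-asset private key for storage. A fresh random nonce is
// drawn for every call; reusing a nonce under the same KEK would break GCM.
func (v *KeyVault) Wrap(keyID string, privateKey []byte) (*WrappedKey, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, privateKey, []byte(keyID))
	return &WrappedKey{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Unwrap decrypts inside the module and fails closed if the ciphertext, nonce
// or key identifier has been altered since wrapping.
func (v *KeyVault) Unwrap(w *WrappedKey) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(w.KeyID))
	if err != nil {
		return nil, errors.New("wrapped key failed authentication")
	}
	return pt, nil
}

// RoundTripCheck exercises the vault with a constructed sample key and reports
// whether the key round-trips, whether a tampered ciphertext is rejected, and
// whether a relabelled (different KeyID) record is rejected.
func RoundTripCheck() (match, tamperRejected, relabelRejected bool, err error) {
	vault, err := NewKeyVault()
	if err != nil {
		return false, false, false, err
	}
	sample := bytes.Repeat([]byte{0x42}, 32) // constructed placeholder, not a real key
	w, err := vault.Wrap("wallet-key-0001", sample)
	if err != nil {
		return false, false, false, err
	}
	pt, err := vault.Unwrap(w)
	if err != nil {
		return false, false, false, err
	}
	match = bytes.Equal(pt, sample)

	tampered := &WrappedKey{KeyID: w.KeyID, Nonce: w.Nonce, Ciphertext: append([]byte(nil), w.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01 // flip one bit of the stored ciphertext
	_, errTamper := vault.Unwrap(tampered)

	relabelled := &WrappedKey{KeyID: "wallet-key-0002", Nonce: w.Nonce, Ciphertext: w.Ciphertext}
	_, errRelabel := vault.Unwrap(relabelled)

	return match, errTamper != nil, errRelabel != nil, nil
}

func main() {
	match, tamper, relabel, err := RoundTripCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("round-trip ok: %v, tamper rejected: %v, relabel rejected: %v\n", match, tamper, relabel)
}
```

The design point relative to CRA-5.3.5 is the boundary: callers hand the module a key to wrap and get back only an opaque record, and decryption never exposes the KEK. Binding the key identifier as associated data also gives a detection hook, since any attempt to swap records between wallets surfaces as an authentication failure rather than a wrong key being used silently.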