Prevention
CRA-5.8.8
A licensee must conduct regular assessments as part of the licensee's compliance programme to identify potential vulnerabilities and cyber security threats in its operating environment which could undermine the security, confidentiality, availability and integrity of its information assets, systems and networks.
Amended: January 2020
Added: April 2019

CRA-5.8.9
The assessment of the vulnerabilities of the licensee's operating environment must be comprehensive, covering potential vulnerabilities relating to personnel, third parties with which the licensee deals, the systems and technologies adopted, business processes and outsourcing arrangements.
Added: April 2019

CRA-5.8.10
A licensee must develop and implement preventive measures to minimise the licensee's exposure to cyber security risk.
Added: April 2019

CRA-5.8.11
Preventive measures referred to in Paragraph CRA-5.8.10 above must include, at a minimum, the following:
(a) Deployment of End Point Protection (EPP) and End Point Detection and Response (EDR), including anti-virus and anti-malware software, to detect, prevent and isolate malicious code;
(b) Layering of systems and system components;
(c) Use of firewalls for network segmentation, including use of Web Application Firewalls (WAF), where relevant, to filter and monitor HTTP traffic between a web application and the Internet, and access control lists to limit unauthorised system access between network segments;
(d) Rigorous testing at the software development stage as well as after deployment to limit the number of vulnerabilities;
(e) Penetration testing of existing systems and networks;
(f) Use of an authority matrix to limit privileged internal or external access rights to systems and data;
(g) Use of a secure email gateway to limit email-based cyber attacks such as malware attachments, malicious links and phishing scams (for example, use of Microsoft Office 365 Advanced Threat Protection tools for email);
(h) Use of a Secure Web Gateway to limit browser-based cyber attacks and malicious websites and to enforce organisation policies;
(i) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorised to be present or active on the organisation's systems; and
(j) Implementing Bring Your Own Device ("BYOD") security policies to secure all mobile devices with any access to licensee systems, applications and networks, through security measures such as encryption, remote wipe capabilities and password enforcement.
Amended: April 2023
Added: April 2019

CRA-5.8.11A
Licensees should also implement the following prevention controls in the following areas:
(a) Data leakage prevention, to detect and prevent confidential data from leaving the licensee's technology environment;
(b) Controls to secure physical network ports against connection by computers that are not authorised to connect to the licensee's network or that do not meet the minimum security requirements defined for licensee computer systems (e.g. network access control); and
(c) Identity and access management controls to limit the exploitation, and monitor the use, of privileged and non-privileged accounts.
Added: April 2023

CRA-5.8.11B
Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee's mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorised to send the email. Examples of such measures include:
(a) SPF ("Sender Policy Framework"), a DNS record listing the hosts authorised to send mail for the domain;
(b) DKIM ("DomainKeys Identified Mail"), a signature on outbound messages that receivers verify against a public key published in DNS; and
(c) DMARC ("Domain-based Message Authentication, Reporting and Conformance"), a DNS record telling receivers how to treat mail that fails SPF/DKIM alignment with the From: domain and where to send reports.
Added: April 2023

CRA-5.8.11C
Licensees should subscribe to a Cyber Threat Intelligence service in order to stay abreast of emerging cyber threats, cybercrime actors and state-of-the-art tools and security measures.
Added: April 2023

CRA-5.8.11D
Licensees must use a single unified private email domain, or its subdomains, for communication with clients to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with clients. The email domains must comply with the requirements of Paragraph OM-5.8.11B with respect to SPF, DKIM and DMARC.
Added: April 2023

CRA-5.8.11E
For the purpose of Paragraph CRA-5.8.11D, licensees with subsidiaries or branches outside Bahrain will be allowed to use additional domains, subject to CBB's review. Licensees may also be allowed, subject to CBB's review, to have their clients receive emails from third-party service providers for specific services offered by such third parties, provided the clients were informed of and agreed to such an arrangement. Examples of such third-party services include informational subscription services and document management services.
Added: April 2023

CRA-5.8.11F
Licensees must comply with the following requirements with respect to URLs or other clickable links in communications with clients:
(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of a client request or action. Examples of such client actions include verification links for client onboarding and payment links for client-initiated transactions;
(b) Refrain from using shortened links in communication with clients;
(c) Implement measures to allow clients to verify the legitimacy of the links, which may include:
(i) clear instructions on the licensee's website/app where the link is sent as a result of client action on the licensee's website/app;
(ii) communication with the client, such as a phone call informing the client to expect a link from the licensee;
(iii) provision of transaction details, such as the transaction amount and merchant name, in the message sent to the client with the link; and
(iv) use of other verification measures such as OTP, password or biometric authentication; and
(d) Create client awareness campaigns to educate clients on the risk of fraud related to links they receive in SMS, short messages and emails, with clear instructions that licensees will not send clickable links in SMS, emails or other short messages to request information or payments unless as a result of a client request or action. Licensees may also train their clients by sending simulated phishing messages.
Added: April 2023

CRA-5.8.12
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019

CRA-5.8.13
[This Paragraph was deleted in April 2023].
Deleted: April 2023
Added: April 2019
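CRA-5.8.11B and CRA-5.8.11D above require SPF, DKIM and DMARC on the licensee's client-facing email domains, but a record can exist and still leave the domain spoofable (SPF ending in "?all", DMARC with "p=none", a DKIM key in testing mode). The following is an added example written for this page, not text or a tool from the CBB Rulebook: a Python script that parses the three DNS TXT records offline and flags settings that do not enforce. The records are constructed samples using the reserved documentation domain example.com and the 203.0.113.0/24 documentation address block; the DKIM public key value is a shortened placeholder; and the pass criteria (SPF "-all", DMARC "p=" and "sp=" of quarantine or reject at "pct=100", a "rua=" reporting address) are this editor's reading of what "truly authorised to send" requires, not criteria stated by the CBB.

```python
"""Offline check of SPF, DKIM and DMARC TXT records (added example, not CBB text).

In practice the three values are fetched with a DNS resolver from:
  <domain>                         TXT  (SPF)
  <selector>._domainkey.<domain>   TXT  (DKIM public key)
  _dmarc.<domain>                  TXT  (DMARC policy)
The sample records below are constructed for illustration.
"""

# RFC 7208 caps DNS-querying SPF terms at 10 per evaluation; more yields permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return {'mechanisms', 'all', 'lookups'} for an SPF record, or None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier, lookups = [], None, 0
    for term in txt.split()[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip ":value", "=value" and "/cidr" to get the bare mechanism name
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
        mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def parse_tags(txt, version):
    """Parse a 'tag=value; tag=value' record (DKIM or DMARC); None if v= does not match."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != version:
        return None
    return tags


def assess(spf_txt, dkim_txt, dmarc_txt):
    """Return a list of findings; an empty list means all three records enforce."""
    findings = []

    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("SPF: no record")
    else:
        if spf["all"] is None:
            findings.append("SPF: no 'all' term, unlisted senders are not rejected")
        elif spf["all"] == "+":
            findings.append("SPF: '+all' passes any sender")
        elif spf["all"] == "?":
            findings.append("SPF: '?all' is neutral, unlisted senders are not rejected")
        elif spf["all"] == "~":
            findings.append("SPF: '~all' is softfail; use '-all' once DMARC enforces")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} DNS lookups exceed the limit of 10")

    dkim = parse_tags(dkim_txt, "DKIM1")
    if dkim is None:
        findings.append("DKIM: no key record for the selector")
    else:
        if not dkim.get("p"):
            findings.append("DKIM: empty p= means the key is revoked")
        if "y" in dkim.get("t", ""):
            findings.append("DKIM: t=y marks testing mode; verifiers may ignore failures")

    dmarc = parse_tags(dmarc_txt, "DMARC1")
    if dmarc is None:
        findings.append("DMARC: no record")
    else:
        p = dmarc.get("p", "").lower()
        if p not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={p or 'missing'} only monitors; use quarantine or reject")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to part of the mail")
        sp = dmarc.get("sp", p).lower()        # subdomain policy defaults to p=
        if sp not in ("quarantine", "reject"):
            findings.append(f"DMARC: subdomain policy sp={sp or 'missing'} does not enforce")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports to review")
    return findings


# Constructed samples: example.com and 203.0.113.0/24 are reserved for documentation;
# the DKIM p= value is a shortened placeholder, not a real key.
WEAK = (
    "v=spf1 include:_spf.example.net ?all",
    "v=DKIM1; k=rsa; t=y; p=",
    "v=DMARC1; p=none; pct=50",
)
HARDENED = (
    "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
)

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(*records) or ["ok"])
```

Against live records the script only tells half the story: DMARC passes when the From: header domain aligns with the domain SPF authenticated or the DKIM d= tag, which is exactly what makes the single-domain rule in CRA-5.8.11D enforceable, so the DMARC aggregate (rua=) reports should be reviewed to confirm that every legitimate sending service, including any third party permitted under CRA-5.8.11E, is signing or sending from the licensee's own domain before moving p= from none to reject.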