CRA-5.8.25
The cyber security policy referred to in Rule CRA-5.8.5 must, at a minimum, include audit functions as set forth below.
(a) Penetration testing: A licensee must conduct penetration testing of its electronic systems, at least annually, and vulnerability assessment of those systems, at least quarterly.
(b) Audit trail: A licensee must maintain audit trail systems that:
(i) track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting;
(ii) protect the integrity of data stored and maintained as part of the audit trail from alteration or tampering;
(iii) protect the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allow for event reconstruction;
(iv) log system events including, at minimum, access and alterations made to the audit trail systems by the systems or by an authorized user, and all system administrator functions performed on the systems; and
(v) maintain records produced as part of the audit trail in accordance with the recordkeeping requirements set forth in this Section.
Added: April 2019