OM-5.5.18
A
(a) Deployment of Endpoint Protection (EPP) and Endpoint Detection and Response (EDR), including anti-virus and anti-malware software, to detect, prevent, and isolate malicious code;
(b) Data leakage prevention solutions to detect and prevent confidential data from leaving the licensee's technology environment;
(c) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF) for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
(d) Rigorous security testing at the software development stage as well as after deployment to limit the number of vulnerabilities;
(e) Use of Privileged Access Management (PAM) to secure, control, manage and monitor privileged access to critical assets;
(f) Use of a secure email gateway to limit email-based cyber attacks such as malware attachments, malicious links, and phishing scams (for example, use of Microsoft Office 365 Advanced Threat Protection tools for email);
(g) Use of a Secure Web Gateway to limit browser-based cyber attacks and malicious websites, and to enforce organisational policies;
(h) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems;
(i) Use of mobile device management solutions, including implementing Bring Your Own Device ("BYOD") security policies, to secure all mobile devices with any access to the licensee's systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement;
(j) Network access control to secure physical network ports against connection by computers which are unauthorised to connect to the licensee's network or which do not meet the minimum security requirements defined for licensee computer systems; and
(k) Identity and access management solutions to limit the exploitation and monitor the use of privileged and non-privileged accounts.
Added: July 2021