c808 APPENDIX 75B

This document outlines information security standards and guidelines for BSIs. It discusses the roles and responsibilities of the board, senior management, and information security officer in developing and maintaining an information security program. It also covers key areas such as risk assessment, security controls implementation including asset classification, physical/environmental protections, authentication/access controls, and security administration and monitoring. The goal is to protect information confidentiality, integrity and availability through appropriate risk mitigation strategies and access management.
APPENDIX 75B

IT RISK MANAGEMENT STANDARDS AND GUIDELINES

Area: Information Security

1. Introduction

1.1. Information is one of the most important assets of all BSIs. Timely and reliable information is
necessary to process their transactions and support critical decisions. Protection of information assets is
also necessary to establish and maintain trust between the BSIs and their customers, maintain
compliance with laws and regulations and protect reputation. Likewise, effective management of
information risks and exposures — as well as opportunities — can directly affect the BSIs' profitability
and overall value.

1.2. Information security (IS) has become a critical business function and an essential component of
governance and management affecting all aspects of the business environment. Effective IS controls are
necessary to ensure the confidentiality, integrity and availability of IT resources and their associated
data. These assets should be adequately protected from unauthorized access, deliberate misuse or
fraudulent modification, insertion, deletion, substitution, suppression or disclosure. To achieve these
objectives, BSIs should establish an IS program to manage the risks identified through their assessment,
commensurate with the sensitivity of the information and the complexity of their IT risk profile.
Management may consider a variety of policies, procedures, and technical controls and adopt measures
that appropriately address identified risks.

2. Roles and Responsibilities

2.1. Board of Directors (Board) and Senior Management. The Board, or an appropriate Board
committee, is responsible for overseeing the development, implementation, and maintenance of the
BSI's IS program, and for holding senior management accountable for its actions. The Board should approve
written IS policies and receive periodic reports on the effectiveness of the IS program. The IS policy
should be communicated to all employees and relevant external parties and be reviewed at planned
intervals to ensure its continuing suitability, adequacy and effectiveness. The policy should include a
formal disciplinary process and the corresponding actions for those who have committed security
violations.

Senior management should appoint an information security officer (ISO) who will be responsible
and accountable for the organization-wide IS program. The duly appointed ISO should have sufficient
knowledge, background, and training, as well as organizational position, to enable him to perform
assigned tasks. To ensure appropriate segregation of duties, the ISO should report directly to the Board
or to senior management and have sufficient independence to perform his mandate. The ISO should
perform the tasks of a risk manager and not those of a production resource assigned to the IT department. In the
case of BSIs with a simple IT risk profile, the ISO function may be assigned to an existing independent
officer who meets the above qualifications.

3. Information Security Standards

3.1. IS Risk Assessment. The BSI should conduct periodic security risk assessments to identify and
understand risks to the confidentiality, integrity and availability of information and IT systems based on a
current and detailed knowledge of the BSI's operating and business environments. The risk assessment
should include an identification of the information and IT resources to be protected and their potential
threats and vulnerabilities. An effective risk assessment process involves three phases, namely:
information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to
the process.

Once the risks associated with threats and vulnerabilities have been assessed, probabilities
assigned, and risks rated, the BSI should segregate the risks into those the BSI is willing to accept and
those that should be mitigated. Once the BSI identifies the risks to mitigate, it can begin to develop its
risk mitigation strategy which should be an integral component of the IS program.

3.2. Security Controls Implementation

3.2.1. Asset Classification and Control. The BSI should maintain an inventory of all information assets
and identify the information owner, who shall be responsible for ensuring the confidentiality, integrity and
protection of these assets. Management should implement an information classification strategy in
accordance with the degree of sensitivity and criticality of information assets to the BSI. To ensure
consistent protection of information and other critical data throughout the system, the BSI should
develop guidelines and definitions for each classification and define an appropriate set of controls and
procedures for information protection in accordance with the classification scheme.

Protection of information confidentiality should be in place regardless of the media (including
paper and electronic media) in which the information is maintained. The BSI should ensure that all
media are adequately protected, and establish secure processes for disposal and destruction of sensitive
information in both paper and electronic media.

3.2.2. Physical and Environmental Protection. Physical security measures should be in place to protect
computer facilities and equipment from damage or unauthorized access. Critical information processing
facilities should be housed in secure areas such as data centers and network equipment rooms with
appropriate security barriers and entry controls. Access to these areas should be restricted to authorized
personnel only and the access rights should be reviewed and updated regularly. Buildings should give
minimum indication of their purpose, with no obvious signs identifying the presence of information
processing facilities.

The BSI should fully consider the environmental threats (e.g., proximity to dangerous factories)
when selecting the locations of its data centers.

Moreover, physical and environmental controls should be implemented to monitor
environmental conditions which could adversely affect the operation of information processing facilities
(e.g., fire, explosives, smoke, temperature, water and dust). Equipment and facilities should be
protected from power failures and electrical supply interference by, for example, installing
uninterruptible power supply (UPS) and a backup generator.

3.2.3. Security Administration and Monitoring. A security administration function and a set of formal
procedures should be established for administering the allocation of access rights to system resources
and application systems, and for monitoring the use of system resources to detect any unusual or
unauthorized activities.

Proper segregation of duties within the security administration function or other compensating
controls (e.g., peer reviews) should be in place to mitigate the risk of unauthorized activities being
performed by the security administration function. In those cases where complete segregation of duties
is impractical, management should use mitigating controls, such as ensuring a knowledgeable third-
party conducts appropriate independent reviews of security administration activities. In smaller
institutions, a manager or senior officer who is not involved in the security administration function may
conduct this independent review.

Management should employ the "least privilege" principle throughout IT operations. The
principle provides that individuals should only have privileges on systems and access to functions that
are required to perform their job function and assigned tasks. Individuals with systems and security
administrator roles and privileges should have minimal transactional authority. Independent employees
should monitor the system and security administrator activity logs for unauthorized activity.
Management at smaller institutions should establish compensating controls in these circumstances.

3.2.4. Authentication and Access Control. Access rights and system privileges must be based on job
responsibility and the necessity to have them to fulfill one's duties. No person by virtue of rank or
position should have any intrinsic right to access confidential data, applications, system resources or
facilities. Only employees with proper authorization should be allowed to access confidential
information and use system resources, and solely for legitimate purposes.

The BSI should have an effective process to manage user authentication and access control.
Appropriate user authentication mechanisms, commensurate with the classification of the information to be
accessed, should be selected. The grant, modification and removal of user access rights should be
approved by the information owner prior to implementation. A user access re-certification process
should be conducted periodically to ensure that user access rights remain appropriate and that obsolete user
accounts have been removed from the systems.

Users who can access internal systems should be required to sign an acceptable-use policy (AUP)
before using a system. An AUP is a key control for user awareness and administrative policing of system
activities which details the permitted system uses and user activities and the consequences of non-
compliance.

The BSI should implement effective password rules to ensure that easy-to-guess passwords are
avoided and passwords are changed on a periodic basis. Stronger authentication methods should be
adopted for transactions/activities of higher risk (e.g., payment transactions, financial messages and
mobile computing).

Default user accounts to new software and hardware should either be disabled, or the
authentication to the account should be changed. Additionally, access to these default accounts should
be monitored more closely than other accounts. In the same manner, authorization for privileged access
should be tightly controlled as it gives the user the ability to override system or application controls.
Extra care should be exercised when controlling the use of and access to privileged and emergency IDs.
The necessary control procedures include:

• Granting of authorities that are strictly necessary to privileged and emergency IDs;

• Formal approval by appropriate personnel prior to being released for usage;

• Monitoring of activities performed by privileged and emergency IDs (e.g., peer reviews of
activity logs);

• Proper safeguard of privileged and emergency IDs and passwords (e.g., kept in a sealed
envelope and locked up inside the data center); and

• Change of privileged and emergency IDs' passwords immediately upon return by the requesters.
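As an added illustration (not part of this Appendix), the approval, monitoring and password-change controls listed above can be reconciled mechanically during a peer review of activity logs. The script below assumes emergency IDs share the prefix EMERG, a 30-minute grace period for the password change after return, and a "timestamp key=value" log format; the approval register and log lines are constructed for the example.

```python
from datetime import datetime, timedelta

PRIVILEGED_PREFIX = "EMERG"    # assumption: emergency IDs are named EMERGnn
ROTATION_GRACE_MINUTES = 30    # assumption: password must change within 30 min of return

# Constructed approval register: one record per formally approved release of an emergency ID.
# "returned" is when the requester handed the ID back; "password_changed" is None if not yet rotated.
APPROVALS = [
    {"id": "EMERG01", "approved_by": "it_head",
     "released": "2024-03-01T08:00:00", "returned": "2024-03-01T12:00:00",
     "password_changed": "2024-03-01T12:05:00"},
    {"id": "EMERG02", "approved_by": "it_head",
     "released": "2024-03-02T09:00:00", "returned": "2024-03-02T10:00:00",
     "password_changed": None},
]

# Constructed activity log in a fictional "timestamp key=value ..." format.
LOG_LINES = """\
2024-03-01T08:30:00 host=core-db user=EMERG01 action=login result=ok
2024-03-01T09:15:00 host=core-db user=EMERG01 action=alter_table result=ok
2024-03-01T14:00:00 host=core-db user=EMERG01 action=login result=ok
2024-03-02T09:30:00 host=app01 user=EMERG02 action=login result=ok
2024-03-03T02:00:00 host=app01 user=EMERG03 action=login result=ok
2024-03-01T10:00:00 host=app01 user=jdoe action=login result=ok
"""


def parse_ts(text):
    return datetime.fromisoformat(text)


def parse_log(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = {"ts": parse_ts(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def approved_window(approvals, user, ts):
    """Return the approval record whose release/return window covers ts, else None."""
    for rec in approvals:
        if rec["id"] != user:
            continue
        start = parse_ts(rec["released"])
        end = parse_ts(rec["returned"]) if rec["returned"] else None
        if ts >= start and (end is None or ts <= end):
            return rec
    return None


def review_privileged_ids(log_text, approvals):
    """Return sorted (finding, subject) pairs for the peer review of emergency-ID use."""
    findings = []
    # Control: every use of an emergency ID must fall inside a formally approved release.
    for event in parse_log(log_text):
        user = event.get("user", "")
        if not user.startswith(PRIVILEGED_PREFIX):
            continue  # ordinary user accounts are out of scope for this review
        if approved_window(approvals, user, event["ts"]) is None:
            findings.append(("UNAPPROVED_USE", f"{user}@{event['ts'].isoformat()}"))
    # Control: the password is changed immediately once the requester returns the ID.
    for rec in approvals:
        if not rec["returned"]:
            continue  # still checked out; nothing to verify yet
        deadline = parse_ts(rec["returned"]) + timedelta(minutes=ROTATION_GRACE_MINUTES)
        changed = rec["password_changed"]
        if changed is None or parse_ts(changed) > deadline:
            findings.append(("PASSWORD_NOT_ROTATED", rec["id"]))
    return sorted(findings)
```

On the constructed data the review flags EMERG01 being used after it was returned, EMERG03 being used with no approval record at all, and EMERG02's password not having been changed after return.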

3.2.5. System Security. The following control procedures and baseline security requirements should be
developed to safeguard operating systems, system software and databases, among others:

• Clear definition of a set of access privileges for different groups of users, with access to data and
programs controlled by appropriate methods of identification and authentication of users together
with proper authorization;

• Secure configuration of operating systems, system software, databases and servers to meet the
intended uses with all unnecessary services and programs disabled or removed. Use of security tools
should be considered to strengthen the security of critical systems and servers;

• Periodic checking of the integrity of static data (e.g., system parameters) to detect unauthorized
changes;

• Clear establishment of responsibilities to ensure that the necessary patches and security
updates developed from time to time by relevant vendors are identified, assessed, tested and applied to
the systems in a timely manner;

• Adequate documentation of all configurations and settings of operating systems, system
software, databases and servers; and

• Adequate logging and monitoring of system and user activities to detect irregularities, with logs
securely protected from manipulation.

3.2.6. Network Security. Networks provide system access and connectivity between business units,
affiliates, service providers, business partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access between various groups and information
users. The BSI must evaluate and implement appropriate controls relative to the complexity of its
network. An effective approach to adequately secure system and data within the network involves the
following, among others:

• Grouping of network servers, applications, data, and users into security domains (e.g., untrusted
external networks, external service providers, or various internal user systems);

• Establishment of appropriate access requirements within and between each security domain;

• Implementation of appropriate technological controls to meet access requirements consistently;
and

• Monitoring of cross-domain access for security policy violations and anomalous activity.

The BSI should consider the following factors in determining the network security controls
appropriate to the institution and to each security domain, among others:

• Criticality of the application and the user group within the domain;

• Access points to the domain through various communication channels;

• Network protocols and ports used by the applications and network equipment deployed within
the domain;

• Performance requirement or benchmark;

• Nature of domain (i.e., production or testing, internal or external);

• Connectivity between/among various domains; and

• Trustworthiness of the domain.

3.2.7. Remote Access. Controls over remote access are required to manage risk brought about by
external connections to the BSI's network and computing resources. In protecting information, the BSI
should establish control procedures covering:

• Approval process on user requests;

• Authentication controls for remote access to networks, host data and/or systems;

• Protection (e.g., against theft and malicious software) of equipment and devices;

• Logging and monitoring all remote access communications; and

• Provision of more stringent security controls (i.e., data encryption, two-factor authentication
process).

3.2.8. Encryption. The BSI should adopt industry-accepted cryptographic solutions and implement
sound key management practices to safeguard the associated cryptographic keys. Sound practices of key
management generally include the following, among others:

• Provision of a secure control environment for generation, distribution, storage, entry, use and
archiving of cryptographic keys to safeguard against modification and unauthorized disclosure. In
particular, the use of tamper-resistant storage is recommended to prevent the disclosure of the
cryptographic keys; and

• Adequate off-site back-up and contingency arrangements for cryptographic keys which are
subject to the same security controls as the production cryptographic keys.

3.2.9. Malicious Code Prevention. The BSI should provide protection against the risk of malicious
code by implementing appropriate controls at the host and network level to prevent and detect
malicious code, as well as engage in appropriate user education. Procedures and responsibilities should
be established to detect, prevent, and recover from attacks. The BSI should put in place adequate
controls, such as:

• Prohibiting the download and use of unauthorized files and software, and access to doubtful
web sites;

• Installation and timely update of anti-virus software provided by reputable vendors;

• Disallowing the download of executable files and mobile code, especially those with known
vulnerabilities (e.g., through the use of corporate firewalls and proper configuration of the browser
software); and

• Prompt and regular virus scanning of all computing devices and mobile users' computers, and
procedures for recovering from virus infections.

3.2.10. Personnel Security. The BSI should have a process to verify job application information on all
new employees. Screening procedures, including verification and background checks, should be
developed for recruitment of permanent and temporary IT staff, and contractors, particularly for
sensitive IT-related jobs or access levels.

Management should obtain signed confidentiality, non-disclosure and authorized use
agreements before granting new employees and contractors access to IT systems. Such agreements put
all parties on notice that the BSI owns its information, expects strict confidentiality, and prohibits
information sharing outside legitimate business needs.

All employees of the organization and, where relevant, contractors and third-party users, shall
receive appropriate IS awareness training and regular updates on organizational policies and procedures
relevant to their job function. Security training and awareness promote a security-conscious
environment and strengthen compliance with the BSI's security policies, standards, and procedures.

3.2.11. Systems Development, Acquisition and Maintenance. A framework should be in place describing
the tasks and processes for development or acquisition of new systems, assignment and delineation of
responsibilities and accountabilities for system deliverables and project milestones. User functional
requirements, systems design and technical specifications and service performance expectations should
be adequately documented and approved at appropriate management levels.

The BSI's development, acquisition, and audit policies should include guidelines describing the
involvement of internal audit and information security personnel in the development or acquisition
activities as a means of independently verifying the adequacy of the control and security requirements
as they are developed and implemented.

Besides business functionalities, security requirements relating to system access control,
authentication, transaction authorization, data integrity, system activity logging, audit trail, security
event tracking and exception handling should be clearly specified. The information and/or process
owners should conform to the security requirements for each new system or system acquisition, accept
tests against the requirements, and approve implementation of systems in the production environment.

The BSI should have an effective process to introduce application and system changes into its
respective environments. The process should encompass development, implementation, and testing of
changes to both internally developed software and acquired software. Weak procedures can corrupt
applications and introduce new security vulnerabilities.

3.2.12. Insurance. While insurance coverage is an effective method to transfer risks from the BSI to
insurance carriers, it is not a substitute for an effective IS program. When considering
supplemental insurance coverage for security incidents, the BSI should assess the specific threats in light
of the impact these incidents will have on its financial, operational, and reputation risk profiles. The BSI
should carefully evaluate the extent and availability of coverage in relation to the specific risks it is
seeking to mitigate. In case the BSI contracts for additional coverage, it should ensure that it is aware of
and prepared to comply with any required security controls both at inception of the coverage and over
the term of the policy.

3.3. Security Process Monitoring and Updating

3.3.1. Activity Monitoring. The BSI should gain assurance of the adequacy of its risk mitigation strategy
and implementation by monitoring network and host activity to identify policy violations and anomalous
behavior. The BSI's security monitoring should, commensurate with the risk, be able to identify control
failures before a security incident occurs, detect an intrusion or other security incident in sufficient time
to enable an effective and timely response, and support post-event forensics activities.

The analysis of and response to activity and condition monitoring is performed differently at BSIs
of different IT risk profiles. A simple BSI may assign operational personnel to the analysis and response
function, while a complex BSI may maintain a security response center that receives and analyzes the
data flows as activity occurs. Additionally, BSIs, regardless of IT risk profile, may outsource various
aspects of the analysis and response function, such as activity monitoring. Outsourcing does not relieve
the BSI of the responsibility for ensuring that control failures are identified before a security incident
occurs, that an intrusion or other security incident is detected in sufficient time to enable an effective and
timely response, and that post-event forensics activities are supported.

3.3.2. IS Incident Management. The BSI should establish incident response and reporting procedures
to handle IS-related incidents. All employees, contractors and third party users shall be required to note
and report any observed or suspected security weaknesses in systems. An effective incident response
program includes the following components, among others:

• A mechanism to log, monitor and quantify the nature, criticality and estimated cost of IS
incidents;

• Assessment of the nature and scope of the incident and identification of what information has
been accessed or misused;

• Measures to contain and control the incident to prevent further unauthorized access to or
misuse of information, while preserving records and other evidence;

• Prompt notification to BSP of any confirmed IT-related fraud cases or major security breaches,
consistent with existing regulations;

• Notification to appropriate law enforcement authorities in situations involving criminal
violations requiring immediate attention; and

• Notification to customers when warranted.

Log files are critical to the successful investigation and prosecution of security incidents and can
potentially contain sensitive information. Therefore, the BSI should strictly control and monitor access to
log files whether on the host or in a centralized logging facility.

Where a follow-up action against a person or organization after an IS incident involves legal
action, evidence shall be collected, retained, and presented to conform to the rules for evidence laid
down in the relevant jurisdiction.

3.3.3. Ongoing Risk Assessment. The BSI should continuously gather and analyze information regarding
new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the
existing security controls. It should evaluate the information gathered to determine the extent of any
required adjustments to the various components of the IS program. Depending on the nature of the
changing environment, the BSI needs to reassess the risk and make changes to its security process (e.g.,
security strategy, controls implementation or security monitoring requirements).

The BSI should adjust its IS program to reflect the results of ongoing risk assessment and the key
controls necessary to safeguard customer information and ensure the proper disposal of customer
information. It should adjust the program to take into account changes in IT, sensitivity of its customer
information, internal or external threats, and the BSI's own changing business arrangements such as
mergers, acquisitions, alliances and joint ventures, outsourcing arrangements, and changes in customer
information systems.

4. Roles of IT Audit and Security Specialists

4.1. Audit and Compliance Reviews. IT auditors are usually charged to assess, on a regular basis, the
effectiveness of a BSI's IS program. To fulfill this task, they must have an understanding of the
protection schemes, the security framework and the related issues, including compliance with
applicable laws and regulations.

The BSI should engage independent security specialists to assess the strengths and weaknesses
of critical applications, systems and networks prior to initial implementation.

For BSIs providing electronic and similar services, annual vulnerability assessment and
penetration testing should be performed by an external party to provide early identification of
threats and vulnerabilities so that appropriate security measures can immediately be implemented.
