Example: barber

CYBER & INFORMATION SECURITY DIRECTIVE

BANK OF GHANA. CYBER &. INFORMATION . SECURITY . DIRECTIVE . OCTOBER 2018. PREFACE. In recent years, CYBER -related systems and networks have been playing an increasing role in the financial sector. The financial sector relies on these infrastructures for processing transactions and transferring funds which has made them attractive and susceptible targets for CYBER -attacks. Being high-profile targets creates a distinct challenge for financial institutions, since they must strike an optimal balance between SECURITY and maintaining efficient and reliable operations for their customers.

security and maintaining efficient and reliable operations for their customers. Today, cybercrime poses a real and persistent threat to financial institutions of all sizes and the number of companies that fall victim to cybercrime and digital espionage continues to rise. ... information security threats and countermeasures with reference to the

Tags:

  Security, Threats, Pose, Security threat

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Advertisement

Transcription of CYBER & INFORMATION SECURITY DIRECTIVE

1 BANK OF GHANA. CYBER &. INFORMATION . SECURITY . DIRECTIVE . OCTOBER 2018. PREFACE. In recent years, CYBER -related systems and networks have been playing an increasing role in the financial sector. The financial sector relies on these infrastructures for processing transactions and transferring funds which has made them attractive and susceptible targets for CYBER -attacks. Being high-profile targets creates a distinct challenge for financial institutions, since they must strike an optimal balance between SECURITY and maintaining efficient and reliable operations for their customers.

2 Today, cybercrime poses a real and persistent threat to financial institutions of all sizes and the number of companies that fall victim to cybercrime and digital espionage continues to rise. In fact, the financial services sector and its customers are heavily targeted by all those actors. Furthermore, the threat environment has become more sophisticated and diverse. In recent times, CYBER criminals have managed to bypass SECURITY controls and to exploit breaches or vulnerabilities within the CYBER and INFORMATION SECURITY defences of financial systems.

3 This document provides a framework for establishing CYBER and INFORMATION SECURITY protocols and procedures for; routine and emergency scenarios, delegation of responsibilities, inter- and intra-company communication and cooperation, coordination with government authorities, establishment of reporting mechanisms, physical SECURITY measures for IT Datacentres and Control Rooms, and assurance of data and network SECURITY . Page |2. CYBER & INFORMATION SECURITY DIRECTIVE . ARRANGEMENT OF SECTIONS. Section PART I PRELIMINARY MATTERS.

4 7. 1. Objective .. 7. 2. 8. 3. Obligations of Regulated 8. PART II GOVERNANCE .. 10. 4. The Board .. 10. 5. The Senior 10. 6. Internal 12. 7. Appointment .. 13. 8. Status in the Institutional Hierarchy .. 13. 9. Responsibilities .. 13. PART IV CYBER SECURITY RISK MANAGEMENT .. 16. CYBER and INFORMATION SECURITY Policy and Procedures .. 16. 10. Policy .. 16. 11. Procedures .. 18. 12. The CYBER and INFORMATION SECURITY Risk Management Steering 18. CYBER and INFORMATION SECURITY Management Framework.

5 20. 13. Risk Management .. 20. 14. Risk 21. 15. Risk Assessments .. 22. 16. Risk Mitigation .. 24. 17. Risk Monitoring and Reporting .. 25. PART V ASSET MANAGEMENT .. 26. 18. Inventory .. 26..91 Ownership .. 26..02 Acceptable Use .. 27. 21. Asset Mapping and Classification .. 27. PART VI CYBER DEFENCE .. 28. Page |3. 22. SECURITY Infrastructure .. 28. 23. Architecture .. 30. 24. Network 32. 25. Network Management .. 32. 26. Encryption .. 33. 27. Media Encryption .. 34. 28. Remote Access .. 34. 29. Internet 35.

6 30. Websites and Web Applications Protection .. 36. 31. Access Control and 37. 32. Biometric Authentication .. 37. 33. Compartmentalization and Permissions .. 38. 34. Servers and Workstations .. 39. 35. Databases .. 40. 36. Software INFORMATION SECURITY .. 40. 37. Auditing .. 41. 38. Incident Preparedness .. 43. 39. Research .. 44. PART VII CYBER RESPONSE .. 46. 40. Structure and Hierarchy .. 46. 41. SECURITY INFORMATION and Event Management (SIEM) .. 48. 42. SECURITY Operations Centre (SOC) Situation Room (War Room).

7 49. 43. 50. 44. Intelligence .. 51. 45. Data Mining .. 51. 46. Reporting to the BoG .. 52. PART VIII EMPLOYEE ACCESS TO ICT SYSTEMS .. 54. 47. Access Control .. 54. Channels of Communication with External Entities .. 55. 48. Data Transfer between Sites and 55. 49. Web Access .. 56. 50. 58. Mobile 59. 51. Bring your own device (BYOD) .. 59. Page |4. 52. Institutional mobile device .. 61. PART IX ELECTRONIC BANKING SERVICES .. 62. 53. 62. 54. Subscribing to Electronic Banking Services .. 64. 55. Identification and Authentication.

8 64. Online Services .. 65. 56. Website .. 65. 57. Mobile Applications .. 67. 58. 68. 59. Telephony Services .. 69. (1) Call centre .. 69. (2) Fax .. 71. (3) Text messages (SMS).. 71. 60. Customer SECURITY .. 72. 61. Passwords and Password Management .. 73. PART X TRAINING, AWARENESS AND COMPETENCE .. 75. 62. Sensitive 75. 63. New Employee .. 75. 64. New 76. 65. CYBER Education .. 77. 66. CYBER Exercises .. 77. PART XI EXTERNAL 79. 67. Direct 79. 68. Other Financial and non-institutions .. 81. 69. Business Partners.

9 81. 70. Remote Access .. 82. 71. External Parties .. 84. 72. Data in Motion .. 85. PART XII CLOUD SERVICES .. 86. 73. Corporate 86. 74. Risk Management .. 87. 75. The Cloud Computing Service Contract .. 88. 76. Institutional Application Development .. 89. 77. Promotional Material .. 89. Page |5. PART XIII BANKS WITH INTERNATIONAL AFFILIATION .. 90..87 Foreign Banks in 90. 79. Ghanaian Banks Abroad .. 91. PART XIV PHYSICAL SECURITY .. 92. 80. 92. 81. Secured Zones .. 92. 82. Segmentation .. 93. 83. Physical SECURITY of Hardware and Other Equipment.

10 94. PART XV HUMAN RESOURCE MANAGEMENT .. 95. 84. Hiring .. 95. 85. 96. 86. Sensitive 97. 87. Employee Lifecycle .. 98. PART XVI CONTRACTUAL 99. 88. CYBER SECURITY Contracts .. 99. PART XVII INTERPRETATION .. 103. PART XVIII ANNEX A - IMPLEMENTATION SCHEDULE .. 127. PART XIX Annex B - Enhanced Competency Framework .. 129. 89. Guide to Enhanced Competency Framework (ECF) on CYBER 129. PART XX Annex C Return on CYBER SECURITY Incidents .. 131. 90. Return on CYBER and INFORMATION SECURITY Incidents .. 131.


Related search queries