This policy is in compliance with BSP MORB 148 IT Risk Management, Appendix 75 (Information Security Standards and Guidelines) - https://morb.bsp.gov.ph/appendix-75/
Purpose
The purpose of the Cybersecurity policy are:
To establish the cybersecurity framework of the Bank.
To establish a strong cybersecurity culture.
To align business objectives and cybersecurity best practices.
Objective
To achieve its purpose, SaFi Bank, referred to as “The Bank”, aims implement these objectives:
Organize and structure cybersecurity processes across the Bank.
Educate employees and customers about cybersecurity.
Align the Bank operations and processes to adapt cybersecurity practices.
Minimize the impact of security threats by preventive strategy.
Scope
This policy shall apply to SaFi Bank.
This policy shall cover provisions and guidelines on cybersecurity framework which includes standards and guidelines in managing cybersecurity risks.
This policy establishes the roles and responsibilities to the management of cybersecurity risks.
Policy
Security Governance
Principles
Understand cybersecurity risks within the organization’s people, process, and technology.
Prioritize based on organizational risk appetite.
Decision must be based on cybersecurity risk appetite.
Educate everyone as security is everyones responsibility.
Roles and Responsibilities
Head of IT Security.
Overall driver of the Security Governance.
Understands the cybersecurity posture of the Bank.
Creates strategic plan and cybersecurity programs to address the residual risks of the Bank.
Presents and secures the vet and approval of the Management to strategic plan and cybersecurity programs.
Head of Application Security
Supports the Head of IT Security to enable the Security Governance policy from external threats to the Bank.
Head of Internal Security
Supports the Head of IT Security to enable the Security Governance policy from internal threats to the Bank.
Statement of Policy
Head of IT Security should develop a common understanding of the Bank security posture.
Head of IT Security should perform a regular cybersecurity assessment to the Bank within its people, process, and technologies.
Cybersecurity assessment should consider the Business Impact Analysis (BIA) results conducted by business units driven by Operational Risk Management (ORM) and IT for Disaster Recovery (DR).
Threat modeling should be performed for all gaps, threats, and vulnerabilities found from the assessment.
Risk Assessment should be performed based on the threat modeling results.
Results of risk assessment should be addressed based on the level and severity of its residual risk.
Head of IT Security should present the risks found on the cybersecurity assessment to the Management and secure their veto and approval on the set of risks in order to determine their risk appetite.
Head of IT Security should document the risks and store them in a secure and accessible location.
Head of IT Security should create a strategic plan to address the risks.
Strategic plan should prioritize the risks with higher residual risk level and severity. The plan should have a roadmap to address the risks in order for the management to guide and understand the current cybersecurity posture of the Bank.
Head of IT Security should develop a cybersecurity program to implement the strategic plan.
Cybersecurity program should align with business needs and strategies of the Bank and flexible to address the changing security posture due to emerging threats.
The program should be measurable by its desired output through metrics which serves as decision making parameter for the Management.
Head of IT Security should regularly update the program according to the Bank needs and strategies.
Head of IT Security should regularly present the program including its progress, changes, and action plans to the Management and secure their vet and approval.
Head of IT Security should document the program and store them in a secure and accessible location.
Head of IT Security should develop an awareness program to educate the Bank employees and its customers for the cybersecurity policy.
Head of IT Security should lead the awareness program and establish training academy to facilitate cybersecurity education.
Strategy
A “Shift left” strategy will be used as the Bank’s overall proactive strategy for cybersecurity. It’s a preventive approach called “designed for security” to manage cybersecurity risks. This strategy embed security right where the development of products and services started rather than a mitigation approach wherein the security is implemented right after the developed products and services.
A “Risk based response” strategy will be used as the Bank’s overall reactive strategy for cybersecurity. It’s a risk-driven approach to manage cybersecurity gaps, threats, and vulnerabilities found in the Bank. This strategy focuses on the risks rather than the severity of the issues. Higher the risks, the higher the priority.
Metrics
Residual risk ratings
This numerical metric describes the risks and its intensity with all the controls in place to mitigate the risk. It shows the current posture of the risk in the Bank operations.
Cybersecurity program KPIs
This numerical metrics describes the programs performance and shows current program status.
Strategic plan OKRs
This non-numerical metrics describes the strategic plan progress and current status.
Compliance
These regulatory standards required by the Bangko Sentral ng Pilipinas (BSP) in their MORB 148 for regulated banks.
Payment Card Industry Data Security Standards
Law on Secrecy of Bank Deposits (R.A. No. 1405)
Data Privacy Act of 2012 (R.A. No. 10173)
Awareness
Employee Awareness
This program focuses on employees of the Bank to educate them with specific security requirements designed for their role and job functions.
This program should be conducted regularly at least quarterly.
This program should focus on emerging threats and risks.
This program must be measurable for its effectiveness and Management oversight metrics.
Customer Awareness
This program focuses on customers of the Bank to educate them with specific security implementation designed to protect their accounts and secure their hard earned money.
This program should be conducted regularly at least quarterly.
This program should focus to educate customers how to protect their money by performing security best practices including using security features within the Bank designed to prevent security attacks.
This program must be measurable for its effectiveness and Management oversight metrics.
Training Academy
This program focuses on employees of the Bank to educate them with security best practices.
This program should serve as enabler to employees particularly those developing and offering products and services.
This program must be measurable for its effectiveness and Management oversight metrics.
Secure Design
Principles
Identify and understand the threats and risks within the design
Model the threats and its risks to know the current posture.
Develop security requirements to address the threats and its risks.
Include security requirements in the design architecture.
Roles and Responsibilities
Head of Architecture
Collaborate with Heads of Application and Internal Security to secure the entire Bank technology architecture.
Head of Technology
Collaborate with Heads of Application and Internal Security with Head of Architecture to implement security requirements in the development.
Head of Application Security
Driver of threat and risk analysis to Bank applications and external threats.
Head of Internal Security
Driver of threat and risk analysis to Bank equipments and internal threats.
Application Security Engineer
Performs the threat and risk analysis to Bank applications and external threats.
Internal Security Engineer
Performs the threat and risk analysis to Bank equipments and internal threats.
System Reliability Engineer and Developers
Implements the designed solution to business and security requirements.
Business owners
Review and sign threat and risk assessment.
Bank Management
Approve and sign threat and risk assessment.
Statement of Policy
New features due to new products and services should undergo threat and risks analysis.
Application Security Engineer should perform threat and risk analysis regularly to Bank applications, new features, products, services and external threats.
Head of Application Security should lead and oversight the threat and risk analysis performed by Application Security Engineers.
Internal Security Engineer should perform threat and risk analysis regularly to Bank equipments, software patches, and internal threats.
Head of Internal Security should lead and oversight the threat and risk analysis performed by Internal Security Engineers.
Head of Application Security and Internal Security including their engineers should identify security requirements based on threat and risk analysis.
Identified security requirements should be presented to Head of Architecture and Technology to incorporate the requirements in the solution design of products and services of the Bank.
Head of Technology should oversight the implementation of the requirements designed by Head of Architecture.
System Reliability Engineers and Developers should implement the requirements in the solution design.
Threat and Risk Assessment
Threat analysis should identify and measured its likelihood and impact of the threats to become a reality.
Risk analysis should identify and measured its likelihood and impact of the risks associated to the threat.
Assessment should identify the controls to mitigate the current posture of the threats and risks.
Controls should be measured to determine its effectiveness to determine the residual risks.
Residual risks should be the final risk rating of the threat and risks.
Complete threat and risks assessment results should be presented to the business owners of each application, process, product, and services by the security engineer who performs the assessment and its head.
Presented threat and risks assessment will be reviewed and signed by business owners.
Signed threat and risks assessment should be presented to the Management by the Head of Application or Internal Security for their approval of the risks.
Head of Application and Internal Security should document the signed assessment.
Security Requirements
Based on the signed threat and risks assessment, Head of Application or Internal Security along with the engineer who performs the assessment should identify appropriate solution to the residual risks.
Identified solutions will be used as security requirements to address the threat and risks.
Security requirements should be presented to CTO, Head of Architecture, Head of Technology, Head of SRE, and Head of Service Management to have a solution and design for its implementation in the current architecture.
After the implementation of the security requirements, threat and risks assessment document should be updated accordingly and re-present to business owners for signed review and Management for signed approval.
Secure Architecture
Security in the whole architecture should be on “blacklist by default” approach.
Each business requirements to enable an entity (e.g. service, application, process, etc.) in the current architecture should be “whitelisted only if provided with proper justification and approval”.
Heads of Application and Internal Security should document each whitelist request and maintain it for audit purposes.
Heads of Application and Internal Security should document an architecture diagram of the whole cybersecurity posture of the Bank. How they working together to secure the Bank processes for its customers and employees.
Heads of Application and Internal Security should work together with Head of Architecture to include security architecture in their overall technology architecture of the Bank.
Secure Implementation
Principles
Understand application components including its dependencies and process procedures.
Analyze security defects or gaps and enrich them with information to drive metrics-based decisions.
Manage the current cybersecurity posture of components, dependencies, and procedures.
Ensure the security and integrity of applications and processes are not compromised.
Ensure a secure working software and processes with minimum defects.
Roles and Responsibilities
Heads of Application and Internal Security
Drives the assessment of applications and processes for all Bank resources.
Head of Technology
Drives the mitigation or remediation of all security gaps, findings, and vulnerabilities within the applications.
Head of QA Testing
Drives the testing and verification strategies for the implementation.
Developers
Performs the needed implementation requirements.
Security Engineers
Identify, analyze, manage all found defects, gaps, vulnerabilities, application components and its dependencies, and process procedures.
Test the implemented mitigations if working.
Test Engineers
Validate the resolution should not impact business requirements on the software.
Business Owners
Set expected impact tolerances within the business requirements.
Statement of Policy
Security Engineers should identify and document all application components including its dependencies and process procedures.
Security Engineers should regularly analyze security defects, gaps, and vulnerabilities within the identified applications and processes and perform risk analysis.
Heads of Application and Internal Security with Heads of Technology and QA Testing should drive the implementation of mitigation or remediation of the found defects, gaps, and vulnerabilities to ensure secure environment.
Developers, Security Engineers, and Test Engineers should work together to design, develop, and test implementations to mitigate or remediate the defects, gaps, and vulnerabilities.
Application components, dependencies, and process procedures should come only from agreed framework and repository to ensure its integrity.
Heads of Application and Internal Security should maintain a low security risk posture of the Bank applications, products, services, and processes.
Business Owners ensure that desired level of tolerance due to impact of security resolutions is within the business requirements.
Secure Build
Every build should undergo Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) before loading to production.
Implement hardening procedures to every build.
Every release build should have no critical, high and medium severity vulnerabilities.
Every release build should have no High and Medium residual risk rating vulnerabilities.
Non-compliant build should fail and be fixed before loading to production.
Secure Deployment
Container Scanning, Cloud Scanning, and Kubernetes Scanning should be regularly performed in Development and Production Environment to ensure secure environment for the applications.
Every deployment should undergo security verification tests before and after loading to production (i.e., file integrity checks, container integrity checks)
Limit access to production secrets.
Production secrets should be changed regularly.
Ensure a proper role based access control audit logging.
Defect Management
Every security findings (i.e., defects, gaps, and vulnerabilities) should be organized in using structured tracking.
Every security findings should be rated using CVSSv3.1 to determine severity and Risk Assessment for its impact to the Bank.
Every security findings should have minimum baseline target mitigation or remediation dates.
Resolutions should prioritize higher risk rating vulnerability rather than higher severity ratings. (Risk > CVSS)
Resolutions should be tracked with how much time consumed to resolve the finding to be used as metrics.
Secure Verification
Principles
Applications, technology infrastructure, and business processes should meet all relevant security and compliance requirements.
Continuous security review process to evaluate effectiveness of the implemented security controls.
Build a set of security test and execute them regularly.
Opportunistically find vulnerabilities and other security issues through requirements-driven testing.
Ensure a common security testing baseline.
Perform manual security testing regularly.
Roles and Responsibilities
Security Engineers
Continuously performs security testing to find security threats, gaps, and vulnerabilities within the Bank in all its processes and technology
Head of Application Security
Drives security testing activities conducted on external perspectives.
Head of Internal Security
Drives security testing activities conducted on internal perspectives.
Business Owners
Review the impact of security testing to the business.
Statement of Policy
Security Engineers should develop a common security testing baseline for all security testing activities.
Security Engineers should regularly perform security testing to bank processes, applications, and architecture.
Security Engineers should also develop automated security testing scripts to improve security testing strategies.
Security Engineers should perform security testing on requirements-driven approach.
Security Testing activities should be reviewed by Business Owners to meet business requirements with security best practices.
Security Testing should be scheduled to appropriate business hours to mitigate or lessen its business impact.
Architecture Assessment
All application and infrastructure architecture should meet all relevant security and compliance requirements, and sufficiently mitigates identified security threats.
Architecture assessment activities should be conducted regularly to identify defect, gaps , or vulnerabilities.
Head of Application Security should create a view of the overall external security architecture and examine it for the correct provision of general security mechanisms such as authentication, authorization, user and rights management, secure communication, data protection, key management and log management.
Head of Internal Security should should create a view of the overall internal security architecture and examine it for the correct provision of general security mechanisms such as authentication, authorization, user and rights management, secure communication, data protection, key management and log management.
Requirements-driven Testing
All security testing should be performed using specific requirements.
Security testing requirements should have both positive and negative testing.
Negative testing checks the quality of the implementation of the security controls and aims to detect unexpected design flaws and implementation bugs through misuse and abuse testing.
Positive testing includes security regression test continuously.
Security Testing
Security Testing should be integrated into development process.
Security Testing should be performed in both manual and tool based testing.
Integrate tool based security testing in the build and deployment process.
Manual security testing should be performed to high-risk components.
Conduct manual penetration testing activities regularly.
Security Operations
Principles
Ensure confidentiality, integrity, and availability are maintained throughout the operational lifetime of an application and its associated data.
Ensure resiliency in the face of operational disruptions, and responsive to changes in the operational landscape.
A security incident is a “breach”, or the “threat” of an imminent breach, of at least one asset’s security goals, whether due to malicious or negligent behavior.
Roles and Responsibilities
Security Engineers
Manage security are maintained throughout the operational lifetime of Bank applications and its associated data.
Monitor for security breach.
Validate the occurrence of a breach.
Raise incident alert for detected breach within the Bank resources.
Verify the mitigation or remediation of a breach.
Head of Application Security
Drive the management of security throughout the operational lifecycle of Bank application.
Head of Internal Security
Drive the management of security throughout the SIEM, EDR, physical access, internal network, and equipments.
Head of Security
Oversight the security management and its operations in the Bank.
Incident Manager
Manage the incident and drives the incident management team to resolve it as soon as possible.
Developers
Implement required mitigation or remediation steps to resolve the incident.
Test Engineers
Verify the mitigation or remediation has limited impact to the business operations.
Ensure the business operation is properly working as it should after the mitigation or remediation.
Business Owners
Review the changes due to mitigation or remediation is acceptable in business perspective.
Virtual Security Operations Team (vSecOps)
Monitor the realtime security posture of the Bank in SIEM.
Composes of Heads of Application and Internal Security and Security Engineers.
Statement of Policy
Heads of Application and Internal Security should establish a virtual Security Operations Team (vSecOps).
vSecOps Team should compose of security engineers which includes Heads of Application and Internal Security.
vSecOps should be the contact point for security breach within the Bank.
vSecOps should work with Incident Manager for the management of the incident.
Heads of Application and Internal Security should develop an SIEM tool to monitor the realtime security posture of the Bank.
Security Engineers should update realtime detection rules to improve the security detection mechanism.
Security Engineers should develop a response playbook for each type of breach that could happen in the Bank.
All security incident should be tracked, logged, and documented in a common ticketing system.
Security Engineers should update security rules with up to date techniques and best practices to prevent the security threats.
Incident Management
A good incident management process starts with good detection mechanisms.
Incident handling process should be organized using incident playbooks.
An incident report should have chronological documentation of the incident.
Prioritize incident based on risk impact to the Bank.
Describe the incident based on its characteristics using severity levels.
Environment Management
Develop a hardening baseline for all Bank applications.
Integrate hardening configurations to build and deployment process.
Rulesets and hardening configurations should be updated regularly based on new threats from threat intelligence sources.
Monitor configuration changes and non-conformance to baseline.
Ensure regular security patch update of Bank applications and systems.
Monitor security posture from vulnerable application components.
Operational Management
Heads of Application and Internal Security should implement a data protection mechanisms. (e.g., data loss protection, data loss prevention, data integrity protection)
Data protection mechanisms should be driven by policy driven rules.
Automate detection of policy non-compliance, and audit compliance periodically. Regularly review and update to data catalog and data protection policy.
Cybersecurity Framework
