Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #6 | Section 8: Review of the Information Systems and Cybersecurity Framework

Regulated entities are required to implement measures to ensure the Confidentiality, Integrity and Availability (CIA) of their data and systems.

The following key requirements should be considered:

Review of the Information Systems and Cybersecurity Framework

Regulated entities should:

1. Review their IT and cybersecurity risks and assess their cybersecurity framework regularly;

2. Include a feedback loop that allows the governing body and senior management to react to changes in the IT and cybersecurity risk profile; and

3. Test the cybersecurity framework periodically and update it as needed.

IT System Controls

Regulated entities should:

1. Establish configuration baselines and standards across the IT assets such as the operating systems, databases, network devices, etc.;

2. Implement physical and logical access security on their IT systems;

3. Establish and implement clear segregation of duties;

4. Establish and implement policies, processes and procedures guiding change management, software release management, incident management and capacity management;

5. Ensure audit trails are enabled for all internet transactions;

6. Develop a technology refresh plan to ensure the IT infrastructure is supported and up to date;

7. Carry out vulnerability assessments and penetration tests at a minimum annually; and

8. Install network security devices such as firewalls, intrusion detection and prevention systems (IDPS) to protect their network perimeter.

Next week, we discuss:
Section 9 - IT System Controls and Use of the Internet.
