There are many sources of advice about information security and how to implement effective controls that are proportionate to the size and scale of your business and the products or services you provide.
To protect the confidentiality, integrity and availability of information and data in the Open Banking Ecosystem, all Participants should ensure that security is given sufficient profile and influence in their organisation and operations in order to meet their obligations under both PSD2 and data protection laws.
Implementation of Information Security controls must be in line with the Open Banking Read/Write API specifications, particularly the Open Banking Security Profile. These specifications detail the underlying information exchanges between Participants and how these are secured, but not how each Participant should operate securely within its own organisation. This document should be read in conjunction with the other Open Banking ‘How To’ guides and the Open Banking Security Profile.
Effective Information Security Management
Develop, maintain and implement an Information Security Policy, ensuring adequate resources, processes, technology, people and budget are allocated.
- Use specialist resources and an appropriate controls framework (ISO27001:2017, IASME, Cyber Essentials), externally assessed rather than self-assessed.
- Complete regular threat assessments and ongoing risk management using experienced staff and robust processes (risk management standards).
- Allocate accountability to a nominated board member to oversee risks.
- Implement strong passwords and access management controls.
- Ask workers and staff to use a secure password vault and recommend specific applications.
- Monitor intelligence to review and refine threats and mitigating actions regularly to implement continuous improvement.
- Vet all staff and suppliers thoroughly. Supply-chain and insider threats, whether from malicious or accidental activity, are often the biggest risk to an organisation.
- Develop a strong security awareness culture within your organisation.
- Implement and run a dedicated security operations centre.
- Ensure strong IT systems controls (access and role management etc.) covering infrastructure and applications throughout the software development lifecycle.
- Ensure clear information security requirements are stated in contracts with third party suppliers.
- Regularly undertake assurance of third party providers.
- Assume you will have a problem: create and test an incident response plan.
Regulatory Consequences: Poor information security could lead to revocation of your regulatory permissions as well as enforcement action and/or fines arising out of data protection breaches.
Revenue Consequences: Poor information security will compromise trust in your business, create reputational risk and could lead to adverse publicity and reduction in customer take-up of your products and services.
Identify Your Greatest Threats: People are your greatest asset, but also your greatest threat. Ensure strong controls around vetting, training and clear accountability.
Protecting Against Data Breach
- Implement strong password and access controls. Ensure secret credentials remain secret at all times.
- Classify data and assets. Understand what data you hold, assess its sensitivity, distinguish personal data from other confidential and classified data, and protect it according to threat likelihood and impact.
- Manage and monitor access to data. Use strong authentication to manage access to company systems and role-based access for individual data sets. Review access at least quarterly.
- Train staff over and over again. Training should cover risks (particularly phishing and social engineering), web use, proper data handling and data management processes. Staff should, at all times, be aware of individuals’ rights.
- Develop a culture of security at all levels and in particular in development teams, to embed security in functionality. A bit of friction is a good thing: it gives the chance to consider security before progressing.
- Eliminate the use of portable storage, install Mobile Device Management software on mobile devices and restrict the ability to download and store data via removable media.
- Assess new applications, processes or services from a security perspective before introducing them.
- Production data used in non-production environments must have production-level controls implemented.
- Emergency access to production data must be made through a secure break-glass process.
- Have a clear data retention and destruction policy that is in line with regulations.
- Know your digital footprint and apply controls to protect your brand from impersonation.
- Assess the physical threats and risks and apply appropriate controls.
Guidance from the ICO on dealing with a data breach can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
Regulatory Consequences: A data breach must be reported to the Information Commissioner’s Office (ICO). For certain types of personal data breach, this must be done within 72 hours of becoming aware (where feasible).
Developing a Data Breach Policy & Procedure
Data Breach Policy
Amongst other policies and procedures and in accordance with data protection laws, TPPs should create a data breach policy statement and operate to the following recommended set of policies:
- Prevent: Operate regular risk assessment and risk monitoring in order to anticipate potential data threats, hazards and impacts.
- Prepare: Ensure that the procedures for managing data incidents are clearly set out, together with clear roles and responsibilities, lines of escalation and communication for all parties involved in risk management procedures.
- Assess: Assess each data incident according to its impact in order to determine a proportionate response, and trigger the most appropriate command and control arrangements.
- Contain: Invoke the relevant processes and procedures to limit the impact of the incident.
- Communicate: Ensure that all relevant parties receive efficient, regular and timely communication in the event of a data incident.
- Recover: Start the recovery process as quickly as possible to ensure minimal disruption to service delivery and enable return to normal business operations as quickly as practicable.
- Review: Conduct a robust analysis of the underlying cause of the incident, the efficacy of the incident response, the lessons learned, and the actions required to prevent future similar incidents.
- Test: Regularly test adherence to the Incident Management Policy and associated Incident Management Procedures to ensure their adequacy and effectiveness.
Data Incident Management Procedure
TPPs should develop an Incident Management Procedure that includes Data Incidents. This should be adhered to in all such cases, ensuring that a Data Incident is promptly identified and adequately reviewed, assessed, escalated when appropriate, remediated and recovered.
The key stages in a Data Incident Management Procedure, which may run concurrently, are:
- Identification/logging of the data incident (initial alert, triggering a potential incident).
- Management team (including Legal, HR and a Privacy Specialist) made aware and convened.
- Management team conducts an impact assessment and commences mitigating actions for resolution.
- Incident resolution.
- Closure and return to business as usual.
- Post incident review.
The Data Incident Management Procedure must apply to and should be followed by all workers, in any capacity, including employees, contractors, directors, external consultants, third party representatives and business partners.
Identify and subscribe to appropriate intelligence sources then monitor the outputs to inform necessary action. There are many free Open Source Intelligence sources and tools available. Additionally, all participants are encouraged to leverage the intelligence reports shared from Open Banking.
- Enforce continuous patching of all technology, including documenting and archiving patch dates, and assign individual accountability for patching specific software and equipment.
- Maintain firewalls, vulnerability and malware scanning, patching, Denial of Service (DoS) and Distributed Denial of Service (DDoS) protection.
- Implement regular vulnerability scanning. Scan your networks and endpoints for vulnerabilities and weaknesses.
- Harden your operating systems. Take simple steps such as changing default passwords, deleting unnecessary service accounts and removing unused or superfluous software.
- Secure the provision of experienced external penetration testing services.
- Where authentication is handed off or redirected to other sites, ensure credentials cannot be intercepted and avoid the need to disclose them.
- Always maintain the ability of the user to verify the authenticity of the site they are entering, i.e. maintain the ability to see the URL bar/lock icon.
- Manage and implement session timeout values to ensure users cannot leave transactions ‘hanging’ that could then be intercepted.
Practical Guide to IT Security from ICO can be found here: https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf
- Risk Management Regime: Embed an appropriate risk management regime across the organisation.
- Secure Configuration: Having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems.
- Network Security: Ensure connections from your networks to the internet and other partner networks do not expose systems and technologies to attack.
- Manage User Privileges: Ensure users are not provided with unnecessary system privileges or data access rights; otherwise the impact of misuse or compromise of that user’s account will be more severe than it need be.
- User Education & Awareness: Users have a critical role to play in their organisation’s security and so it is important that security rules and the technology provided enable users to do their job, as well as helping keep the organisation secure.
- Incident Management: All organisations will experience security incidents at some point. Define, document and plan your incident management approach.
- Malware Prevention: Malicious software or malware is an umbrella term to cover any code or content that could have a malicious or undesirable impact on systems. Implement malware prevention and detection tools.
- Monitoring: Implement system monitoring to provide a capability that aims to detect actual or attempted attacks on systems and business services.
- Removable Media Control: Manage removable media to prevent exploitation of a common route for the introduction of malware and the accidental or deliberate export of sensitive data.
- Home and Mobile Working: Mobile working and remote system access offer great benefits but expose new risks that need to be managed.
Identify Your Greatest Threats: Consider your risks from exposed network connections (particularly from home and mobile workers).