The Technology Arrangements section includes the following topics: Cloud arrangements; Information Security; ICT Operations management; Business continuity management; Security Monitoring, DLP, eDiscovery, and forensic capabilities; ICT Project and Change management; Unrestricted audit by MFSA on technology arrangements.
The Guidance document elaborates on various types of Cloud arrangements and recommends Licence Holders to carefully consider cloud portability in general. The Guidance draws attention to a number of risks that License Holders face with Cloud arrangements. These include:
- The way microservices are woven into third party platforms;
- Placing reliance on a cloud provider proprietary software offered as Platform as a Service (PaaS) and integrated in a technology arrangement serving a critical or important function, and where such setup may not be readily offered by the cloud provider.
- The use of access and identity management services;
- Disaster recovery plans which rely on a specific cloud provider technology arrangements.
Licence Holders should, subject to the over-arching principle of proportionality, consider internationally recognised standards and frameworks such as ISO/IEC 27001, NIST Cybersecurity Framework, or CIS Critical Security Controls including their security objectives and measures, when implementing a security control framework. The MFSA guidance document details a list of ICT policies and measures which License Holders should have. These measures include:
- Information Security Policy – This policy should define the high-level principles and rules to protect the confidentiality, integrity and availability of the License Holder’s data. This Policy should be based on the relevant results of a risk assessment as well as sector specific compliance requirements
- Logical Security Policy – it should address security risks relating to segregation of duties, users accountability, privileged access rights, remote access, logging of user activities, access management, user access reviews, user access revocation and user authentication methods.
- Physical Security Policy – This policy should determine the restrictions to the physical access to ICT systems. Authorisation should be assigned in accordance with the staff’s tasks and responsibilities limited to individuals who are appropriately trained and monitored. Physical access should be regularly reviewed.
- ICT Operations Security – This document should lay down the procedures to identify potential vulnerabilities, ensure secure configuration baselines, network segmentation, protection of endpoints, systems to ensure integrity of software, firmware and data, and encryption of data at rest and in transit, based on the data classification.
- Security monitoring - Licence Holders should implement appropriate and effective capabilities for detecting and reporting physical or logical intrusion as well as breaches of confidentiality, integrity and availability of the information assets. The continuous monitoring and detection process should cover relevant internal and external factors, including business and ICT administrative functions; transactions to detect misuse of access by third parties or other entities and internal misuse of access; and potential internal and external threats.
- Information security reviews, assessment and testing - Licence Holders should consider establishing and implementing an information security testing framework. Licence Holders should perform ongoing and repeated tests of the security measures that cover critical ICT systems, through vulnerability assessments and penetration testing by an independent party at least on an annual basis. Non-critical systems should be tested regularly on a risk-based approach, but at least once over a three-year cycle.
- Information security training and awareness - Licence Holders should ensure that staff members occupying key roles receive targeted information security training at least annually. Licence Holders should establish and implement periodic security awareness programmes to educate their staff, including the management body, on how to address information security risks.
The License Holder should consider appointing a person responsible for information security. The Information Security Function should support the management body in defining and maintaining the Information Security Policy and control its deployment. Furthermore, the Information Security Function should:
- monitor the implementation of the information security measures; report and advise the management body regularly on the status of information security, its developments, and risks to the Licence Holder;
- ensure that the information security requirements are adhered to when using service providers;
- ensure that all employees and third parties accessing information and systems are adequately informed of the information security policy, typically through information security training and awareness sessions;
- coordinate operational or security incident examination and report relevant ones to the management body.
ICT operations management
ICT operations need to be based on documented processes and procedures that are appropriately implemented. These should, as a minimum, include:
- Technical documentation (including up to date asset inventory)
- Implement logging and monitoring procedures for critical ICT operations to allow for detection, analysis and correction of technical faults and errors
- Backup and restoration procedures
- Incident management procedures
Business continuity management
Disaster recovery plans (DRP) and business continuity plans (BCP) are key elements to the License Holder’s operational risk management framework. These plans need to take into consideration the nature, scale and complexity of the business. As part of sound business continuity management, Licence Holders should:
- Conduct a business impact analysis (BIA)
- Ensure that BCPs cover different scenarios covering various potential failures, including cyber-attack scenarios. These plans should include recovery time objectives which is the maximum time within which a system or process must be restored after an incident and a recovery point objective which is the maximum time period during which it is acceptable for data to be lost in the event of an incident.
- Testing of disaster recovery and business continuity plans
Security Monitoring, DLP, eDiscovery, and forensic capabilities
Security monitoring - subject to the overarching provisions of proportionality, Licence Holders should consider making use of Security Incident and Event Management (SIEM) tools for the-clock real-time analysis of logs and security alerts generated by applications and network infrastructure, covering on-prem or in the cloud solutions. For more complex technology arrangements, SIEMs should be bolted with Security Orchestration Automation and Response (SOAR) and AI technology in the field of cyber security.
Data Loss Prevention (DLP) technology – DLP implementation within a Technology arrangement is critical for regulatory compliance and protection of data in use, whether in flight and at rest. DLP should be augmented with eDiscovery capabilities in order to identify, preserve, collect, process, review, analyse, produce and present Electronically Stored Information (ESI).
Forensic capabilities – IT setups need to be designed in such a way so as to facilitate the taking of forensically sound virtual machine images or cloud-based storage snapshots. The latter would need to be provided by Cloud Service Providers.
ICT Project and Change Management
Subject to the principle of proportionality, Licence Holders should consider establishing and implementing an ICT project portfolio management framework, which defines the organisation’s approach to:
- Programme management i.e. structure, roles, and responsibilities
- Projects pipeline management and change control
- Project management methodology
- Risk management taking into consideration the project management methodology
- Programme reporting, performance metrics, dashboards, update frequencies and escalation policy
- Post-project lessons learnt
Licence Holders should, where applicable, also consider establishing and implementing an ICT Project Management Policy that includes as a minimum:
- project objectives
- roles and responsibilities
- a project risk assessment
- a project plan, timeframe and steps
- key milestones
- change management requirements
Information security requirements within the change management function need to be analysed and approved by a function that is independent from the development function.
Licence Holders should develop and implement a process governing the acquisition, development, and maintenance of ICT systems in order to ensure the confidentiality, integrity, availability of the data to be processed are comprehensibly assured and the defined protection requirements are met, using a risk-based approach.
Unrestricted audit by MFSA on technology arrangements
License Holders need to ensure that technology arrangements are designed in such a way to guarantee compliance with legal and regulatory requirements. Furthermore, a License Holder needs to ensure that part of its legal obligations is to provide competent authorities with rights to information gathering, right of access, and right to audit (remote and on-premises) irrespective of how the technology arrangement was designed, whether on-prem, cloud or hybrid.