Cyber security policy and governance

| No. | Question | Response |
|---|---|---|
| 1 | Is there a well-defined cyber security strategy in line with the business objectives? | |
| 2 | Is there an organisation-wide cyber security policy? | |
| 3 | Is the cyber security policy distinct from the Information Technology/Information Security policy, and does it highlight the risks from cyber threats and include guidelines and mitigating measures? | |
| 4 | Is the cyber security policy reviewed and approved by the Board? | |
| 5 | Is there a clear structure and ownership defined for the management, implementation and review of the cyber security policy, with a point of convergence at the top of the organization? | |
| 6 | Is cyber security a fundamental component of the overall business strategy, and is it considered in all critical business decisions (e.g. when introducing new business applications)? | |
| 7 | Are the cyber security roles and responsibilities coordinated and aligned with internal roles and external partners? | |
| 8 | Do you conduct regular penetration testing and vulnerability assessments for all critical systems (including internet-facing applications/systems)? | |
| 9 | Do you periodically conduct application security testing of web/mobile applications throughout their lifecycle (pre-implementation, post-implementation, after changes) in an environment closely resembling, or a replica of, the production environment? | |
| 10 | Are the legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, understood and adhered to? | |
| 11 | Has a governance and risk management process been established to address cyber security risks? | |
| 12 | Are dependencies and critical functions for delivery of critical services established? | |
| 13 | Are resilience requirements to support delivery of critical services established? | |
| 14 | Is the cyber security policy communicated to employees and relevant partners of the bank periodically? | |
| 15 | Is the cyber security policy readily available to the relevant stakeholders for reference? | |
| 16 | Have you performed threat assessments, which may include aspects such as acts of nature, acts of war, accidents and malicious acts originating from inside or outside the institution? | |
| 17 | Is there an Incident Response Plan in place with due approval of the Board / Top Management? | |
| 18 | Are the Incident Response Plan and its effectiveness reviewed regularly? | |
| 19 | Do the business continuity planning cycle and incident response plan capture cyber risks and the potential business and reputational disruption resulting from them? | |

Physical Security

| No. | Question | Response |
|---|---|---|
| 1 | Do you have policies and procedures that address allowing authorized and limiting unauthorized physical access to where the ICT system is housed? | |
| 2 | Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring? | |
| 3 | Is access to your computing area controlled (e.g. single point of entry, reception or security desk, sign-in/sign-out log, temporary/visitor badges)? | |
| 4 | Are visitors escorted into and out of controlled areas? | |
| 5 | Are your PCs inaccessible to unauthorized users (e.g. located away from public areas)? | |
| 6 | Are your computing area and equipment physically secured? | |
| 7 | Are screens automatically locked after 10 minutes of being idle? | |
| 8 | Do you have procedures for protecting data during equipment repairs? | |
| 9 | Do you have policies covering laptop security (e.g. cable lock or secure storage)? | |
| 10 | Do you have an emergency evacuation plan, and is it up to date? | |
| 11 | Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency? | |
| 12 | Are key personnel aware of which areas and facilities need to be sealed off and how? | |

Personal Security

| No. | Question | Response |
|---|---|---|
| 1 | Do staff wear ID badges? | |
| 2 | Does the ID badge include an up-to-date photo of the holder of the badge? | |
| 3 | Are authorized access levels and type (for employees, contractors, visitors and other external parties) identified on the badge? | |
| 4 | Do you check the credentials of external parties? | |
| 5 | Do you have policies addressing background checks for employees and external parties? | |
| 6 | Do you have a process for effectively cutting off access to facilities and information systems when an employee or contractor terminates employment? | |

Account Management

| No. | Question | Response |
|---|---|---|
| 1 | Do you have policies and standards covering electronic authentication, authorization, and access control of personnel and resources to your information systems, applications and data? | |
| 2 | Do you ensure that only authorized personnel have access to your computers? | |
| 3 | Do you require and enforce appropriate passwords? | |
| 4 | Are your passwords secure (not easy to guess, regularly changed, no use of temporary or default passwords)? | |

Confidentiality of sensitive data

| No. | Question | Response |
|---|---|---|
| 1 | Do you classify your data, identifying sensitive data versus non-sensitive data? | |
| 2 | Are you undertaking your responsibilities to protect sensitive data under your control? | |
| 3 | Is the most valuable or sensitive data encrypted? | |
| 4 | Do you have a policy for identifying the retention of information (both hard and soft copies)? | |
| 5 | Do you have procedures in place to deal with credit card information? | |
| 6 | Do you have procedures covering the management of personal private information? | |
| 7 | Is there a process for creating retrievable backup and archival copies of critical information? | |
| 8 | Do you have procedures for disposing of waste material? | |
| 9 | Is waste paper binned or shredded? | |
| 10 | Is your shred bin locked at all times? | |
| 11 | Do your policies for disposing of old computer equipment protect against loss of data (e.g. by reading old disks and hard drives)? | |
| 12 | Do your disposal procedures identify appropriate technologies and methods for making hardware and electronic media unusable and inaccessible (e.g. shredding CDs and DVDs, electronically wiping drives, burning tapes, etc.)? | |

Disaster Recovery

| No. | Question | Response |
|---|---|---|
| 1 | Do you have an up-to-date business continuity plan? | |
| 2 | Is there a process for creating retrievable backup and archival copies of critical information? | |
| 3 | Do you have an emergency/incident management communications plan? | |
| 4 | Do you have a procedure for notifying authorities in the case of a disaster or security incident? | |
| 5 | Does your procedure identify who should be contacted, including contact information? | |
| 6 | Is the contact information sorted and identified by incident type? | |
| 7 | Does your procedure identify who should make the contacts? | |
| 8 | Have you identified who will speak to the press/public in the case of an emergency or an incident? | |
| 9 | Does your communications plan cover internal communication with your employees and their families? | |
| 10 | Can emergency procedures be appropriately implemented, as needed, by those responsible? | |

Security Awareness and Education

| No. | Question | Response |
|---|---|---|
| 1 | Are you providing information about information security to staff? | |
| 2 | Do you provide training on information security to staff on a regular basis? | |
| 3 | Are employees taught to be alert to possible security breaches? | |
| 4 | Are your employees sensitised to keeping their passwords secure? | |
| 5 | Are your employees able to identify and protect classified data, including paper documents, removable media, and electronic documents? | |
| 6 | Does your staff awareness and education plan teach proper methods for managing credit card data (PCI standards) and personal private information (social security numbers, names, addresses, phone numbers, etc.)? | |

Compliance and audit

| No. | Question | Response |
|---|---|---|
| 1 | Do you review and revise your security documents, such as policies, standards, procedures and guidelines, on a regular basis? | |
| 2 | Do you audit your processes and procedures for compliance with established policies and standards? | |
| 3 | Do you test your disaster recovery plans on a regular basis? | |
| 4 | Does management regularly review the lists of individuals with physical access to sensitive facilities or electronic access to information systems? | |