The MFSA’s Guidance Document on ICT Related Arrangements, published on 11 December 2020, contains multiple elements which licence holders must, or should, consider as part of their implementation of governing ICT and Security frameworks.
The importance of a proportional security governance framework
The Guidance Document places substantial importance on cybersecurity practices and principles which enable and enhance information security within the organisation. It outlines the relevance, benefits and importance of internationally recognised standards and frameworks such as ISO 27001:2017, the NIST Cybersecurity Framework and the CIS Critical Security Controls and Objectives, which should form the basis of the organisation’s internally adopted security framework and are essential when implementing effective controls to tackle common risks.
The MFSA recognises the increased reliance on Technology Arrangements by licence holders as part of critical business processes, as well as the exponentially increasing attack surface introduced through cloud-based infrastructure and geographically dispersed data storage or services. In addition, the recent surge in remote access to company resources and assets also presents new risks. For this reason, the Authority has identified the need for a proportional security governance framework tied into the organisation’s risk management framework.
Policies and Procedures
As part of the framework, organisations should define a set of governing policies and procedures which cover areas such as logical and physical access to information assets, as well as operational controls targeted towards vulnerability management, configuration standards, network security, cryptography and data classification, among others.
Ongoing monitoring
The Guidance Document also emphasises the importance of implementing ongoing monitoring processes as part of day-to-day operations, so that possible exploitation of critical systems and information assets, as well as non-compliance with internal policies by employees, can be detected proactively. An effective framework shall also consider the requirement for ongoing assessments of the organisation’s cybersecurity posture through annual testing of critical information systems, both internally and through independent assessments such as penetration tests. The entity’s security training and awareness programme also ties into this, by ensuring that staff are aware of information security practices and risks, and by providing dedicated courses for individuals occupying key positions within the organisation.
BDO Malta has the skills and know-how required to help your organisation assess and work towards its compliance with the MFSA’s guidance. Our experienced team of CISA and ISO 27001 certified professionals can effectively assist in assessing compliance gaps by adopting a pragmatic approach, and can provide clear recommendations on how to remediate and align with the expected standards and requirements.