Guidelines on Implementation
The MFSA ICT Guidance document provides guidelines on the implementation of the following arrangements:
Requirements for Cloud Computing implementation and the management of the underlying architecture are laid out, and responsibilities for ensuring Disaster Recovery provisions are addressed. Technology Arrangements must also make provisions for security monitoring and data loss prevention (DLP), whilst allowing audits and investigations to be conducted freely and without restriction.
ICT & Security Risk Management
An ICT Governance framework and Strategy should be followed, managing the risks that Technology Arrangements face in order to achieve the expected business outcomes. The implementation should safeguard Information Security through ICT Risk Management, supported by adequate Business Continuity Management and additional formalised Operational, Project and Change Management procedures.
Licensed firms should ensure the implementation of an outsourcing governance framework, which should require an assessment of third parties for the identification of outsourcing arrangements. The policy should clearly align with the existing risk management framework and outline aspects such as business continuity, conflict of interest, and internal audit, whilst the overall outsourcing process should be well-defined.