Third: Supervisory Procedures
| No: 42063179 | Date(g): 17/4/2021 | Date(h): 6/9/1442 | Status: In-Force |
Effective from Sep 30 2021 - Sep 29 2021
To view other versions open the versions tab on the right
Banks must adhere to the required maturity level as outlined in the Information Security Regulatory Guide and the Business Continuity Regulatory Guide, with particular attention to the following:
| 1. | The information security policy must address aspects related to employees’ information security and be reviewed periodically, including but not limited to the following: | ||||
| a. | Define system access rights and verify the identity of individuals accessing the systems. | ||||
| b. | Align system access rights with job roles and specify access levels for each role | ||||
| c. | Password Management, including the following: | ||||
| 1- | Passwords should include a mix of numbers, letters, and symbols. | ||||
| 2- | Require password changes every three months | ||||
| 3- | Lock user accounts after three consecutive incorrect login attempts, with recovery procedures defined by the bank’s internal policy. | ||||
| 4- | Emphasize the importance of keeping user accounts and login credentials confidential. | ||||
| d. | Restrict access to banking systems and devices according to best practices and business needs, based on the "Need-to-Know" principle. For example, hide customer balances from employees who do not need this information for their tasks. | ||||
| e. | Define security practices and policies to maintain information confidentiality | ||||
| f. | Identify and address unsafe and improper banking practices | ||||
| g. | Develop scenarios for detecting suspicious activities during system access. | ||||
| h. | Prohibit copying, sharing data, or installing software without authorized approva | ||||
| i. | Implement procedures for login, logout, data saving, and ensure screens are locked when not in use | ||||
| j. | Base authentication and access controls on the risks and sensitivity of the systems and data being accessed. | ||||
| 2- | Regularly review the minimum access permissions for banking systems and operations, and document these reviews in audit logs. | ||||
| 3- | Hide signatures and balances for accounts that are dormant or inactive. | ||||
| 4- | Monitor employee accounts used to access banking systems, and automatically log all account access activities for at least five years. The logs should include: | ||||
| a. | Employee name and ID. | ||||
| b. | IP Address. | ||||
| c. | Date and time of access. | ||||
| d. | Access level. | ||||
| e. | Authentication details. | ||||
| f. | Action taken. | ||||
| 5- | Implement necessary technical and security measures to accurately identify employees using computer systems or banking systems. | ||||
| 6- | Restrict access to banking systems from branch computers after official working hours and establish precautionary measures for access outside regular hours if needed. | ||||
| 7- | Ensure the availability of alternative plans and solutions to guarantee business continuity and secure access to banking systems. | ||||
| 8- | Take necessary actions if unauthorized access to customer data is detected. | ||||
| 9- | Verify access permissions for administrative and key employees only. Limit IT and support staff access to network maintenance without access to confidential customer information. | ||||
| 10- | Verify that maintenance teams are pre-approved and listed by the relevant department before beginning any work on branch systems. Implement adequate supervisory procedures. | ||||