Third: Supervisory Procedures
| No: 42063179 | Date(g): 17/4/2021 | Date(h): 6/9/1442 | Status: In-Force |
Translated Document
Effective from Sep 30 2021 - Sep 29 2021
To view other versions open the versions tab on the right
Banks must adhere to the required maturity level as Cyber Security Framework and the Business Continuity Management Framework, with particular attention to the following:
| 1. | The information security policy must include aspects related to the information security of employee activities and should be reviewed periodically, with a minimum of the following: | ||||
| A. | Access rights to banking systems and verification of the identity of the individual performing the access. | ||||
| B. | Tying access rights to banking systems to job grades and specifying the level of access for each job grade. | ||||
| C. | Password management, including the following: | ||||
| 1- | The password must consist of numbers, letters, and symbols. | ||||
| 2- | The password must be changed every three months. | ||||
| 3- | If employees enter their banking system login credentials incorrectly three consecutive times, the username will be suspended and will only be restored according to specific procedures outlined in the bank's internal policy. | ||||
| 4- | Employees must be reminded to safeguard their user accounts or login credentials and not to disclose or share them. | ||||
| D. | Restricting access to devices and systems used in banks according to recognized best practices in information security and business needs, based on the principle of 'Need-to-Know.' For example, customer balances should be hidden from employees whose job functions do not require access to that information. | ||||
| Eـ. | Defining security practices and policies to maintain the confidentiality of information. | ||||
| F. | Identifying unsafe and improper banking practices. | ||||
| G. | Developing scenarios to detect suspicious activities when accessing the systems. | ||||
| H. | Prohibiting the copying or sharing of data or the installation of software without the approval of the authorized person. | ||||
| I. | Establishing procedures for logging in, logging out, and saving, and ensuring that data screens are closed when not in use. | ||||
| J. | Authentication and access controls should be based on the risks and sensitivity of the systems and data to be accessed. | ||||
| 2- | Reviewing the minimum access rights for entering banking systems, conducting operations, and accessing account data periodically, and documenting this in the periodic review records. | ||||
| 3- | Hiding signatures and balances of clients for all accounts that are dormant or unclaimed. | ||||
| 4- | Monitoring employee accounts designated for accessing banking systems, and automatically storing all login activity related to bank account information for a minimum of five years for reference when needed. This stored information should include at least the following: | ||||
| A. | Employee name and employee ID. | ||||
| B. | Internet Protocol Address “IP Address”. | ||||
| C. | Date and time of access. | ||||
| D. | Access rights. | ||||
| Eـ. | Authentication. | ||||
| F. | The procedure executed. | ||||
| 5- | Implement all necessary technical and security controls to accurately identify the employee using the computer or any banking systems. | ||||
| 6- | Restrict access to banking systems from computers located in branches after official working hours, and implement necessary precautionary measures for accessing banking systems outside of regular working hours. | ||||
| 7- | Ensure the availability of contingency plans and solutions to guarantee business continuity and enable secure access to banking systems. | ||||
| 8- | Taking necessary measures in the event that customer data is accessed by an unauthorized individual. | ||||
| 9- | Ensuring access privileges are granted only to administrative staff and key employees, while restricting specialized personnel—such as IT and technical support staff—to network maintenance without access to confidential customer information. | ||||
| 10- | In the case of maintenance work on branch systems, it is essential to verify that the maintenance team is among those listed and sent by the relevant management before commencing the required tasks, along with implementing sufficient oversight procedures. | ||||