Thales banner

Data Security Compliance with the Guideline on ICT Security
in Bangladesh

Test

Bangladesh Bank introduced the latest Guideline on ICT Security – version 4.0 that outlines how Banks and Financial Organizations (FOs) should manage IT and security risks and provide the Bank/FO with a better understanding of supervisory expectations regarding managing IT and security-related risks. Guideline on ICT Security – version 1.0 was first launched in Oct 2005, Version 4.0 is the latest and released in April 2023.

The increasing complexity of information and communication technology (ICT) and consequent security risks have significant adverse impacts on the operations of financial organizations that might negatively affect the customers’ interest, the organization's reputation and the nation’s economy. Therefore, appropriate controls are required for an information security program with a broad and multi-layered security strategy.

Thales offers integrated data security solutions that enable Banks and Financial Organizations to align various chapters in the Guideline on ICT Security.

  • Regulation
  • Compliance

Regulation Overview

Guideline on ICT Security applies to Bank, Non-bank Financial Institute (NBFI), Mobile Financial Service Providers (MFSP), Payment Service Providers (PSP), Payment System Operator (PSO), White Label ATMs and Merchant Acquirers (WLAMA) and other financial service providers regulated by Bangladesh Bank.

This Revised ICT Guideline defines minimum control requirements to which each organization must adhere. The primary objectives of the Guideline are to:

  1. Establish ICT Governance in the Financial Sector
  2. Help Organizations develop their own ICT Security Policy
  3. Establish standard ICT Security Management approach
  4. Help Organizations develop secure and reliable ICT infrastructure
  5. Establish a secure environment for the processing of data
  6. Establish a holistic approach to ICT Risk management
  7. Establish a procedure for Business Impact Analysis in conjunction with ICT Risk Management
  8. Develop awareness of stakeholders’ roles and responsibilities for the protection of information
  9. Prioritize information and ICT systems and associated risks that need to be mitigated
  10. Establish appropriate project management approach for ICT projects
  11. Ensure best practices (industry standard) of the usage of technology
  12. Develop a framework for timely and effective handling of operation and information security incidents
  13. Mitigate any interruption to business activities and protect critical business processes from the effects of significant failures of information systems or disasters and ensure timely resumptions
  14. Define necessary controls required to protect data transmitted over communication networks
  15. Ensure that security is integrated throughout the lifecycle of information system acquisitions, development and maintenance
  16. Minimize security risks for electronic banking infrastructure, including ATM and POS devices, payment cards, internet banking, mobile financial services, etc.
  17. Build awareness and train the users associated with ICT activities for achieving the business objectives
  18. Harbor safe and secure usage of emerging technologies.

Detailed requirements are outlined in 13 chapters.

Thales enables Banks and Financial Organizations in Bangladesh to align with the following six chapters in the Guideline on ICT Security.

Chapter 4: ICT Service Delivery Management

  • CipherTrust Cloud Key Management allows organizations to separate the keys from the data stored in the cloud, preventing unauthorized data access by the Cloud Service Provider by using the Hold-Your-Own-Key (HYOK) technology, organizations retain full control and ownership of their data by controlling encryption key access.
  • Protect Data at Rest: CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them: CipherTrust Transparent Encryption and CipherTrust Tokenization.
  • Protect Data in Motion: Thales High Speed Network Encryption (HSE) provide network-independent, data-in- motion encryption (layers 2, 3, and 4) ensuring data is secure as it moves from site-to-site or from on-premises to the cloud and back.

Chapter 5: Infrastructure Security Management

  • CipherTrust Data Discovery and Classification enables organizations to efficiently locate and classify structured and unstructured regulated data across multiple data sources as per major global and regional compliance requirements.
  • Thales High Speed Network Encryption (HSE) solutions provide network-independent data-in-transit/ motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back.
  • CipherTrust Transparent Encryption delivers database agnostic data-at-rest encryption with centralized key management, privileged user access control, and detailed data access audit logging that helps organizations meet compliance and best practice requirements for protecting data.
  • Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as-a-service, across hybrid environments and allow taking backup of keys in FIPS 140-2 level 3 compliant Backup HSMs.
  • Thales Key Management offerings streamline and strengthen key management in cloud and enterprise environments over a diverse set of use cases. Leveraging FIPS 140-2-compliant virtual or hardware appliances, Thales key management tools and solutions deliver high security to sensitive environments and centralize key management for home-grown encryption, as well as third-party applications.

Chapter 9: Business Continuity Management

  • Sensitive information in tapes or disks can be secured with CipherTrust Data Security Platform which ensures the data is encrypted before being stored and transported. Thales Key Management integrates with the leading backup solution vendors to manage the backup encryption keys and to separate the data from the keys. It also secures the data before it is backed up and stored in the removable media.

Chapter 10: Acquisition and Development of Information Systems

  • CipherTrust Secrets Management (CSM) is a state-of-the-art Secrets Management solution, powered by the Akeyless, which protects and automates access to mission-critical secrets across DevOps tools and cloud workloads, including secrets, credentials, certificates, API keys, and tokens.
  • CipherTrust Data Protection Gateway offers transparent data protection to any RESTful web service or microservice leveraging REST APIs.

Chapter 11: Digital Payment Security

  • PayShield 10k HSM is a payment hardware security module (HSM) used extensively throughout the global payment ecosystem by issuers, service providers, acquirers, processors and payment networks. It plays a fundamental security role in securing the payment credential issuing, user authentication, card authentication and sensitive data protection processes for both face-to-face and digital remote payments.

Chapter 14: Emerging Technology Management

  • Thales Luna Network HSMs are designed to store the private keys used by blockchain members to sign all transactions in a FIPS 140-2 Level 3 dedicated cryptographic processor. Keys are stored throughout their lifecycle; ensuring cryptographic keys cannot be accessed, modified or used by unauthorized devices or people.

Recommended Resources

Data Security Compliance with the Guideline on ICT Security in Bangladesh

Data Security Compliance with the Guideline on ICT Security in Bangladesh - Compliance Brief

Bangladesh Bank introduced the latest Guideline on ICT Security – version 4.0 that outlines how Banks and Financial Organizations (FOs) should manage IT and security risks and provide the Bank/FO with a better understanding of supervisory expectations regarding managing IT and...

Addressing The Requirements of The Framework for Adoption of Cloud Services by SEBI Regulated Entities

Addressing The Requirements of The Framework for Adoption of Cloud Services by SEBI Regulated Entities - Compliance Brief

This framework is a crucial addition to SEBI’s existing guidelines on cloud computing and is designed to help REs implement secure and compliant cloud adoption practices in India.

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

Best Practices for Cloud Data Protection and Key Management - White Paper

Best Practices for Cloud Data Protection and Key Management - White Paper

This paper describes security best practices for protecting sensitive data in the public cloud, and explains concepts such as BYOK, HYOK, Bring Your Own Encryption (BYOE), key brokering and Root of Trust (RoT). It explains the level of data protection that can be achieved by...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.