
Data Security Compliance with the Guideline on ICT Security in Bangladesh


Bangladesh Bank introduced the latest Guideline on ICT Security – version 4.0, which outlines how Banks and Financial Organisations (FOs) should manage IT and security risks and provides the Bank/FO with a better understanding of supervisory expectations regarding the management of IT and security-related risks. Guideline on ICT Security – version 1.0 was first launched in October 2005; version 4.0 is the latest and was released in April 2023.

The increasing complexity of information and communication technology (ICT) and consequent security risks have significant adverse impacts on the operations of financial organisations that might negatively affect the customers’ interest, the organisation's reputation and the nation’s economy. Therefore, appropriate controls are required for an information security programme with a broad and multi-layered security strategy.

Thales offers integrated data security solutions that enable Banks and Financial Organisations to align with various chapters in the Guideline on ICT Security.


Regulation Overview

The Guideline on ICT Security applies to Banks, Non-bank Financial Institutes (NBFIs), Mobile Financial Service Providers (MFSPs), Payment Service Providers (PSPs), Payment System Operators (PSOs), White Label ATMs and Merchant Acquirers (WLAMA) and other financial service providers regulated by Bangladesh Bank.

This Revised ICT Guideline defines minimum control requirements to which each organisation must adhere. The primary objectives of the Guideline are to:

  1. Establish ICT Governance in the Financial Sector
  2. Help Organisations develop their own ICT Security Policy
  3. Establish a standard ICT Security Management approach
  4. Help Organisations develop secure and reliable ICT infrastructure
  5. Establish a secure environment for the processing of data
  6. Establish a holistic approach to ICT Risk management
  7. Establish a procedure for Business Impact Analysis in conjunction with ICT Risk Management
  8. Develop awareness of stakeholders’ roles and responsibilities for the protection of information
  9. Prioritise information and ICT systems and associated risks that need to be mitigated
  10. Establish an appropriate project management approach for ICT projects
  11. Ensure industry-standard best practices in the use of technology
  12. Develop a framework for timely and effective handling of operation and information security incidents
  13. Mitigate any interruption to business activities, protect critical business processes from the effects of significant failures of information systems or disasters, and ensure timely resumption
  14. Define necessary controls required to protect data transmitted over communication networks
  15. Ensure that security is integrated throughout the lifecycle of information system acquisitions, development and maintenance
  16. Minimise security risks for electronic banking infrastructure, including ATM and POS devices, payment cards, internet banking, mobile financial services, etc.
  17. Build awareness and train the users associated with ICT activities for achieving the business objectives
  18. Harbour safe and secure usage of emerging technologies.

Detailed requirements are outlined in 13 chapters.

Thales enables Banks and Financial Organizations in Bangladesh to align with the following six chapters in the Guideline on ICT Security.

Chapter 4: ICT Service Delivery Management

  • CipherTrust Cloud Key Management allows organisations to separate the keys from the data stored in the cloud, preventing unauthorised data access by the Cloud Service Provider. By using Hold-Your-Own-Key (HYOK) technology, organisations retain full control and ownership of their data by controlling access to the encryption keys.
  • Protect Data at Rest: CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases, among them CipherTrust Transparent Encryption and CipherTrust Tokenisation.
  • Protect Data in Motion: Thales High Speed Network Encryption (HSE) provides network-independent, data-in-motion encryption (layers 2, 3, and 4), ensuring data is secure as it moves from site to site or from on-premises to the cloud and back.

Chapter 5: Infrastructure Security Management

  • CipherTrust Data Discovery and Classification enables organisations to efficiently locate and classify structured and unstructured regulated data across multiple data sources as per major global and regional compliance requirements.
  • Thales High Speed Network Encryption (HSE) solutions provide network-independent data-in-transit encryption (layers 2, 3 and 4), ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back.
  • CipherTrust Transparent Encryption delivers database-agnostic data-at-rest encryption with centralised key management, privileged user access control, and detailed data access audit logging, which helps organisations meet compliance and best-practice requirements for protecting data.
  • Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as a service and across hybrid environments, and allow keys to be backed up to FIPS 140-2 Level 3 compliant Backup HSMs.
  • Thales Key Management offerings streamline and strengthen key management in cloud and enterprise environments over a diverse set of use cases. Leveraging FIPS 140-2-compliant virtual or hardware appliances, Thales key management tools and solutions deliver high security to sensitive environments and centralise key management for home-grown encryption, as well as third-party applications.

Chapter 9: Business Continuity Management

  • Sensitive information on tapes or disks can be secured with the CipherTrust Data Security Platform, which ensures the data is encrypted before being stored and transported. Thales Key Management integrates with the leading backup solution vendors to manage the backup encryption keys and to keep the data separate from the keys. It also secures the data before it is backed up and stored on removable media.

Chapter 10: Acquisition and Development of Information Systems

  • CipherTrust Secrets Management (CSM) is a state-of-the-art secrets management solution, powered by Akeyless, which protects and automates access to mission-critical secrets across DevOps tools and cloud workloads, including credentials, certificates, API keys, and tokens.
  • CipherTrust Data Protection Gateway offers transparent data protection to any RESTful web service or microservice leveraging REST APIs.

Chapter 11: Digital Payment Security

  • PayShield 10k HSM is a payment hardware security module (HSM) used extensively throughout the global payment ecosystem by issuers, service providers, acquirers, processors and payment networks. It plays a fundamental security role in securing the payment credential issuing, user authentication, card authentication and sensitive data protection processes for both face-to-face and digital remote payments.

Chapter 14: Emerging Technology Management

  • Thales Luna Network HSMs are designed to store the private keys used by blockchain members to sign all transactions in a FIPS 140-2 Level 3 dedicated cryptographic processor. Keys are stored in the HSM throughout their lifecycle, ensuring cryptographic keys cannot be accessed, modified or used by unauthorised devices or people.
