Supervision guidelines

External Systems Audit

The External Systems Audit Management, in response to the evolution of the technological infrastructure of the financial system, driven by the continuous incorporation of new resources and functionalities, created the Internal Commission for New Technologies. Its role is to analyse the impact of technological innovation and to analyse and define new supervisory practices for institutions, in line with the changes that are foreseen or detected.

This commission defined the preparation of a series of documents setting out the procedures for reviewing the controls implemented by financial institutions. Their publication responds to three fundamental objectives:

• Provide greater transparency to the process of monitoring control objectives related to the technology, systems, and information security of entities.
• Keep supervisory practices up to date in a context of important changes and innovations.
• Promote the implementation of robust control systems in financial institutions.

In this context, supervision guides were developed that aim to align the methodological framework with the technological scenario described.

Cybersecurity and Cyber Resilience Monitoring Guides

The supervisory procedures will be aimed at determining the implementation of controls that allow financial institutions to adequately manage cybersecurity and cyber resilience. Among other aspects, the following will be evaluated:

Structure, Roles, and Responsibilities:

• The existence of roles and functions linked to the management of cybersecurity/cyber resilience in order to minimise the negative impacts of real or future cyberattacks.
• Participation of the person responsible for managing cybersecurity/cyber resilience in the Information Technology Committee.

Strategy, policies, rules and procedures:

• The existence of a cybersecurity/cyber resilience strategy that makes it possible, in a coordinated and methodical way, to anticipate, withstand, recover from and evolve in the face of cyber threats.
• In risk management, the incorporation and identification of threats and vulnerabilities related to cybersecurity/cyber resilience.
• The promotion of personnel's knowledge and skills development in support of their missions and functions in achieving and maintaining operational cyber resilience and protection.
• The existence of initiatives and activities to raise awareness about cybersecurity/cyber resilience that incorporate practices in the organization through which the inherent risks associated with cyber threats can be reduced.

Monitoring and control management

• The existence of an internal control system that ensures the effectiveness and efficiency of operations by guaranteeing the operation of critical services and the assets that support them.
• The maintenance of a knowledge base containing all the cybersecurity events collected, making it possible to identify potential cyberattacks.
• Mechanisms to automatically identify and block unauthorized access to the network.
• Mechanisms for managing the use of privileged passwords and accounts.
• The existence of processes to prevent and detect information leakage.

Incident Management

• The existence of processes to identify and analyze events, detect incidents, and determine and apply an appropriate response.
• The existence of an area/sector for comprehensive incident management, to respond in a timely manner and at all levels related to cybersecurity.

Continuity management

The definition of continuity plans that include:
• the identification of possible scenarios related to cyberattacks that may affect the continuity of critical services;
• the alignment with the business needs that the entity has established in the BIA, and with the defined operational and/or technological risk management model; and
• the testing of possible scenarios related to cyberattacks that may affect the continuity of the critical services defined by the entity.

Third-Party Management

The existence of practices related to the hiring of third parties in which the following are considered:
• compliance with regulatory requirements;
• the establishment of roles and responsibilities;
• the identification of activities related to business continuity and availability;
• the powers of the supervisor and the entity to carry out audits; and
• the performance of tests on possible scenarios and the levels of security implemented linked to cyberattacks that may affect the continuity of the services provided by the third party.

Glossary of Terms

Cyber resilience: An organization’s ability to continue to operate with the least amount of disruption in the face of cyberattacks. It is an end-to-end approach, bringing together information security, business continuity, and the resilience of enterprise networks to ensure that the organization continues to function during cyberattacks and cyber outages.

Cyber event: Any observable occurrence in an information system. Cyber events sometimes indicate that a cyber incident is occurring.

Cyber alert: Notification that a specific cyber incident has occurred or a cyber threat has been directed at an organization’s information systems.

Cyber incident: A cyber event that, as a result of malicious or non-malicious activity:
– jeopardizes the cybersecurity of an information system or the information that the system processes, stores, or transmits; or
– violates security policies, security procedures, or acceptable use policies.

Cyber threat: A circumstance with the potential to exploit one or more vulnerabilities that negatively affects cybersecurity.

May 2019. Initial version.

Business Continuity Management Supervision Guide

The supervisory procedures will be aimed at determining the implementation of controls that allow entities to adequately manage Business Continuity.

Among other aspects, the following will be evaluated:

Business Continuity Management Program in the Culture of the Organization

• The creation of a Business Continuity Management (BCM) Program in accordance with the structure and volume of operations of the entity, which considers, among other aspects:

• The establishment of a Business Continuity Management Policy.
• Identification of business needs.
• The definition of a training and awareness program on technological resilience capabilities.
• Identification and treatment of risks.
• The recovery procedures adopted for different scenarios.

• The integration within the framework of the program of the different organizational hierarchies and technological infrastructures existing in the entity, as well as the services provided by related third parties.

• Understanding the level of awareness, knowledge, and training existing in the entity.

Structure, Roles, and Responsibilities

• The establishment of the Board of Directors or equivalent authority of the entity as the party primarily responsible for approving and supervising the execution of the Business Continuity Management Policy.

• The allocation of the necessary resources for the creation, maintenance and testing of operable and functional continuity plans, in accordance with the business requirements of the entity and the regulatory and control bodies.

• The formal designation of an area or sector, responsible for the coordination of the BCM Program and the activities related to the different stages established in it.

• The inclusion within the BCM Program of all stages of the process, from recovery during the contingency to the return to normality.

Business Continuity Management Policy

• The establishment of a BCM Policy that defines the scope and governance framework of the Business Continuity Program, provides the context of the activities that comprise it, and identifies the principles on which it is based.

• The alignment of the BCM Policy with the organization’s strategy (business, technology and systems, and asset protection), its objectives and its culture.

• The identification of the areas of the organization, the products and services included within the program, as well as the organization’s own and third-party processing sites.

Business Impact Analysis

• The responsibility of the Board of Directors or equivalent authority to oversee the execution of risk assessments to determine the impact of different events, both in terms of the magnitude of damage and the recovery period and return to normality.

• The implementation of a formally approved methodology for the management of business impact analysis (BIA), which considers the participation of technical and business personnel, the preparation of metrics for the determination of recovery strategies (RTO and RPO, among others), and outsourced technology services.

• The identification of events that may cause interruptions in the entity’s critical processes.

• The participation of the people who own the processes and resources of the business in the analysis.

• Consideration of all business processes, information processing facilities, and all related resources.

• The documentation of the results of the impact analyses and risk analyses carried out.

• The acknowledgment and approval of the results generated by the impact analyses by the Board of Directors or equivalent authority of the entity.

Risk and scenario assessment

• The development of threat scenarios that could alter business processes and the entity’s ability to meet customer expectations (internal or external), based on practical experiences, previous events and possible circumstances.

• The inclusion of threat scenarios of different levels of probability of occurrence and impact, from catastrophes (such as hurricanes), to minor incidents (e.g., brief power outages), which could affect personnel or specific work areas, facilities, systems, or geographic sites.

• The entity’s analysis of the geographical location of all facilities, its own and those of third parties, their susceptibility to threats, the proximity of critical infrastructures (energy sources, airports, main roads, railways, etc.), and the monitoring of external factors through fluid communication with civil and regulatory authorities.

• Prioritizing business processes based on the results of impact analyses and estimating how they could be disrupted under different defined threat scenarios.

Technological resilience

• The responsibility of the Board of Directors or equivalent authority in:

– The establishment of the direction and supervision of the entity’s technological resilience strategy implemented by Senior Management.
– Assessing the impact of business and policy decisions on the entity’s critical operations.
– The approval and review of the tolerance to the impact of the interruption of critical operations.
– Periodic review of the implementation of the bank’s operational resilience strategy.

• The identification of the human resources, technology, processes, information, facilities and their interconnections necessary to carry out the entity’s critical operations, including those that depend on third parties.

• The consideration of the following elements:

– Identification of critical assets and operations.
– Adequacy of resiliency practices, including adequacy of recovery infrastructure and backup processes.
– Implementation of cyber resilience measures flexible enough to adapt to a wide range of events.
– Implementation of incident responses, where steps are developed to respond and recover from any event.
– Integration with disaster recovery services to protect against data destruction.
– Evaluation of the alternative infrastructure for data communications between the entity and those who provide critical third-party services.
– Development of guidelines, in accordance with the size, complexity and risk profile of the entity, to diversify connections and mitigate the risk of a telecommunications failure.
– Assessment of the entity’s susceptibility to multiple threat scenarios in resilience planning, testing, and recovery strategies.
– Designation of emergency personnel, including for employees indispensable at the level of critical business processes.
– Existence of secure technical and telecommunications resources for personnel who must work from an alternative location.
– Allocation of alternative resources (e.g., staff and systems) for situations where primary services cannot be provided.
– Ability of an external service provider (third party) to meet the entity’s recovery objectives in service level agreements, in relation to the needs of other customers.
– Ability to move outsourced or decentralized processes, either internally or to another external service provider.
– Confidentiality, integrity and availability of data (e.g. portability and interoperability).
– Alternative energy sources (e.g., generators, uninterruptible power supply units (UPSs), and multiple power grids).
– Considerations related to the provision of fuel, both for what is available and contracts with suppliers for deliveries during events, and any potential impediments to obtaining fuel.

Business Continuity Strategies

• The development of business continuity strategies based on risk assessment and business impact analysis.

• The inclusion in continuity strategies of the following points:

– The allocation of resources to meet resilience and recovery objectives.
– The evaluation of aspects related to the transportation or accommodation of personnel in alternative facilities, the establishment of communication methods with personnel, customers and third parties, the definition of redundant work sites and/or manual processes for operations of business lines.
– Evaluation of data processing centers, geographic diversity, protection measures, and redundancy of energy sources.
– Cloud architectures, virtualization, and other technologies.
– Defined measures to mitigate specific or unique threats, such as loss of critical third-party services or cyber threats.
– The existence of alternatives to proprietary systems, user tools or critical non-computerised assets, given the significant and unique risks to an entity’s business activities.
– The assessment of voice and data access capabilities, of the technology infrastructure mapped to employee needs, and of internal and external capacity (including remote capability), to determine whether telework strategies are sufficient.
– Defining different combinations of backup, replication, and storage to achieve different levels of continuity and resiliency.

Business Continuity Plans (BCP)

• The establishment and implementation of plans, procedures and the definition of responsibilities for business continuity that involve all the entity’s personnel, depending on the organizational structure, technological complexity and turnover.

• The establishment of business continuity plans that allow:

– sustaining the development of operations during the period of restoration of technological services;
– reasonably ensuring the operational recovery of processes; and
– reducing the impact on activities and service in branches.

• The preparation of plans based on impact analyses and the evaluation of scenarios, whose main objective is the resumption of business processes.

• The existence of written and formally approved plans or procedures to address the continuity of data processing and related activities, and to provide an efficient and effective response in the event of contingencies or emergencies.

• The definition of plans that contain a simple, high-level overview of the recovery sequence for each scenario envisaged and refer to more detailed recovery procedures.

• The consideration in the plans of scenarios related to losses of databases, infrastructure equipment and critical systems, network connectivity, processing sites, provision of key services, among others.

• The inclusion of comprehensive recovery strategies to solve problems that may arise from internal and external interdependencies, based on the results of the impact analysis and the evaluation of the scenarios.

• The consideration of the following elements in the formation of continuity plans:

– Procedures for declaring a disaster (escalation) and criteria for activating plans.
– The details of those who provide services involved in contingency/emergency actions.
– The detail of the recovery teams and their associated responsibilities.
– Detailed procedures on recovery processes with identification of critical systems and components and their order or precedence of recovery, as well as communications facilities, and those returning to normal operation.
– The updated contact details of key personnel for each function in the execution of the plan and the modality of work as the case may be.
– Emergency communication procedures describing the actions to be taken after an incident has occurred and provisions for the management of effective links with civil and regulatory authorities.
– Logistical information on the location of key resources, including: alternative facilities, data backups, operating systems, applications, data files, operating manuals and documentation of programs/systems/users and copies of the continuity plan.
– Emergency procedures describing actions to be taken for the relocation of essential activities to alternative transitional locations, and for the restoration of business processes within the required timeframes.
– The inclusion of reconstruction plans for the recovery of all systems and resources.

Crisis or emergency management

• The approach to coordination with civil and regulatory authorities adopted by the function that leads the management of crises or emergencies under the Business Continuity Plans.

• The definition of scenarios that detail disruptions and are not limited to a single event, facility, or geographic area.

• The consideration in crisis or emergency management plans of scenarios related to the simultaneous interruption of telecommunications and electronic messaging, including between the entity, its personnel and those who provide external services.

• The designation of key personnel from the corresponding departments to act during a crisis or emergency situation, according to the size and complexity of the entity. Key personnel may include:

– Senior Management for leadership.
– Security management and the physical security of facilities.
– Human resources for personnel matters, travel and relocation.
– Media relations to manage communications.
– Finance and accounting for the disbursement of funds and financial decisions, including unanticipated expenses.
– Legal and compliance for legal and regulatory concerns.
– IT areas, including information security, and operations for specific tactical responses.

• The definition of communication protocols for crises or emergency events that include:

– Up-to-date, distributed, and accessible contact lists for key personnel.
– Alternative methods of communication with staff and other stakeholders, including staff located in isolated or dispersed areas, and
– Arrangements for contacting the entity when normal communication channels are not working.

Training, exercises and tests related to Business Continuity Strategies

• The inclusion of training as part of an effective business continuity program to educate stakeholders on resilience, business continuity goals, corporate objectives, policies, and individual staff roles and responsibilities.

• Senior Management’s consideration of current business continuity skills and identifying and addressing any gaps. Where appropriate, the establishment of goals and objectives to support the entity’s Business Continuity Management Program as part of the performance management process.

• Carrying out periodic tests of business continuity strategies, at least once a year, considering the following aspects:

– The simulation of established threat scenarios and the execution of the recovery strategies defined in the plans for each scenario, taking into account the conditions of provision of committed services during times of greatest activity.
– Verifying the comprehensive operation of all critical automated systems, in accordance with the business impact analyses carried out, in order to confirm that the plan is up to date and effective.
– Knowledge of the plans by the entire recovery team and other relevant personnel.

• Defining a frequency of execution of the exercises based on the size and complexity of the entity, the elements of the awareness program, the risks, and the iteration of the test program.

• The existence of a formal testing schedule indicating how each element of the plans is tested, and the date of execution of each of the tests.

• The participation in the tests of the user areas of the business processes, the related technical areas, the third parties involved, and internal audit.

• The inclusion of the following documentation in the test results:

– Dates and places.
– An executive summary comparing objectives and results.
– Material deviations from plans, including whether the intended participation was achieved.
– Problems identified and lessons learned.
– Assignment of responsibility for the timely resolution of identified issues.

• The analysis of the results of the exercises and tests, their comparison with the objectives and success criteria, and their reporting to the appropriate levels of management.

• Documentation of decisions to accept risks identified during the exercises for those items not remedied.

• The decisions taken by the Board of Directors or equivalent authority and Senior Management on the basis of the results of the exercises and tests, in order to determine compliance with the needs established in the impact analyses, the identification of possible failures or inconveniences and the appropriate solution to them.

Maintenance and updating of Business Continuity Plans

• The maintenance of the Business Continuity Plans through periodic reviews and updates to ensure their permanent effectiveness.

• The use of the results of the exercises and tests as an element for updating recovery strategies and continuity plans.

• The existence of written procedures to ensure that any changes to business processes and their related technology are reflected in updates to continuity plans.

• The designation of a formally identified responsible person for the maintenance and adaptation of the continuity plan, the execution of periodic reviews, the identification of changes and their updating.

• The establishment of a formal change control process that certifies the distribution of the updated plans to all responsible persons involved in their execution.

Third Parties

• In the process of analyzing a decentralization, contracting and/or subcontracting of third parties (including those who provide cloud services), the consideration by the entity of:

– The existence of plans and resources for the continuity of operations of the third parties involved.
– Their ability to recover and resume operations in the event of an unexpected service interruption.

• Establishing controls to ensure that external service providers are resilient and have adequate infrastructure and personnel to restore critical services in accordance with business and contractual requirements.

• The inclusion in the service level agreements of provisions that ensure the right of the entity to carry out or participate in the continuity tests carried out by third parties and the effectiveness of the aforementioned participation.

Glossary of Terms

Business Continuity: An organization’s strategic and tactical ability to plan for and respond to incidents and disruptions, in order to maintain the operations and critical technology services that support the business at a level that is acceptable to, and can be assumed by, that organization.

Business Continuity Management: A comprehensive management process that identifies potential technological threats to an organization and the impacts on business operations that those threats could cause, and that provides a framework for building organizational resilience with the capacity for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Business Continuity Plans: Documented collection of procedures and information for use in an incident with the goal of enabling an organization to continue to deliver its critical products and services at an acceptable level.

Technological resilience: It is the ability to prepare for and adapt to changing conditions, resist and recover quickly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, threats, or natural incidents.

June 2020. Initial version.

Information Technology Management Supervision Guide

The supervisory procedures will be aimed at determining the implementation of controls that allow the entities to properly manage information systems, information technology and their associated resources.

Among other aspects, the following will be evaluated:

Information Technology Strategy

• In accordance with the operations, processes and organizational structure of the entity, the existence of a strategy that optimizes effectiveness in the administration, control and continuous improvement of the management of information technology resources, ensuring their alignment with the strategic objectives and a direct relationship between the needs of the business and the solutions and services provided.

• The definition of strategic objectives composed of goals and courses of action necessary for their fulfillment, including long-term objectives, investments and the budget of information technology, as well as the presentation of periodic reports and management controls.

• The existence of formalized planning, under the mechanisms defined by the Board of Directors or equivalent authority, that supports the strategic objectives, contains a schedule of projects, and makes it possible to demonstrate the degree of progress, the assignment of priorities, the resources and the sectors involved.

• The definition of mechanisms for reviewing and analysing planning, including risk identification processes to avoid exposures or other deficiencies that limit or hinder its implementation.

Enterprise Architecture

• According to the operations, processes and organizational structure of the entity, the existence of an architecture or framework model that provides direction, principles, standards and sound practices, to improve the design and maintenance of the present and future technological infrastructure.

• Depending on the model chosen, the inclusion in the architecture of the following aspects:

– Business processes
– Equipment
– Base (system) software
– Tools
– Applications
– Channels
– Middleware
– Data
– Security measures
– Connectivity measures
– Third parties

• The alignment of the defined or projected architecture with the information technology strategy, the information asset protection strategy and the established data management model.

Investments, portfolio and budget

• The existence of a budget to manage financial activities related to information technology, covering: the management of costs, benefits and the prioritization of expenditures through the use of budgeting practices.
• The mechanisms for the continuous evaluation of the investments made for the fulfillment of the projects related to information technology and their correspondence with the assigned budget, identifying and formally and timely communicating the deviations in their execution.
• The mechanisms for measuring the non-financial benefits resulting from the investment made in information technology based on the strategic business plans.

Project Management

• In accordance with the operations, processes and organizational structure of the entity, the establishment of a project management area, in order to achieve adequate performance and follow-up of projects, considering the interrelationship between the product, its duration and the assigned budget.
• The existence of a policy that allows the management and control of projects related to: the acquisition and development of systems, migrations, changes in technological infrastructure, maintenance of applications, and outsourcing/decentralization of activities and/or services, among others.
• The definition of a management model that allows understanding the different stages of each project considering the different existing methodologies.
• The development of documentation at each stage of the project and its link with business needs according to its strategic objectives.
• The existence of a schedule of activities that includes: the tasks to be carried out, the allocation of resources, times, milestones, priorities and the degree of progress, among others.
• Mechanisms to establish adequate means of communication throughout the different stages of the project in order to verify compliance, identifying deviations.

Demand management

• The existence of a demand management process that allows efficient planning of business requirements, based on existing resources, projects and budgets.
• In accordance with the operations, processes and organizational structure of the entity, the establishment of a demand management area in order to centralize the attention to requirements and to carry out the intermediation between the information technology areas and the business areas.
• The link of the adopted solution with the IT strategy, the enterprise architecture and the data management model.

Data Management

• The existence of a model for data management that allows a broad vision to be adopted, to manage all the data linked to business processes and to support the integration needs between the different applications.
• In accordance with the operations, processes and organizational structure of the entity, the establishment of an area or sector in charge of data management.
• The link of the chosen model with the information technology strategy, the information asset protection strategy, the classification of the assets and the defined business architecture.
• Based on the main goals and objectives of data management, the inclusion of the following actions:

– Define, approve, and communicate data strategy, policies, standards, architecture, and metrics
– Track and enforce compliance with data policies, standards, and architecture
– Sponsor, control and supervise the execution of data management projects and services
– Manage and resolve data-related issues
– Understand and promote the value of data assets

Risk Management

• Based on the current standards on “Guidelines for Risk Management in Financial Institutions” and “Aggregation of Risk Data and Reporting”, the establishment of a risk management program that allows for the identification, analysis and treatment of existing vulnerabilities and threats for all the information technology resources used.
• The existence of a methodology integrated into the formally established operational risk management model.

• The execution of risk analyses on information systems, information technology and their associated resources, including those that have been transferred to third parties.

• Carrying out risk assessments prior to the implementation of new technologies or for the development of new products.

• The implementation of mechanisms that allow the results obtained on the detected risks, and the acceptable margins of the resulting residual risks, to be communicated in a timely manner to the Board of Directors or equivalent authority.

• Depending on the risks detected, the existence of a plan for their remediation and monitoring, which allows reducing the risk exposure of information assets to tolerable margins.

• The existence of assessments of the potential impact of decentralization and outsourcing agreements in relation to their operational risk, prior to the start of the relationship and during the course of the relationship. The identification of feasible risk scenarios, including situations that lead to operational risks, considering, among others, the following:

– the concentration of activities and/or services in the same provider entity (which, in turn, provides activities and/or services to “n” organizations);
– scenarios related to activities and/or services that have been outsourced; and
– the characteristics and conditions of provision that determine a significant degree of dependence (“vendor lock-in risk”).

Structure and dependence of the Information Technology area

• In accordance with the operations, processes and organizational structure of the entity, the establishment of an area that includes functions related to: architecture, applications, data, technology, technical support and support for users, operations, project management, third-party management and omnichannel, among others.

• The existence of human capital in information technology with sufficient capabilities and skills to respond to the current and future operational needs of the area. The integration of human capital management in order to ensure optimal development of tasks and activities, through programs that include: performance evaluations, knowledge transfer mechanisms, rotation of tasks and functions, among others.

• The management and compliance, by the person responsible for the area, of the information technology strategy and the implementation and maintenance of the policies, in accordance with the guidelines established by the Board of Directors or equivalent authority.

• The existence of documentation that describes in detail the roles and responsibilities of the human capital that makes up the information technology area and its associated sectors.

• According to the operations, processes and organizational structure of the entity, the existence of information that allows understanding and documenting an adequate segregation of functions between roles, responsibilities and hierarchies.

• In the event of limitations in the structure that do not allow the segregation of some incompatible functions, the existence of exception mechanisms through the performance of risk analyses that are correctly justified, documented and approved by the Board of Directors or equivalent authority.

Policies, Rules, and Procedures

• The existence of policies, standards and procedures that allow for the management, control and documentation of information technology activities and all processes. The level of detail will depend on the complexity of the environment and the needs required by the business.

• The establishment of a “zero standard” or “base standard”, which will define the guidelines and standards to structure the assembly of the documents and achieve uniformity and homogeneity in their development.

• The implementation of mechanisms for their publication, formal communication, periodic updating and assignment of responsibilities, which constitute the basis for the coordination and performance of tasks and that allow training on activities related to information technology and directly or indirectly related to business processes.

Management control

• The existence of a control framework over the activities carried out by the sectors that make up the information technology area, through the implementation of mechanisms that allow continuous monitoring of the tasks carried out, including tools and metrics to measure the level of compliance according to the needs.

• The preparation of reports or control reports that allow the continuous performance of information technology resources to be measured and that contribute to the fulfillment of business objectives.

• The mechanisms that allow the results of the management of the area to be made known to the higher authorities.

Third-Party Management

• The existence of mechanisms to efficiently manage the decentralization and outsourcing of activities, with the aim of complying with what is defined in the information technology strategy, the business architecture and the information asset protection strategy, considering the search and selection of providers, relationship management, contractual linkage and the review and supervision of the performance of third parties.

• The establishment of a policy that allows for the creation of a life cycle that contemplates the implementation of instances applied in a comprehensive and constant manner, with the aim of planning, selecting, agreeing, supervising and finalizing the relationship with third parties.

• In accordance with the entity’s operations, processes and organizational structure, the establishment of a sector or a third-party management function that concentrates activities related to the establishment of the single control environment and unified access points, as appropriate.

• Prior to the start of the relationship, the evaluation of the criticality of the activities to be decentralized and/or outsourced, considering the instruments established in current regulations, such as: impact analysis and classification of assets, among others.

• The implementation of an inventory of contracted services and/or delegated activities, which includes a categorization of providers and their criticality, which identifies the control environment related to the administration and operation of information technology and information systems. In the event that the decentralization/outsourcing of activities is carried out in one or more locations, the identification of the control scheme corresponding to each delegated activity.

• The inclusion, within the letters of offer, contracts and/or service level agreements, of clauses that establish that the primary provider has full responsibility for all the services that the latter and the subcontractors provide, including the activities provided from a country other than the registered location.

• The extension to the subcontractor of compliance with all applicable laws, regulatory requirements and contractual obligations, and the granting to the competent entity and supervisory authority of the same contractual rights of access and audit as those granted by the primary provider, especially when the subcontracted services involve a high level of criticality and technical complexity.

• The implementation of a formal completion strategy for the decentralization and/or outsourcing of critical processes, which makes it possible to delink from service provision agreements, without generating interruptions in the development of activities, limiting compliance with regulatory requirements, or compromising the continuity and quality of the services provided. This strategy will be shaped by the development of scenarios to deal with forced departures (for example, after a failure or insolvency of the person providing the services) and planned/managed departures motivated by commercial, performance or strategic reasons (stress-free exit).

• The execution of periodic audits by the entity on those who provide outsourced or decentralized computer services, which allows the evaluation of the comprehensive management of these by said providers, keeping the Board of Directors or equivalent authority informed about their conclusions.

Glossary of Terms

Enterprise architecture: is the overall design and high-level plan that describes an institution’s operating framework and includes its mission, stakeholders, businesses, customers, workflow and processes, data processing, access, security, and availability, among others. An enterprise architecture program facilitates the conceptual design and maintenance of network infrastructure, related computer technology controls, and policies. It can also help an institution to better develop technological processes or services and identify, measure and mitigate risks and threats related to the use of technology. The implementation of the program focuses on training business and information technology leaders to make investment decisions that provide balance and priority to current operational demands, disruptions, and opportunities, adjusted to the entity’s long-term strategic vision.

Data management: is the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving, and disposal of data and information. It includes the processes, functions, standards, and parameters that ensure the effective and efficient use of data and information to enable the organization to achieve its goals.

Demand management: is a model or process that allows responding to business needs, generating a dialogue between the business areas and the information technology area. This model is based on the principle that not all demand will be approved, owing to business priorities and system resource constraints.

Subcontracting: is the situation in which the person who provides the service under a contracting agreement transfers a function, a service or an activity to another provider. The succession of contracting agreements related to a specific function, service or activity is called the subcontracting chain.

Third party: an entity belonging to the corporate group (global or domestic) or external to the corporate group, with which a letter of offer, a contract and/or a service level agreement has been established to perform, on an ongoing basis, activities, functions or services that would otherwise be carried out by the regulated entity itself.

June, 2020. Initial version

Supervision Guides | Digital identification in financial institutions

The supervisory procedures will be aimed at determining the implementation of controls that allow financial institutions to adequately identify human persons in digital and non-face-to-face form. Among other aspects, the following will be evaluated:

Governance and risk management

• The existence of risk analyses regarding the solution, formalized and communicated to the entity’s authorities, which cover at least aspects related to technology and information security.
• Due diligence of third parties and channels.

Controls applied to the operation

• The use of physical characteristics (such as facial recognition, fingerprints, iris) and/or behavioural characteristics (voice recording, gestures, etc.) as a basis for the registration of digital identification, their capture by means of a system/application, and the unequivocal linking of the information with each user.
• The application of the following criteria for the implementation of biometric techniques:

– Universality: all people must possess this characteristic.
– Distinctiveness: two people must be sufficiently different in terms of their characteristics.
– Stability: the characteristic must remain unchanged over an acceptable period of time.
– Evaluability: the characteristic must be able to be measured quantitatively.
– Performance: the resources used for recognition should not depend on the conditions of the environment.
– Acceptability: users must be willing to use these characteristics.
– Fraud: systems based on these characteristics must be sufficiently secure to avoid being breached.

• The application of controls in the capture of attributes during the identification process, which consider, among others:

– Processing times.
– The authentication algorithm used to perform the match.
– Connectivity through robust encryption mechanisms.
– Anti-spoofing techniques to prevent fraud.
– Other existing sound practices.

• The execution of an information validation process, which may be carried out by the entity itself, by an official body and/or by whoever provides information technology services. In this case, compliance with the current regulatory provisions regarding the outsourcing of information technology services will also be considered.
• The definition of thresholds for the acceptance or rejection rates of the results obtained in the identification process that correspond to the risk analyses carried out.
• The application of a continuous maintenance process in the obtaining, updating and elimination of identification attributes or data fields, and of the policies that regulate access by the user to financial information and services.

Security scheme and activity log

• The implementation of an adequate scheme of segregation of duties and control due to opposition of interests for the maintenance of the parameters.
• The existence of mechanisms that ensure the traceability of the actions carried out in all stages of the digital identification process.
• The existence of functions for the exploitation of activity registers.
• The conservation of backups of the activity records for a period of not less than 6 (six) years.

May, 2019. Initial version

Guide to the Supervision of Financial Market Infrastructures (MFIs)

In accordance with the Ordered Text (TO) “Principles for Financial Market Infrastructures”, the scope is defined as the High-Value Clearing House, the Low-Value Clearing House, ATM networks and any other infrastructure of a similar, aggregated, modified and/or complementary nature.

The supervisory procedures will be aimed at determining the implementation of the controls required by the current regulatory framework on the governance of Information Technology and Information Systems of the Argentine Financial Market Infrastructures.

The procedures on the provision of outsourced information technology services to financial institutions are complementary to those that may be applied to the infrastructures covered.

They are also complementary to the obligations established for electronic clearing houses according to the applicable regulatory framework.

Among other aspects, the following will be evaluated:

• The existence of self-assessments linked to the processing environment, technology and information systems.
• The definition of formalized, clear and transparent governance mechanisms, including:

– The definition of objectives related to the safety of its operations.
– The clear allocation of responsibilities and accountability obligations.
– The formal definition of the functions and responsibilities of the highest administrative body (Board of Directors or equivalent authority), senior management and line management, with respect to the governance and management of technology and information systems.

• Periodic review of procedures and the regulatory framework.

• The execution of an established and formalized risk management process, which includes a clearly defined and approved risk tolerance policy, and addresses the operational risks associated with the management of technology and information systems.

• The existence of an Information Technology Committee that meets the following conditions:

– Formalization by means of a regulation that describes its responsibilities, which must be in line with the current TO (“Principles for Financial Market Infrastructures”).
– Minimum quarterly meeting frequency, formalised by means of minutes made known to the administrative body.

• The existence of a framework for comprehensive management that includes operational risks related to information technology and information systems.

• The definition of risk management policies, procedures and systems that allow it to identify, measure, monitor and manage the range of risks that may arise in each MFI or that are assumed by it.

• The execution of a periodic review, at least annually, of the established risk management frameworks, keeping the Board of Directors or equivalent authority informed of the conclusions of the same.

• Carrying out periodic reviews of the significant risks related to the technology and information systems to which it is exposed due to its relationship with third parties, keeping the Board of Directors or equivalent authority informed of the conclusions of the same.

• The implementation of a framework to control the degree of exposure to potential risks linked to information systems, information technology and their associated resources, also considering aspects related to cyberattacks and cyber resilience, including:

– The existence of documentation that confirms the risk analyses formally carried out.
– Managing the correction of weaknesses that expose the entity to high or unacceptable levels of risk.
– The identification, monitoring and management of the risks that the main participants, other MFIs and those who provide services may represent for their activities.
– The identification, control and management of the risks that its activities may represent for other MFIs.
– The clear definition of the responsibilities linked to the operational risk related to information technology, information systems and their associated resources, and the effective communication of the results of all the previously mentioned aspects to senior management.

• Carrying out capacity analyses that allow it to manage an increase in stress volumes while meeting its service level objectives.

• The existence of comprehensive physical and information security policies, reviewed at least annually.

• The existence of established processes for the planning, implementation and continuous improvement of security management and control processes on the protection of information assets.

• The preparation of operational plans that contemplate the critical factors for effective control of applications, which must be regularly monitored, in order to verify the existence of possible changes that could affect them.

• The inclusion, in the initial stages of new IT projects, of requirements to different areas of the organization (Internal Audit, Protection of Users of Financial Services, etc.), which ensure the design and implementation of appropriate security controls and records once implemented.

• The establishment of a service continuity plan, which meets the following conditions:

– Is based on the results of a risk assessment to determine the impact of different events, both in terms of the magnitude of damage and the recovery period and the return to normality.
– A secondary site is established for the provision of critical services.
– Critical services are restored within two hours of the incident.
– The transactional settlement is completed before the end of the day, even in extreme circumstances.
– The solution adopted is tested at least annually.
– A technological contingency plan is included.

Specific Supervision Guide: Electronic Clearing Chambers

The supervision procedures will be intended to determine the implementation of the controls required by the regulatory framework in force for clearing houses:

• The implementation of measures that ensure high availability and resilience of the service:

– The daily compliance with the cut-off schedules of processes defined in the Model and Conceptual Design documents of each product.
– The availability of the systems so that the member entities can exchange all their transactions within the defined operating windows.
– The processing of all transactions within the daily operating window on 99% of the days of the year, and a delay of no more than 2 (two) hours in the event of failures.
– The incorporation of sufficient redundancy measures in the design of each layer of its architecture.
– Measurement, planning and updating of processing, memory and storage capacity according to market needs.

• The application of continuity measures for the operation of the facilities and infrastructure, which reach:
– The continuity of the electrical service and the existence of systems for the monitoring of equipment and the provision of electricity.
– The design of the networks in such a way as to allow the continuity of communications with the alternative processing center and those who make up the system.

• The establishment of equipment and systems maintenance services.

• The existence of alternative communications procedures in the event of failures in the main means of access.

• The definition of appropriate logical security measures for electronic clearing houses, including:

– The encryption of the information transmitted through the links that interconnect the electronic clearing houses with each other and with financial institutions, the use of appropriate algorithms and the definition of specific processes for the exchange of keys and the authentication of information.
– The implementation of security policies and access control mechanisms across the clearing house’s operating systems, databases, and applications.
– Audit logs of the use of applications and/or utilities of the system.
– The implementation of a separation of environments between production and the development, test or other environments.

• The definition of adequate physical security measures in the processing centres (main and alternative), including, at least:

– General security of the building
– Access control to the systems area
– Fire detection, warning and extinguishing system
– Cooling systems

• The existence, formal approval and periodic updating of a contingency plan that allows the restoration of the service from its usual place, or its alternative place of operation, with a maximum delay of 2 (two) hours with respect to the daily operation window.

• Carrying out complete contingency tests at least twice a year.

• The formalization of contractual relations with third parties that provide services to the chamber, which includes termination clauses and mechanisms for the continuity of the service.

• The implementation of a data protection scheme that guarantees at least:

– Obtaining backup versions of the processed information.
– Adequate critical storage.
– Periodic random testing and retrieval to ensure the quality of the contents of the backups.

• The definition of 2 (two) Crisis Committees that will be in charge of managing the critical situation linked to the difficulties of the members to settle their balances.

In addition, among other aspects, the following must be considered:

• The existence of self-assessments linked to the processing environment, technology and information systems.

• The generation of formalized, clear and transparent governance mechanisms, which include the formal definition of the functions and responsibilities of the highest administrative body (Board of Directors or equivalent authority), of Senior Management and Line Management, the definition of objectives related to the safety of their operations, and the clear assignment of responsibilities and accountability obligations.

June, 2020. Initial version

Data Loss Prevention (DLP) Monitoring Guide

Data loss prevention (DLP) is understood as the set of technological tools and processes aimed at detecting, protecting, monitoring and managing sensitive information, in order to prevent it from being accessed by unauthorized personnel.

The supervisory procedures will be aimed at determining the implementation of controls that allow the entities to have an adequate conceptual framework for the prevention of loss of information. Among other aspects, the following will be evaluated:

General Aspects

• The existence of policies that determine guidelines for hiring, dismissal and information confidentiality agreements with the personnel and service providers of the organization, which remain applicable even after they cease to be part of it.
• The application of a clear definition and communication of security policies and confidentiality agreements accepted and signed by all users.
• The existence of procedures that establish guidelines and obligations that clearly indicate to the user within what limits their activity will be carried out.
• The inclusion in the global security strategy of aspects related to the prevention of information loss.
• The inclusion of initiatives and awareness-raising activities related to the prevention of data loss that contemplate, among other aspects, responsibility in the management of information.
• The existence of a regulatory framework that establishes general guidelines for the entire life cycle of information.
• The definition of a continuous identification process, with the aim of recognizing the points of entry and exit of information.
• The existence of a classification of the information that serves as a basis for the application of protection measures.
• The implementation of techniques that allow continuous monitoring of the information.
• The inclusion within the incident management process of events related to information leakage.
• Carrying out periodic audits to verify compliance with the aforementioned aspects, reporting the conclusions of the same to the Board of Directors or equivalent authority.

DLP Controls

• The existence of rules and procedures for the control and management of data where measures are defined to protect confidential information in the different stages (transit, rest, in users’ computers and in third-party services).

Data in transit

• The existence of controls that prevent unencrypted data from leaving the internal network area, depending on its classification.
• The establishment of mechanisms that secure the exchange of data with third parties.
• Logging and monitoring network traffic to identify and investigate inappropriate transfers of sensitive data.
• The application of secure mechanisms for remote access to the organization’s network.
• Carrying out Internet access controls.
• The implementation of security mechanisms for physical means in transit and in custody.

Data at rest

• The existence of mechanisms for encrypting confidential data based on the classification of the information.
• The definition of controls that, according to the classification of the information, ensure the use of encrypted means for the extraction of data.
• The definition of safe processes for the disposal of equipment and storage media.

Data on user computers

• The existence of disk and device encryption techniques.
• The definition of secure configurations on devices that are in the possession of users.
• The definition of procedures that clearly establish responsibilities in the destruction and disposal of information with its proper record.

Data on third-party services

• The execution of risk analyses that contemplate specific threats in the use and extraction of information.
• The existence of encryption techniques for data at rest and in transit based on the classification of the information.
• The existence of control mechanisms that allow the entity to monitor, among other aspects, the activities related to the service provided, the relevant security incidents and the result of the execution of the data safeguards.

June, 2020. Initial version

Enquiries | normas.segtecinf@bcra.gob.ar