2023-01-01
The Bank of Zambia has issued the 2023 Cyber and Information Risk Management Guidelines to mandate minimum cybersecurity and operational resilience standards for all regulated financial entities. The framework requires institutions to establish formal governance structures with explicit board oversight, appoint an independent Chief Information Security Officer, and implement a five-phase risk management cycle aligned with NIST standards covering identification, protection, detection, response, and recovery. Regulated entities must conduct continuous risk assessments, enforce strict access and third-party controls, and adhere to an apply-or-explain approach to safeguard critical information assets against evolving cyber threats.
# REPUBLIC OF ZAMBIA
## GOVERNMENT GAZETTE
**Published by Authority**
Price: K15.00 net
Annual Subscription: K400.00
---
**No. 7240] Lusaka, Friday, 19th May, 2023 [Vol. LIX, No. 30**
GAZETTE NOTICE NO. 668 OF 2023
[112904]
---
The Bank of Zambia Act
(Cap 360 of the Laws of Zambia)
The Banking and Financial Services Act, 2017
The National Payment Systems Act, 2007
The Credit Reporting Act, 2018
**The Bank of Zambia Cyber and Information Risk Management Guidelines, 2023**
---
## PART I
### 1 PRELIMINARY
IN EXERCISE of the powers contained in Section 167 (1) of the Banking and Financial Services Act (BFSA) No.7 of 2017, Section 43 (1) of the National Payment Systems Act (NPSA) No.1 of 2007 and Section 63 of the Credit Reporting Act of 2018, the following Guidelines are hereby made:
### 2 SHORT TITLE
These Guidelines may be cited as the Bank of Zambia Cyber and Information Risk Management Guidelines, 2023.
### 3 INTERPRETATION
In these Guidelines unless the context otherwise requires:
- **Asset** – means the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes.
- **Availability** – means information assets are resilient and accessible when required.
- **Bank** – means the Bank of Zambia as established by the Bank of Zambia Act, Chapter 360 of the Laws of Zambia.
- **Business Continuity** – refers to capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
- **Business Continuity Plan** – means a comprehensive, documented plan of action that sets out procedures and establishes the processes and systems necessary to continue or restore the operation of an organisation in an event of a disruption.
- **Cloud computing** – means service and delivery model for enabling on-demand network access to a shared pool of configurable computing resources (servers, storage, and services). “The cloud” refers to servers that are accessed over the Internet, and the software and databases that run on those servers.
- **Confidentiality** – means information assets are only accessible by those authorised to have access.
- **Credit reporting agency** – has the meaning assigned to the words in the Credit Reporting Act of 2018.
- **Critical information** – has the meaning assigned to the words in The Cyber Security and Cyber Crimes Act of 2021.
- **Critical information infrastructure** – has the meaning assigned to the words in The Cyber Security and Cyber Crimes Act of 2021.
- **Cyber** – has the meaning assigned to the words in The Cyber Security and Cyber Crimes Act of 2021.
- **Cyber and Information Security** – means the protection of cyber and information assets by addressing threats to information processed, stored, and transported by internetworked information systems.
- **Cyber and information security incident** – has the meaning assigned to the words in The Cyber Security and Cyber Crimes Act of 2021.
- **Cyber Attack** – means an attempt to gain unauthorized access to a computer, computing system, or computer network for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure.
- **Cybercrime** – has the meaning assigned to the words in the Cyber Security and Cyber Crimes Act of 2021.
---
## 390 Zambia Gazette 19th May, 2023
- **Cyber security** – has the meaning assigned to the words in The Cyber Security and Cyber Crimes Act of 2021.
- **Data** – means pieces of information from which “understandable information” is derived.
- **Financial service provider** – has the meaning assigned to the words in the Banking and Financial Services Act (BFSA) No.7 of 2017.
- **Information** – means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audio-visual.
- **Integrity** – means the property that data or information have not been altered or destroyed in an unauthorized manner.
- **Internal Controls** – means a process effected by a regulated entity’s board of directors, management and staff designed to provide reasonable assurance regarding the achievement of objectives such as effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.
- **Material Outsourcing** – means outsourcing arrangements, which if disrupted, have the potential to significantly impact the business operations, reputation or profitability of a regulated entity.
- **Payment System** – has the meaning assigned to the words in the National Payment Systems Act (NPSA) No.1 of 2007.
- **Payment System Business** – has the meaning assigned to the words in the National Payment Systems Act (NPSA) No.1 of 2007.
- **Regulated entity** – means a financial service provider, payment system, payment system business, and credit reporting agency.
- **Risk appetite** – means the aggregate level and types of risk a regulated entity is willing to assume, decided in advance and within its risk-taking capacity, to achieve its strategic objectives and business plan.
- **Threat** – means any circumstance or event with the potential to adversely impact regulated entity operations.
- **Virtualisation** – means the simulation of the software or hardware upon which other software runs. This simulated environment is called a virtual machine.
- **Vulnerability** – means weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
### 4 APPLICATION
The Bank is cognisant of the differences in the nature, size, and complexity of regulated entities. In this regard, these Guidelines are issued on an apply or explain approach with the expectation that bigger and more complex entities will fully apply the Guidelines. The entities that will not be able to apply all the guidelines are required to provide an explanation on how they manage the cyber and information risk that they are exposed to in the pursuit of their business objectives. The Guidelines shall apply to all Regulated Entities.
---
## PART II
### 5 PREAMBLE
The technology landscape of the financial sector is transforming rapidly and the underlying information technology (IT) infrastructure supporting financial services has evolved in scope and complexity. Regulated entities are leveraging digital platforms to increase operational efficiency and to deliver better services. The increased dependence on digital platforms exposes regulated entities to cyber and information risk. There is, therefore, a need for regulated entities to strengthen their technological resilience against operational disruptions to maintain confidence in the financial system. These Guidelines outline the Bank of Zambia’s (the Bank) minimum requirements regarding regulated entities’ management of cyber and information risk.
The Guidelines cover five cyber and information risk control areas, namely Identify, Protect, Detect, Respond and Recover, anchored on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
### 6 PURPOSE OF GUIDELINES
The purpose of these Guidelines is to prescribe minimum requirements to regulated entities on cyber and information risk management.
---
## PART III
### 7 CYBER AND INFORMATION RISK GOVERNANCE
Cyber and information risk governance is one of the core components of the Cyber and Information Risk Framework which sets the program for cyber and information risk management and controls. The overall Cyber and Information Risk Framework should include clearly defined responsibilities for the management of cyber and information risk across the regulated entity with an appropriate risk management structure to ensure that the risk is within the parameters set by the board. The structure should be commensurate with the size, complexity, and diversity of the entity’s activities.
In addition, the structure should facilitate effective board and senior management oversight and proper execution of risk management and control processes. At a minimum, the risk governance structure should include board of directors, board risk management committee, senior management, management risk committees, risk management function and chief information security officer. The Bank therefore expects the regulated entity to ensure the following are implemented:
### 7.1 ROLES AND RESPONSIBILITIES OF THE BOARD
The regulated entity’s board shall:
1. Set a tone from the top and cultivate a strong culture of risk awareness that emphasizes and demonstrates the importance of cyber and information risk management.
2. Provide direction to senior management on what cyber resilience should achieve.
3. Establish appropriate cyber and information risk management governance structures.
4. Establish and implement a cyber and information risk management strategy.
5. Approve the risk appetite and tolerance for cyber and information risk considering the risk landscape.
6. Provide senior management responsible for executing the cyber and information risk management strategy, sufficient authority, and resources.
7. Approve the cyber and information risk management framework and ensure that cyber and information risk is effectively managed.
8. Review and approve work plans for cyber and information risk, business continuity and disaster recovery.
9. Approve and communicate the cyber and information risk management policies.
10. Regularly review cyber and information risk management policies and strategies.
11. Provide oversight in the implementation of internal controls and risk management practices.
12. Review the reports on performance and outcomes of cyber resilience and provide intervention where necessary including policy direction.
13. Ensure that measures are put in place for collaboration and information sharing on cyber and information risk incidents with relevant stakeholders.
14. Consider material changes to the regulated entity’s products, services, policies, or practices, and how the threat landscape affects its cyber risk profile.
### 7.2 ROLES AND RESPONSIBILITIES OF SENIOR MANAGEMENT
The regulated entity’s senior management shall:
1. Implement the cyber and information risk management framework and strategy.
2. Establish an appropriate committee headed by a senior officer from a control function to effectively manage cyber and information risk.
3. Clearly assign and communicate the responsibilities and authorities for roles relevant to cyber and information risk management.
4. Regularly apprise the board of salient and adverse cyber and information risk developments and incidents that are likely to have a major impact on the regulated entity in a timely manner.
5. Have a sufficient number of skilled staff for the management of cyber and information risk, who should be subjected to enhanced background checks.
6. Collaborate with relevant stakeholders to share cyber threats, incidents, and attacks that the regulated entity encountered.
7. Oversee the evaluation and management of cyber and information risks introduced by third party service providers. The regulated entity may require attestation/assurance reports provided by reputable independent auditors for service providers.
8. Designate an appropriately qualified senior officer as a Chief Information Security Officer (CISO) independent from day-to-day information technology operations to be responsible and accountable for executing the cyber and information risk management framework with sufficient authority and resources.
9. Determine the best reporting option of the CISO depending on factors, such as, vision and strategic goals, culture, management style, security maturity, IT maturity, risk appetite and all relevant dynamics involving the current security posture and reporting lines.
10. Assign the designated CISO with the responsibility to oversee and enforce cyber and information risk management policies, frameworks, and other technology-related regulatory requirements.
11. Monitor performance and outcomes of cyber resilience and intervene if necessary to ensure that specified direction is followed.
12. Review and assess risks associated with changes in the cyber and information risk landscape.
13. Establish a Security Operations Centre (SOC) or, at a minimum, set up a mechanism to monitor cyber and information security threats on an ongoing basis, and to promptly detect, analyse, and respond to cyber and information security incidents.
14. Cultivate a strong level of awareness of and commitment to cyber resilience by conducting comprehensive cyber and information risk awareness training programmes for its members of staff and other stakeholders.
### 7.3 POLICIES, STANDARDS AND PROCEDURES
The regulated entity shall ensure:
1. Policies for managing cyber and information risk are approved by the Board and regularly reviewed.
2. Policies cover the cyber and information risk threat environment and its potential impact, and the principles for implementing cyber and information risk measures.
3. Policies include the approach for managing cyber and information risk, and the mechanisms for determining and monitoring the level of exposure to threats.
4. Policies are consistent with relevant laws and regulations, as well as international cyber and information risk management standards and best practice.
5. Responsibilities and governance structures for cyber and information risk management are clearly outlined.
6. Policies include provisions for cyber and information risk awareness and training programmes for relevant stakeholders.
7. Policies include provisions for collaboration and information sharing arrangements within the regulated entity and other relevant stakeholders.
8. Cyber and information risk management policies are consistent with other risk management policies including business continuity management, outsourcing, emerging initiatives, and change management.
9. Specific and detailed procedures are developed to cover all cyber and information risk management related issues.
10. Senior management implement compliance processes to verify that cyber and information risk management policies and procedures are enforced.
11. Procedures are regularly reviewed and updated, taking into consideration the evolving cyber and information risk threat landscape.
---
## PART IV
### 8 IDENTIFY
This process involves identification of information assets that support critical functions and assessment of threats and vulnerabilities to ensure that a regulated entity understands its cyber and information risk. This will enable a regulated entity to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
The Bank expects the regulated entity to undertake the following in identifying the cyber threats and attacks:
### 8.1 ASSET MANAGEMENT
The regulated entity shall ensure that:
1. The data, personnel, devices, systems, and facilities that enable the achievement of business purposes are identified and managed consistent with their relative importance to business objectives and the risk strategy.
2. Inventory of physical devices, applications and systems is maintained and updated regularly.
3. Third party information systems are catalogued.
4. Communication and data flows are mapped.
5. Cyber and information risk management roles and responsibilities for the entire workforce and relevant stakeholders are established.
### 8.2 BUSINESS ENVIRONMENT
The regulated entity shall:
1. Understand its mission, objectives, stakeholders, and activities. These should be prioritized and communicated to all relevant stakeholders to inform its cyber and information risk management.
2. Identify and communicate its role in the supply chain to relevant stakeholders.
3. Identify and document all processes that are dependent on third-party service providers, its interconnections, and update this information on a regular basis.
4. Identify and communicate its role in critical information infrastructure and industry to the relevant stakeholders.
5. Establish dependencies and vital functions for delivery of critical services.
6. Establish resilience requirements by identifying dependencies and critical functions for delivery of critical services.
7. Establish resilience requirements to support the delivery of critical services.
8. Maintain an up-to-date inventory of all the critical functions, key roles, processes, information assets, third-party service providers and interconnections.
9. Create and maintain a network topology of all the existing infrastructure that support critical functions and identify external links.
10. Conduct risk assessments before deploying new and/or updated technologies, products, services, and connections to identify potential threats and vulnerabilities.
11. Maintain an inventory of all individual users, system accounts, privileged and remote access accounts, to be aware of the access rights to information assets and supporting systems.
12. Put in place mechanisms to ensure access to threat and vulnerability information-sharing sources.
13. Have capabilities in place to gather cyber and information risk threat information from internal and external sources, such as application, system and network logs, and security products.
14. Gather, analyse and continuously review intelligence data on cyber and information threats, and update it with new threats and vulnerabilities. The risk reports should be submitted to the Board and senior management to facilitate risk management.
15. Incorporate lessons learned from its analysis of cyber and information risk, into the employee training and awareness programmes.
### 8.3 RISK ASSESSMENT
The regulated entity shall:
1. Understand the cyber and information risk to operations including mission, functions, image or reputation, assets, and stakeholders.
2. Identify and document asset vulnerabilities, threats both external and internal, determine the likelihood and impact of risks and assign appropriate risk responses to identified risks.
3. Conduct regular assessments on the effectiveness of the control environment in addressing cyber and information risks and determine any residual risks.
4. Have an enterprise risk management framework to identify risks and conduct regular risk assessments of all the critical functions, key roles, processes, information assets, third-party service providers and interconnections to determine, classify and document their level of criticality.
5. Revise risk assessments of cyber and information risks and the control infrastructure in accordance with the changes and trends in the threats and vulnerability landscape.
6. Identify existing and emerging cyber and information risk vulnerabilities and threats pertaining to critical and sensitive information assets and implement remedial measures in a timely manner.
7. Conduct risk assessments before deploying new and/or updated technologies, products, services, and connections to identify potential threats and vulnerabilities.
8. Document cyber and information risk identification, measurement and assessment methodologies which should be approved by senior management.
9. Report information obtained from risk assessment activities to senior management and the board to support informed decision-making.
### 8.4 CYBER AND INFORMATION RISK MANAGEMENT
The regulated entity shall:
1. Establish an Enterprise Risk Management Framework for the management of cyber and information risks in accordance with the three lines of defence principle.
2. Ensure that the first line of defence manages cyber and information risks in its day-to-day operations.
3. Have a function with cyber and information risk management expertise that provides control and compliance oversight to the first line of defence.
4. Establish an internal audit function that is adequately resourced and has relevant technology audit competencies to provide assurance over cyber and information risk and where inadequate, the board shall consider using external independent auditors.
5. Conduct cyber and information audits commensurate with the complexity, sophistication and criticality of systems and applications at a planned interval.
---
## PART V
### 9 PROTECT
This process involves the implementation and maintenance of safeguards aimed at containing the impact of cyber and information risk events. This is to preserve the confidentiality, integrity, and availability of the regulated entity’s information assets.
The Bank expects the regulated entity to undertake the following in protecting against cyber threats and attacks:
### 9.1 ACCESS CONTROL
#### 9.1.1 IDENTITIES AND CREDENTIALS
At a minimum, the regulated entity shall:
1. Design access controls to minimize potential cyber and information risk exposure resulting from unauthorized use of resources.
2. Provide unique identifiable credentials to all users, devices, and systems that access information assets.
3. Issue, manage, verify, revoke and audit identities and credentials for authorized users, devices, and processes.
4. Grant access rights and system privileges according to the roles and responsibilities of staff, contractors, service providers and other relevant stakeholders.
5. Apply the principles of ‘never alone’, ‘segregation of duties’, and ‘least privilege’ when granting access to information assets.
6. Implement job rotation and cross training for security administration functions.
#### 9.1.2 PHYSICAL AND REMOTE ACCESS
At a minimum, the regulated entity shall:
1. Provide physical security of people, property, and assets, such as hardware, software, network, and data, from natural disasters, burglary, theft, terrorism, and other events that could cause damage or loss.
2. Establish physical security measures to prevent unauthorised access to systems and equipment.
3. Revoke access to all assets immediately when it is no longer required.
4. Maintain an access log and limit access to the data centres to authorized persons only.
5. Secure and monitor the perimeter of the data centres, facilities, and equipment rooms.
6. Secure remote connections to prevent data leakage.
7. Implement strong user authentication for remote access, such as multi-factor authentication where appropriate to safeguard against unauthorised access to its systems.
8. Grant remote access to authorised devices that have been secured according to approved security standards.
9. Secure and maintain the logs of all remote connections to facilitate an audit trail.
10. Protect logging facilities and log information against tampering and unauthorized access.
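One way to meet the log-protection requirement for remote-connection records is a keyed hash chain: each record is tagged with an HMAC over the record and the previous record's tag, so a modification, deletion or insertion anywhere before the chain head is detected on verification. The following is an added example written for this page, not code from the Bank or from any regulated entity; the record fields, the sample sessions and the key-handling arrangement (the HMAC key is held only by the logging facility, not by the hosts whose sessions are recorded) are assumptions for illustration.

```python
"""Tamper-evident remote-access log using a keyed hash chain.

Added illustration, not part of the Guidelines. Field names, sample
records and the key-custody assumption are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Optional

# Tag for the (non-existent) record before the first one.
GENESIS_TAG = b"\x00" * 32


def _tag(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def append_record(key: bytes, log: list, record: dict) -> dict:
    """Append one remote-connection record, chained to the previous entry."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS_TAG
    entry = {"record": record, "tag": _tag(key, prev, record).hex()}
    log.append(entry)
    return entry


def verify_log(key: bytes, log: list) -> Optional[int]:
    """Return the index of the first entry that fails the chain, or None if intact."""
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _tag(key, prev, entry["record"])
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return i
        prev = expected
    return None


def build_sample_log(key: bytes) -> list:
    """Constructed sample: three remote sessions as an audit trail would record them."""
    samples = [
        {"ts": "2023-05-19T08:01:12Z", "user": "jbanda", "src_ip": "41.63.10.5",
         "method": "vpn+mfa", "device": "LAPTOP-0412", "result": "success"},
        {"ts": "2023-05-19T08:03:40Z", "user": "admin-priv", "src_ip": "41.63.10.9",
         "method": "vpn+mfa", "device": "LAPTOP-0017", "result": "success"},
        {"ts": "2023-05-19T08:05:02Z", "user": "contractor7", "src_ip": "196.46.1.2",
         "method": "vpn", "device": "unknown", "result": "denied-no-mfa"},
    ]
    log: list = []
    for rec in samples:
        append_record(key, log, rec)
    return log


if __name__ == "__main__":
    key = b"log-facility-key-held-off-host"  # assumption: never stored on the recorded hosts
    log = build_sample_log(key)
    print("intact:", verify_log(key, log))          # None
    log[1]["record"]["user"] = "jbanda"               # attempt to hide the privileged login
    print("after tamper:", verify_log(key, log))     # 1
```

Because each tag covers its predecessor, rewriting one entry invalidates every later tag as well, and recomputing them requires the key. The chain alone does not detect truncation of the newest entries; for that the latest tag has to be anchored elsewhere, for example written periodically to a separate system or printed into an incident-response ticket.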
#### 9.1.3 ACCESS PERMISSIONS AND AUTHORISATIONS
At a minimum, the regulated entity shall:
1. Apply stringent selection criteria and thorough screening when appointing staff to perform critical operations and security functions.
2. Monitor staff with elevated system access entitlements and have all their systems’ activities logged and reviewed.
3. Restrict privileged users from accessing system logs in which all activities are captured.
4. Prohibit third parties from gaining access to systems without authorization, close supervision, and monitoring, and restrict access in line with service level and non-disclosure agreements.
5. Protect backup data from unauthorised access.
6. Perform regular reviews of user access privileges to verify that appropriate rights are granted according to the ‘least privilege’ principle.
7. Enforce strong password controls across its applications and systems.
#### 9.1.4 NETWORK INTEGRITY
At a minimum, the regulated entity shall:
1. Install network security devices, such as, firewalls to secure the network between the regulated entity and the Internet, as well as connections to third parties.
2. Deploy intrusion prevention systems in its network to detect and block malicious activities.
3. Implement network access controls to detect and prevent unauthorised users and devices from connecting to its network.
4. Regularly review network access control rules for network devices, such as, firewalls, routers, switches, and access points to ensure they are in line with the security policy and best practice.
5. Isolate critical business system environment from its general-purpose system environment using physical and logical controls, or equivalent controls.
6. Review its network architecture, including the network security design, as well as system and network interconnections, on a periodic basis.
#### 9.1.5 SYSTEMS SECURITY
The regulated entity shall:
1. Outline security baseline configurations of hardware and software which should be reviewed regularly for relevance and effectiveness.
2. Uniformly apply security standards on all systems and identify deviations, and address risks in a timely manner.
3. Implement appropriate endpoint protection solutions to protect the regulated entity from malware infection and address common delivery channels of malware.
4. Ensure that anti-malware solutions are kept up-to-date, and the systems are regularly scanned for malicious files or abnormal activities.
5. Implement security measures, such as, application whitelisting to ensure only authorised software is installed on the systems.
6. Conduct a risk assessment and implement appropriate measures to secure its Bring-Your-Own-Device (BYOD) environment before allowing staff to use their personal devices to access the regulated entity network.
7. Formulate a BYOD strategy/policy to govern the management of personal devices connected to the network.
#### 9.1.6 VIRTUALISATION SECURITY
Virtualisation is the simulation of software or hardware upon which other software runs; the simulated environment is called a virtual machine (VM). Regulated entities use virtualisation to optimise the use of computing resources and to enhance resilience by allowing several VMs supporting different business applications to be hosted on a single physical system. Such entities should manage the contagion impact on other VMs should there be a system failure or security breach in one of the VMs.
The regulated entity shall:
1. Establish security standards for all components of a virtualisation solution.
2. Restrict administrative access to the virtual environment infrastructure.
3. Develop policies and procedures to manage virtual images and snapshots. These shall include details that govern the security, creation, distribution, storage, use, retirement and destruction of virtual images and snapshots.
#### 9.1.7 SECURITY OF DIGITAL SERVICES
A regulated entity offering digital financial services should be aware of its unique risks and put in place additional measures aimed at addressing such risks.
The regulated entity shall:
1. Maintain customer and counterparty information, and transactions with utmost confidentiality and integrity.
2. Minimise disruption and ensure reliability of services delivered via digital channels.
3. Maintain critical digital financial services in high availability with reasonable response time to customer requests.
4. Authenticate users or devices and authorise transactions.
5. Monitor for anomalous transactions and maintain an audit trail.
6. Encrypt all confidential information prior to transmission over the network for both client and host application systems.
7. Request users to verify details of the transaction prior to execution.
8. Secure user and session management.
9. Be able to capture the origin and destination of each transaction.
10. Provide timely notification to sender/receiver that is sufficiently descriptive of the nature of the transaction.
11. Bind the Multi-Factor Authentication (MFA) solution to the customer’s account.
12. Notify customers of any activation and changes to the MFA solution via the customers’ verified communication channel, in a timely manner.
13. Prompt a payer/sender to confirm details of the identified beneficiary and amount of any transaction.
14. Authenticate the code generated by the payer/sender, which should be specific to the confirmed beneficiary and amount.
15. Provide a convenient means for customers to promptly suspend their account in an event of suspected fraud.
16. Provide its customers with adequate notices of the safeguards.
17. Clearly define and understand its responsibilities and those of its service providers in the digital financial services arrangements.
18. Retain sufficient and relevant digital service transaction logs for investigations and forensic purposes in line with relevant laws and regulations.
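Items 11 to 14 describe an authorisation code that is bound to the customer's account and to the exact beneficiary and amount the payer confirmed. The following is an added example written for this page, not code from the Bank or from any regulated entity, showing one way to implement that binding: a per-device secret enrolled against the account, an HMAC over the canonicalised transaction details (with the transaction identifier included so a captured code cannot be replayed), and host-side verification that rejects a code if the beneficiary or amount has changed. Account and device identifiers, field formats, the code length and the use of HMAC-SHA-256 with HOTP-style truncation are assumptions for illustration.

```python
"""Transaction authorisation code bound to beneficiary and amount.

Added illustration, not part of the Guidelines. Identifiers, formats and
the enrolment model (one registered authenticator per account) are
assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from decimal import Decimal, InvalidOperation

CODE_DIGITS = 8


def canonical_message(txn_id: str, beneficiary: str, amount: str, currency: str) -> bytes:
    """Normalise the confirmed details so "100" and "100.00" cannot yield two valid codes."""
    amt = Decimal(amount).quantize(Decimal("0.01"))
    fields = [txn_id.strip(), beneficiary.strip().upper(), str(amt), currency.strip().upper()]
    for f in fields:
        if "|" in f or not f:
            raise ValueError("invalid field")
    return "|".join(fields).encode()


def generate_code(device_secret: bytes, txn_id: str, beneficiary: str,
                  amount: str, currency: str) -> str:
    """Code the payer's registered authenticator shows after the payer confirms the details."""
    digest = hmac.new(device_secret,
                      canonical_message(txn_id, beneficiary, amount, currency),
                      hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 (HOTP), applied to a SHA-256 digest.
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class AccountRegistry:
    """Host side: binds an authenticator to an account and verifies transaction codes."""

    def __init__(self) -> None:
        self._devices: dict = {}      # account_id -> device secret
        self._used_txn: set = set()   # transaction ids already authorised (replay guard)
        self.notifications: list = []  # stand-in for the customer's verified channel (item 12)

    def enroll_device(self, account_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._devices[account_id] = secret
        self.notifications.append((account_id, "authenticator enrolled"))
        return secret

    def verify_transaction(self, account_id: str, txn_id: str, beneficiary: str,
                           amount: str, currency: str, code: str) -> bool:
        secret = self._devices.get(account_id)
        if secret is None:
            return False                      # no authenticator bound to this account
        if txn_id in self._used_txn:
            return False                      # replayed code for an already executed transaction
        try:
            expected = generate_code(secret, txn_id, beneficiary, amount, currency)
        except (ValueError, InvalidOperation):
            return False
        if not hmac.compare_digest(expected.encode(), code.strip().encode()):
            return False                      # beneficiary, amount or code does not match
        self._used_txn.add(txn_id)
        return True


if __name__ == "__main__":
    registry = AccountRegistry()
    secret = registry.enroll_device("ACC-001")
    code = generate_code(secret, "TXN-1", "ZM1234567890", "100.00", "ZMW")
    print(registry.verify_transaction("ACC-001", "TXN-1", "ZM1234567890", "101.00", "ZMW", code))  # False
    print(registry.verify_transaction("ACC-001", "TXN-1", "ZM1234567890", "100.00", "ZMW", code))  # True
```

A code computed this way is useless to an attacker who intercepts it and changes the destination account or the amount, and it cannot be reused for a second payment because the transaction identifier is part of the message. In a real deployment the secret would live in a hardware-backed keystore on the customer's device and the host would keep used transaction identifiers only for the validity window of a transaction.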
#### 9.1.8 CHANGE AND PATCH MANAGEMENT
A regulated entity must ensure that critical systems are not running on outdated systems with known security vulnerabilities or end-of-life (EOL) technology systems.
The regulated entity shall:
1. Continuously monitor for and apply the latest patch releases in a timely manner.
2. Test patches before applying to production.
3. Identify critical technology systems that are approaching EOL for further remedial action.
4. Put in place a change management framework to ensure that only authorized changes are applied.
5. Identify and conduct risk assessment of all technology assets for potential vulnerabilities arising from undeployed patches or EOL systems.
6. Specify turnaround time for deploying patches according to the severity of the patches; and
7. Adhere to the workflow for end-to-end patch deployment processes including approval, monitoring, and tracking of activities.
#### 9.1.9 OUTSOURCING FUNCTIONS TO THIRD PARTIES
A regulated entity in considering the use of a third party to perform some of its functions, must fully understand the inherent risks and the requirements of relevant laws and regulations.
The regulated entity shall:
1. Conduct a comprehensive risk assessment, due diligence and seek approval from the Bank prior to engaging in a material outsourcing arrangement.
2. Define, implement, and monitor cyber and information security controls for outsourced functions in line with approved policy.
3. Periodically measure and evaluate the effectiveness of the defined cyber and information risk controls for an outsourced service or function.
4. Logically segregate data held by a third party in the cloud from other data held by the cloud service provider.
5. Implement business continuity requirements in accordance with the approved policy.
6. Retain the right to audit and/or access to appropriate assurance reports on cyber and information risk controls.
7. Include provisions in service level agreements with third parties that facilitate review of cyber and information risk controls of the third-party service provider.
8. Include provisions in the agreements with the third-party service providers for the return of data and irreversible deletion of the data on termination of the relationship.
9. Clearly define and understand its responsibilities and that of the service provider in outsourcing arrangements.
10. Implement appropriate safeguards on customer and counterparty information, and proprietary data when using outsourcing services to protect against unauthorised disclosure and access.
11. Include provisions for safeguarding information in contracts for all outsourcing arrangements with critical IT service providers.
12. Include cyber and information risk assessment as part of due diligence process for outsourcing arrangements with critical IT service providers, including related subcontracting arrangements.
#### 9.1.10 TESTING
The purpose of testing is to promptly identify vulnerabilities and cyber and information risks to operations and IT assets.
The regulated entity shall:
1. Implement a vulnerability testing management strategy approved by the Board.
2. Conduct vulnerability assessment at least quarterly or when there is a significant change to the regulated entity’s information processing infrastructure or when vulnerabilities are made known.
3. Conduct annual intelligence-led penetration tests on its internal and external network infrastructure as well as critical systems. The penetration testing shall reflect extreme but plausible cyber-attack scenarios based on emerging and evolving threat scenarios.
4. Engage suitably accredited penetration testers and service providers to perform this function.
5. Document and escalate the outcome of the penetration testing exercise to senior management in a timely manner to identify and monitor the implementation of relevant remedial actions.
6. Test backups periodically and according to the entity’s policy.
7. Regularly test response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) in accordance with the entity’s policy.
8. Test detection processes during development, implementation and on an ongoing basis.
9. Analyze and record lessons of all tests, to inform changes to the strategy and framework going forward.