Letter to all OFIs: Issuance of Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (OFIs)

CENTRAL BANK OF NIGERIA Central Business District Cadastral Zone AO P.M.B 0187, Garki Abuja OTHER FINANCIAL INSTITUTIONS SUPERVISION DEPARTMENT Tel: 09-46235439 e-mal: ofisd@cbn.gov.ng Website: www.cbn.gov.ng OFI/DOA/CON/ACT/004/155 June 29, 2022 LETTER TO ALL OTHER FINANCIAL INSTITUTIONS ISSUANCE OF RISK-BASED CYBERSECURITY FRAMEWORK AND GUIDELINES FOR OTHER FINANCIAL INSTITUTIONS (OFIs) As a result of recent increase in the number and sophistication of cybersecurity threats against financial institutions, especially the Other Financial Institutions (OFIs), it has become mandatory for institutions to strengthen their cyber defenses if they are to remain safe and sound.

Consequently, the Central Bank of Nigeria (CBN) hereby issues the attached Risk-Based Cybersecurity Framework and Guidelines for OFIs, which represents the minimum requirements to be put in place by all OFIs.

The effective date for full compliance with the provisions of the guidelines is January 1, 2023 and all OFIs are expected to comply on or before that date.

Please, be guided accordingly.

Yours faithfully, siegbu Director, Other Financial Institutions Supervision Department RISK-BASED CYBERSECURITY FRAMEWORK AND GUIDELINES FOR OTHER FINANCIAL INSTITUTIONS (OFIs) JUNE 2022

Table Of Contents

Table of Contents
1.	Introduction
2.	Cybersecurity Governance and Oversight
3.	Cybersecurity Risk Management System
4.	Cybersecurity Operational Resilience
5.	Metrics, Monitoring & Reporting .
6.	Compliance with Statutory and Regulatory Requirements .
Appendix I: Cybersecurity Self-Assessment Tools .
Appendix II: Know Your Environment: .
Appendix III: Enhancing Cybersecurity Resilience
Appendix IV: Informative References .
Appendix V: Cyber-Threat Intelligent Sources
Appendix VI: Reporting Templates
Acronyms
Glossary

1. Introduction

The safety and soundness of Other Financial Institutions (OFIs) require that they operate in a safe and secure environment. Hence, the platform on which information is processed and transmitted should be managed in a way that ensures the confidentiality, integrity and availability of information as well as the avoidance of financial loss and reputation risk, amongst others.

Considering the reliance of financial institutions on information and communications technology (ICT) to operate their business and the rising incidences of cyber threats and attacks targeted at financial institutions, it has become necessary to implement cybersecurity measures to mitigate against those risks.

In recent times, threats such as ransomware, targeted phishing attacks and Advanced Persistent Threats (APT) have become prevalent, demanding that financial institutions, including OFIs, strengthen their cyber resilience and take proactive steps to secure their critical information assets to ensure their safety and soundness.

Cybersecurity resiliencies considered as an organization's ability to maintain normal operations despite all cyber threats and potential risks in its environment. Resilience provides an assurance of sustainability for the organisation using its governance, interconnected networks and culture.

It is against the background of the foregoing that the CBN hereby issues this framework and Guidelines for OFIs. The Guidelines outline the minimum requirements that OFIs are required to observe in the development and implementation of strategies, policies, procedures and related activities aimed at mitigating cyber risk.

The purpose of the Guidelines is to: a. Create a safer and more secure cyber environment that supports information system security and promote stability of the OFI sub-sector b. Contribute towards the prevention and combating of cybercrime in the OFI sub-sector; Promote the adoption and implementation of best practices and appropriate cybersecurity c.

standards by OFIs; d. Promote and maintain public trust and confidence in the OFI sub-sector e. Promote a cybersecurity culture and awareness through continuous capacity building and skills development.

OFIs should note that for a cybersecurity programme to be successful, it must be fully integrated into their business goals and objectives, and must be an integral part of the overall risk management processes.

The framework provides a risk-based approach to managing cybersecurity risk. The document comprises six parts: Cybersecurity Governance and Oversight, Cybersecurity Risk Management System, Cyber Resilience Assessment, Cybersecurity Operational Resilience, Cyber-Threat Intelligence and Metrics, Monitoring & Reporting.

3 2. Cybersecurity Governance And Oversight

2.1 Cybersecurity governance sets the agenda and boundaries for cybersecurity management and controls through defining, directing and supporting the security efforts of the OFIs. It spells out the responsibilities of the Board of Directors, Senior Management and Chief Information Security Officer (CISO). This entails the development and implementation of policies, procedures and other forms of guidance that the OFIs and their stakeholders are required to follow.

2.2 The responsibility for the provision of oversight, leadership and resources to ensure that cybersecurity governance becomes an integral part of corporate governance rests with the Board of Directors of the OFI. In this regard, the Board shall ensure that cybersecurity is completely integrated with business functions and, well managed across the OFI.

2.3 Furthermore, the Board shall ensure that cybersecurity governance not only aligns with corporate and Information Technology (IT) governance, but is cyber-threat intelligence driven, proactive, resilient and communicated to all internal and external stakeholders.

2.4 The responsibilities of the Board of Directors in relation to cybersecurity include: 2.4.1. The Board of Directors directly or through its appropriate Committee(s) shall have oversight and overall responsibility for the OFI's cybersecurity programme.

2.4.2. The Board shall promote a cybersecurity conscious culture within the institution through robust oversight and engagement on cybersecurity.

2.4.3. The Board shall ensure that cybersecurity is completely integrated with business functions and well managed across the OFI.

2.4.4. The Board shall ensure that cybersecurity governance aligns with corporate and Information Technology (IT) governance. It shall also ensure that cybersecurity governance is cyber-threat intelligence driven, proactive, resilient and communicated to all internal and external stakeholders.

2.4.5. All board members are required to understand the nature of their institution's business and the cyber threats involved.

2.4.6. Establish the institution's vision, risk appetite and overall strategic direction with regards to cybersecurity.

2.4.7. Formulate cybersecurity strategy, policy, procedures, guidelines and set minimum standards for the institution. The Cybersecurity Policy shall be documented and made available for review by the CBN and NDIC Examiners.

2.4.8. Allocate adequate resources for cybersecurity based on the institution's structure 2.4.9. Review management's determination of whether the institution's cybersecurity preparedness is aligned with its cyber risks 2.4.10. Establish or review cybersecurity risk ownership and management accountability and assign ownership and accountability to relevant business lines and not just the IT function 2.4.11. Approve and continuously review the cybersecurity strategy, governance charter, policy and framework which shall provide direction on how to achieve the institution's cybersecurity goals. The strategy shall align with the institution's overall corporate strategy 2.4.12. Ensure that the cybersecurity policy applies to all of the institution's branches, operating entities, including subsidiaries and joint ventures 2.4.13. Review on a regular basis the implementation of the institution's cybersecurity framework and implementation plan, including the adequacy of existing mitigating controls 2.4.14. Incorporate cybersecurity as a standing agenda item at Board meetings.

2.4.15. Review the results of management's ongoing monitoring of the institution's exposure to and preparedness for cyber threats.

2.4.16. Ensure that cybersecurity processes are conducted in line with business requirements, applicable laws and regulations while ensuring security expectations are defined and met across the OFI.

2.4.17. Receive and review on a quarterly basis reports submitted by Senior Management. The report shall detail the overall status of the cybersecurity programme to ensure that the Board approved risk thresholds relating to cybersecurity are being adhered to.

2.4.18. Appoint or designate a qualified individual as the "Chief Information Security Officer" (CISO) who shall be responsible for overseeing and implementing its cybersecurity programme. In the case of a Group structure, such OFI may leverage on its group CISO where the OFI is part of a group that has a CISO.

2.4.19. Ensure that the cybersecurity budget is approved.

2.5 The Responsibilities Of Senior Management Shall Include:

2.5.1. Senior Management shall be responsible for the implementation of the Board-approved cybersecurity strategy, policies, standards and the delineation of cybersecurity responsibilities.

2.5.2. Provide periodic reports (at a minimum quarterly) to the Board on the overall status of the cybersecurity, cyber risk posture/overall status of the OFI.

2.5.3. Ensure the creation of mitigation and recovery procedures to contain cyber risk incidents, reduce losses and return operations to normal 2.5.4. Implement processes and procedures to protect customer data, transactions and systems.

2.5.5. Ensure the provision of adequate, experienced and skilled staff for the management of cybersecurity.

2.5.6. Incorporate cybersecurity as a standing agenda item at Senior Management meetings.

2.5.7. Document cybersecurity incident response plan indicating the actions the institution will take during and after a security incident. The plan should address inter-alia: The roles and responsibilities of staff; a.

b. Incident detection, assessment, and reporting; c. Escalation and strategies deployed.

2.5.8 Collaborate with other institutions and the security agencies to share the latest development on cyber threats/attacks encountered by the institution 2.5.9 Create a post incident analysis framework to determine corrective actions to prevent similar incidents in the future.

2.5.10 Evaluate and manage risks introduced by third party service providers 2.5.11 Develop the cybersecurity framework for Board approval 2.5.12 Submit the Board approved cybersecurity framework to the Director, Other Financial Institutions Supervision Department for information and records.

2.6 Appointment and responsibilities of the Chief Information Security Officer (CISO): Every OFI shall appoint or designate a Chief Information Security Officer (CISO) whose responsibilities shall include the following: 2.6.1. The day-to-day cybersecurity activities and the mitigation of cybersecurity risks in the OFI.

2.6.2. Develop, oversee and implement the cybersecurity programme and strategy as approved by the Board.

2.6.3. Ensuring that the institution maintains an updated record of its users, devices, applications and their relationships, including but not limited to: 2.6.3.1. Software and hardware asset inventory; and 2.6.3.1. Network utilization and performance data.

2.6.4.

Ensuring that information systems meet the needs of the institution, and the ICT strategy, in particular information system development strategies, comply with the overall business strategies, risk appetite and ICT risk management policies of the institution.

2.6.5.

Design cybersecurity controls with the consideration of users at all levels of the organization, including internal (i.e., management and staff) and external users (i.e., contractors/consultants, business partners and service providers).

2.6.6.

Organize cybersecurity related trainings to improve technical proficiency of staff.

2.6.7.

Ensure that regular and comprehensive cyber risk assessments are conducted.

2.6.8.

Ensure that adequate processes are in place for monitoring IT systems to detect cybersecurity events and incidents in a timely manner.

2.6.9.

Reporting to the MD/CEO on an agreed interval (at least quarterly) on the following: a. Assessment of the confidentiality, integrity and availability of the information systems in the institutions.

b. Detailed exceptions to the approved cybersecurity policies and procedures.

c. Assessment of the effectiveness of the approved cybersecurity program.

d. All material cybersecurity events that affected the institution during the period.

2.6.10. Ensure timely update of the incident response mechanism and Business Continuity Plan (BCP) based on the latest cyber threat intelligence gathered.

2.6.11. Incorporate the utilization of scenario analysis to consider a material cyber-attack, mitigating actions, and identify potential control gaps.

2.6.12. Ensure frequent data backups of critical IT systems (e.g. real time back up of changes made to critical data) are carried out to a separate storage location.

2.6.13. Ensure the roles and responsibilities of managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.

2.6.14. Test disaster recovery and Business Continuity Plans (BCP) arrangements on an ongoing basis to ensure that the institution can continue its operations and meet its regulatory obligations in the event of an unforeseen cyber-attack.

2.6.15. Ensure that the cybersecurity program includes written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the OFI, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the OFI within the context of the OFI's technology environment.

2.7 The requirements of the Chief Information Security Officer (CISO) are detailed below: 2.7.1. The CISO shall be of senior management grade and shall possess adequate authority; experience; independence and status within the OFI to enable him/her function properly.

2.7.2. The CISO shall report to the Managing Director/Chief Executive Officer.

2.7.3. The CISO shall meet educational and experience requirements as provided in the Fit and Proper (Approved Persons) Framework required for OFIs. Given the requirements of this job role, experience gained solely in the field of IT shall be deemed to be adequate.

2.7.4. In addition, the possession of relevant Information Security Certifications shall be an added advantage. These include certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Chief Information Security Officer (CCISO). Consequently, the CISO shall acquire any of these certifications within three (3) years from the date of his/her appointment.

2.7.5. For small OFIs such as rural-based Unit Tier II MFBs, the Head of IT may double as the CISO. Alternatively, such OFIs may engage the services of a qualified third-party consultant to serve as the CISO on a part-time basis.

2.8 The Information Security Steering Committee (Issc):

2.8.1. Every OFI with more than 30 employees shall establish an Information Security Steering Committee (ISSC). However, for Unit Tier II MFBs, the Information Technology Steering Committee (ITSC) can perform the function of Information Security Steering Committee.

2.8.2. The ISSC shall consist of Senior representatives of relevant departments within the OFI and shall be headed by the CISO.

2.8.3. The roles, responsibilities, scope and activities of the information security steering committee shall be clearly defined.

The objectives of the Committee shall include: 2.8.4.1. Ensuring that OFIs' security policies and processes align with the business objectives; 2.8.4.2. Evaluating and sponsoring institution-wide security investment; 2.8.4.3. Enforcing the implementation of policies for investment prioritization and security risk management.

2.8.4. For OFIs with less than 30 employees 2.8.4.1. The responsibilities of the information security steering committee may be carried out by a relevant management committee, such as committee charged with Risk Management; 2.8.4.2. The CISO shall be made a member of the relevant management committee; 2.8.4.3. The relevant management committee shall expand its terms or reference to include the objectives set out in paragraphs 2.8.3.1, 2.8.3.2 and 2.8.3.3 above; 2.8.4.4. The CISO shall lead the deliberation on cybersecurity matters at the relevant management committee meetings.

10

2.9 Risk Management Control Functions

To ensure the effectiveness of an OFI's cybersecurity governance, the following risk management control functions; handled by relevant department of the organization shall have responsibilities as follows:

2.9.1. Risk Management

The Risk Management function shall independently evaluate all the risks relating to cybersecurity in a proactive way. This should include the use of appropriate tools and methodologies for risk identification, analysis and control. Appropriate reports shall be provided to Senior Management and the Board or its relevant Committee, quarterly.

2.9.2. Compliance

The Compliance function shall review the cybersecurity programmes and processes to ensure adherence to relevant CBN directives and other extant regulations.

2.9.3. Internal Audit

An OFI's cybersecurity programme shall be audited by the Internal Audit unit to mitigate the OFI's cyber-risk exposure and ascertain their adequacy. The scope of cybersecurity audits clearly defined an audit programme which shall be risk-based and provide assurance to the Board and Senior Management on the effectiveness of the cybersecurity programme.

2.10 Cybersecurity Strategy And Framework

2.10.1. The Board of Directors shall approve the OFI's information security and cybersecurity strategy, which shall provide direction on how to achieve its cybersecurity goals. The strategy shall address and mitigate cyber-risk while providing a framework for compliance with the legal, contractual, statutory and regulatory requirements. The strategy shall align with the OFI's Information Security Management System (ISMS), information technology and the overall corporate strategy.

2.10.2. An OFI shall also put in place an information security and cybersecurity framework in support of its strategy which aligns policies, business and technological approaches to address cyber risks and clearly defines all cybersecurity roles and responsibilities.

2.10.3. In addition, an OFI shall develop an information security and cybersecurity policy either as a separate document or as part of its cybersecurity framework or its ISMS.

The policy shall clearly convey Management's intent and the OFI's approach to achieving its cybersecurity objectives.

2.10.4. The policy document(s) approved by the Board shall be continuously reviewed and updated annually at a minimum or when there are significant changes to the OFI's cyber-risk exposure and in the light of emerging technologies. The annual review shall ensure its suitability, adequacy and effectiveness to mitigate cyber-risk.

3. Cybersecurity Risk Management System

3.1 Effective Risk Management serves to reduce the incidence of significant adverse impact on an organization by addressing threats, mitigating exposure, and reducing vulnerability.

OFIs shall incorporate cyber-risk management with their institution-wide risk management framework and governance requirements to ensure consistent management of risk across the institution.

3.2 The Risk Management programme shall be based on an understanding of threats, vulnerabilities, risk profile and level of risk tolerance of the organisation. The process shall also be dynamic in view of the constantly changing risk landscape. The Board and Senior Management shall support and be involved in the cyber-risk management process by ensuring that resources and capabilities are available and roles of staff properly defined in management of risks.

3.3 The Risk Management System shall cover the four basic activities below: 3.3.1.

Risk assessment 3.3.2.

Risk measurement 3.3.3.

Risk mitigation/Risk treatment 3.3.4.

Risk monitoring and reporting 3.4 Cyber risk assessments should be updated regularly to address changes or introduction of new technologies, products etc. before deployment to ensure accurate risk measurement.

3.5 Risk treatment options such as risk reduction, risk retention, risk avoidance, risk transfer and how residual risk is addressed should be selected based on the outcome of the risk assessment.

3.6 Information obtained from risk management activities shall be reported to the Senior Management and the Board of Directors to support informed decision making.

3.7 An OFI shall regularly conduct risk assessments, vulnerability assessments and threat analysis to detect and evaluate risk to the OFI's information assets and determine the appropriateness of security controls in managing risk.

3.8 The IT team shall be responsible for assessment, measurement and monitoring/reporting of risks associated with critical IT infrastructure while information security/cybersecurity team shall be responsible for risk mitigation/treatment.

4. Cybersecurity Resilience Assessment

Cybersecurity Resilience Assessment is useful in evaluating an organization's defense posture and readiness to tackle cybersecurity risks. In view of rapid advancement in IT, interconnection between networks (internet) and multiple threats in the cyberspace, an OFI shall carry out cyber risk resilience assessment to determine its current and target cybersecurity profile.

4.1 Determining The Current Cybersecurity Profile ("Present State")

4.1.1. OFIs shall determine their "current" cybersecurity position at regular intervals by evaluating all identifiable cybersecurity vulnerabilities; threats and likelihood of successful exploit; potential impact (reputational, financial, regulatory, etc.); and the associated risks in order to estimate the amount of resources and efforts required to recover from losses/damage attributable to potential cyber incidents.

4.1.2.

The assessment should include but not limited to adequacy of cybersecurity governance; policies, procedures and standards; inherent risks in business operations; visibility to emerging threats to information assets; capability to swiftly respond and recover from cyber-incidents; vendor risk, and efficacy of existing controls to mitigate the identified risks.

All gaps identified during the assessment shall be documented and communicated to 4.1.3.

the Senior Management and Board of Directors.

4.2 Establishing A Target Cybersecurity Profile ("Desired State")

An OFI shall develop a detailed roadmap to address the gaps identified in a timely manner. This roadmap shall state the vulnerability/risk treatment plan with stipulated time frame. The plan may include updating the cybersecurity policy; establishing a security operation center; signing-up with external cyber threat intelligence agencies, etc.

4.3 Reporting Cybersecurity Self-Assessment

A report of the cybersecurity self-assessment shall be submitted by OFIs to the Director, Other Financial Institutions Supervision Department of the Central Bank of Nigeria not later than 31st March every year. The report shall provide the procedure/tools/framework used to conduct the cybersecurity self-assessment; identified gaps, threats, and risks; potential impact; prioritized action plan to mitigate risks identified; and timeline for remediation; remediation status with possible residual vulnerabilities/risks. The report shall be signed and submitted by the Chief Information Security Officer (CISO) after its approval by the Senior Management. See the reporting template in Appendix I.

5. Cybersecurity Operational Resilience

OFIs are required to build, enhance, and maintain their cybersecurity operational resilience which will ultimately contribute to reducing cybercrime in Nigeria and strengthen the banking sector cyber defense.

The following are the minimum controls that an OFI shall put in place on their critical IT infrastructure to preserve the Confidentiality, Integrity and Availability (CIA) of information assets among others.

5.1 Know Your Environment

An OFI shall endeavor to be acquainted with its business environment and critical assets. It shall devise mechanisms to maintain an up-to-date inventory of authorized software, hardware (workstation, servers, network devices etc.), other network devices, and internal and external network connections. All unauthorized software and hardware devices on its network shall be identified, documented, removed and reported appropriately.

5.2 Enhancing Cybersecurity Resilience

An OFI shall continuously improve on its cybersecurity resilience. This is crucial to ensure the confidentiality, integrity and availability of information assets whilst promoting a safe and sound banking system in Nigeria.

To enhance its cybersecurity resilience, an OFI shall adopt the measures in this section as the minimum cybersecurity baseline controls required to continue to support and provide business services even in the event of cyber -attacks.

6. Cyber-Threat Intelligence

An OFI is required to possess an objective knowledge - based on fact - of all emerging threats, cyber-attacks, attack vector, mechanisms and indicators of attack/compromise to its information assets which shall be used to make informed decisions.

To This End, Ofis Are Required To:

6.1 Establish a Cyber-Threat Intelligence (CTI) programme which shall proactively identify, detect and mitigate potential cyber-threats and risks.

6.2 Establish a CTI policy (as part of the cybersecurity policy) approved by the Board of Directors to aid proactive identification of emerging cyber threats, trends, patterns, risks and possible impact.

6.3 Identify and document various CTI Sources. See Appendix V for details.

6.4 Take informed decisions based on the CTI programme as it provides valuable information on areas susceptible to cyber-attacks, latest threats, attack vector, etc. Decisions may include: conducting emergency awareness training, vulnerability assessment, and penetration testing; review of vendor source codes, cyber-incident response plan, Business Continuity/Disaster Recovery Plans (BCP/DRP), vendor Service Level Agreement (SLA); and increased system logging, reviewing the Bring Your Own Device (BYOD) policy, etc.

6.5 Promptly report all potential cyber-threats to their information assets to the Director, Other Financial Institutions Supervision Department of the Central Bank of Nigeria using the Cyberthreat Intelligence Reporting template in Appendix I.

7. Metrics, Monitoring & Reporting

7.1 An OFI shall put in place metrics and monitoring processes to ensure compliance, provide feedback on the effectiveness of controls and provide the basis for appropriate management decisions.

7.2 The metrics should provide the information needed to assess the effectiveness of the OFI's overall cybersecurity programme and measure its performance and efficiency as well as for effective decisions at the strategic, management and operational levels. Tools that may be employed to achieve this include key risk indicators, key goal indicators, etc.

7.3 The Board and Senior Management of an OFI shall establish an effective and reliable reporting and communication channels throughout the institution for the dissemination of securityrelated information such as changes in policies, standards, procedures, new or emerging threats and vulnerabilities to ensure the effectiveness and efficiency of the cybersecurity programme. The reporting process shall be consistent, timely, comprehensive, transparent and reliable.

7.4 A reporting process that defines reporting and communication channels shall be established for the dissemination of security-related material such as changes in policies, standards, procedures, new or emerging threats and vulnerabilities.

7.5 The Board of Directors and Senior Management shall be provided with quarterly reports to keep them abreast of the state of the cyber/information security programme and governance issues in the OFI.

7.6 An OFI is required to report all cyber-incidents (as defined in Appendix IV) whether successful or unsuccessful not later than 24 hours after such incident is detected to the Director, Other Financial Institutions Supervision Department of the Central Bank of Nigeria using the report format in Appendix I.

8. Compliance With Statutory And Regulatory Requirements

8.1 The Board and Senior Management of OFIs shall ensure compliance with all relevant statutes and regulations such as the Nigerian Cybercrimes (Prohibition, Prevention etc.) Act, 2015 and all CBN directives to avoid breaches of legal, statutory and regulatory obligations related to cybersecurity and of any security requirements.

8.2 The Central Bank of Nigeria shall ensure the establishment of appropriate processes and procedures for the purpose of monitoring compliance with this framework and other extant laws and regulations.

8.3 Non-compliance with the provisions of this framework shall attract appropriate sanctions as may be determined by the Central Bank of Nigeria in accordance with the provisions of the CBN Act and BOFIA.

9. Compliance Monitoring And Enforcement

The CBN shall monitor and enforce compliance with the provisions of the Guidelines.

10. Effective Date

This Guideline shall take effect from January 1, 2023

Appendix I: Cybersecurity Self-Assessment Tools

l . The FFIEC Cybersecurity Assessment Tool https://www.ffiec.gov/cyberassessmenttool.htm 2. US-CERT Cyber Resilience Review (CRR) https://www.us-cert.gov/ccubedvp/assessments 3. ICS-CERT"s Cybersecurity Evaluation Tool (CSET) https://ics-cert.uscert.gov/sites/default/files/FactSheets/ICS-CERT FactSheet CSET S508C.pdf 4. Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire https://www.pcisecuritystandards.org/ 5. ISO 27001 https://www.iso.org 6. The CBN circulars relating to cybersecurity https://www.cbn.gov.ng/documents/ 7. Nigerian Cybercrimes (Prohibition, Prevention etc.) Act, 2015

Appendix Ii: Know Your Environment:

1. Asset Management Hardware: An OFI shall: 1.1 Maintain an up-to-date inventory of all authorized devices such as workstations, laptops, switches, routers, firewall, printers, scanner, photocopiers, etc. used to process, store or transmit data/information in the institution.

1.2 Ensure that all identified devices are categorized not only by the criticality and sensitivity of the data/information they store, process or transmit but also on their mobility.

1.3 Assess and review the profile(s) of personnel(s) and/or third parties who have unrestricted/restricted access to devices identified in "1.1" above.

1.4 Automate the detection of unauthorized devices as they connect to the OFIS"s network and ensure that only authorized devices are granted access to the network. 1.5 Ensure that all legacy systems but still-in-use (both critical and non-critical) shall be catalogued.

Vulnerabilities associated with them shall be promptly identified and compensating controls applied and must be considered for upgrade.

Software: An Ofi Shall:

1.6 Devise a mechanism to maintain an up-to-date inventory of all applications/software (authorized and unauthorized) installed and/or running on all its systems. Unauthorized software/applications identified shall be considered for removal.

1.7 Ensure that the installation of applications/software including patches and hotfixes to authorized workstations/laptops, servers (including those on the demilitarized zone or DMZ), and mobile devices are centrally coordinated and managed.

1.8 Ensure that all legacy but still-in-use software and applications are catalogued. Vulnerabilities associated with them shall be promptly identified and remediated with adequate controls and must be considered for upgrade.

1.9 Establish controls to prevent unauthorized modification or removal of its authorized software/applications while preventing the installation of unauthorized software/applications on its network.

Other Network Devices: An Ofis Shall:

1.10 Maintain an approved up-to-date network topology of their wired and wireless networks irrespective of their location; 1.11 Maintain a catalog of all dedicated/frequently-used network connection(s) to regulatory authorities, switches, vendors/contractors, and wholesale customers with details of the objectives of such connections; 1.12 Devise a mechanism to maintain an up-to-date inventory of all other authorized network devices

• ATMs, IP Phones and surveillance camera etc. - connected to its network. Unauthorized other devices shall not be granted access to the network; and 1.13 Ensure that risks associated with these devices are regularly assessed, documented and mitigated promptly.

2. Staff/Employee:

The Management of an OFI shall: 2.1 Identify all employees whose job description is to implement, enforce, and review its physical and technical security controls; this includes but not limited to IT system, IT security administrators, security guards, etc.

2.2 Conduct background check on employees who implement policies, procedures used to protect sensitive information, and plausibly know ways of circumventing those control e.g. IT system administrators and security guards.

2.3 Ensure that risks associated with this category of employee are regularly assessed as part of the enterprise risk assessment framework. Background check shall be periodically conducted to gather reliable information about such employees.

2.4 Ensure that rotation of job duties and responsibilities; and mandatory vacation/leave are employed to thwart opportunities for collusion, fraudulent activities, and key-man risk.

2.5 Ensure that access rights assigned to all users is based on the principles of separation of duties and least privilege.

3. Vendor/Contractors/Third-Parties: An Ofi Shall:

3.1 Maintain an up-to-date inventory of services rendered by vendor/contractor/third-parties with valid Service Level Agreement (SLA).

3.2 Ensure that each SLA contains at minimum, details of service rendered, Non-Disclosure Agreement (NDA), Roles and Responsibilities of each party, Duration, Vendor Service Level Manager, Service Quality metric/evaluation criteria, and the Right to Audit clause.

3.3 Audit their vendors/contractors/third-parties in order to ensure/enforce compliance with the SLA; and promptly identify risky parties; if possible, visit their office/ IT processing facility.

3.4 Assess the qualification, skills and/or experience of vendor staff assigned to them by their vendors/contractors/third-parties.

4. External Connection: An Ofi Shall:

4.1 Identify and document all connections to third-parties - wholesale customers, vendors and switches that provide Value Added Service (VAS) -; the objective of each connection shall be documented and reviewed regularly.

4.2 Assess, document, and mitigate all risks associated with the identified external connections appropriately.

4.3 Where applicable, visit the data center and network infrastructure facilities of third-parties; access their approved cybersecurity policies and ensure it addresses all cybersecurity concerns.

4.4 Ensure that third-party accesses are restricted to only authorized segment of the network; only specific IP addresses from the third-party shall be allowed, and restrict connection(s) to a period of time (where applicable).

4.5 Always log, monitor, and review all third-party connections to their network.

5. Payment Service Providers: Where an OFI engage a Payment Service Providers (entity); thirdparty for the storage, transmission, processing and security of cardholder data, the OFI shall: 5.1 Identify, review and document the services provided by the entity.

5.2 Determine and document the scope of the entities involvement in storing, processing, or transmission of cardholder data and the effect on the security of the Cardholder Data Environment.

5.3 Identify and document the technology used by the entity for the services provided. 5.4 Identify and document whether an additional third-party is used by the entity to deliver the services rendered.

5.5 Identify the facilities of the entity where cardholder data/information is located.

5.6 Obtain the following documentation from the entity to validate PCI DSS compliance for the service rendered: Report on Compliance (ROC); Attestation of Compliance (AOC); Self- Assessment Questionnaire (SAQ); and ASV Scan Report Attestation of Scan Compliance (AOSC).

Appendix Iii: Enhancing Cybersecurity Resilience

This section provides the minimum controls required for an OFI to continue to support and provide business services even in the event of an unprecedented cyber -attacks. It provides controls on access right management, secure system configuration, cybersecurity awareness, data loss prevention, system life cycle management, vulnerability management, continuous security monitoring, and enhancing incident response capabilities.

1. Access Control:

An OFI shall establish an access control policy which ensures that: There exists mechanism, standards and procedures that govern users, systems and service a.

accounts access provisioning, identification, and authorization to all systems, network, and applications.

b. All workstations/laptops, end-users, service accounts, network devices (internal and external), and administrators have identities and credentials to access the bank's resources.

c. Access to its information assets (including customer information), resources and connected services/facilities at any time are limited to only authorize users, services, processes or devices (including wireless network) based on the principle of least privilege and guided by an access control matrix.

d. Authorizations given to users, service and system accounts are limited to the functions/ services they provide; where necessary implement logon time and days restriction.

e. Physical access to assets is controlled based on the criticality and sensitivity of the information processed, stored and transmitted by them.

The repositories of all users, administrator, and system identities and credentials are protected.

f.

2. Secure System Configuration Management: To enhance resilience through system configuration, an OFI shall: Acquire and deploy systems/applications with in-built resilience configuration.

a.

b. Develop minimum security baseline configuration such as anti-malware; data loss prevention solutions; and systems security settings for workstations/laptops, servers, applications/software including network devices governed by vendor recommendations, informative references in Appendix IV and the CBN guidelines.

c.

Devise mechanisms to logically apply and maintain their cybersecurity policies and security baseline configuration on systems, applications and network devices.

d.

Establish a Standard Operating Procedures (SOP) for all IT processes and activities.

e.

Audit the security configurations items on system and network devices to ensure compliance with preconfigured security settings.

f.

Devise a mechanism to monitor, detect, log and report all unauthorized system configuration changes; where possible, the mechanism shall re-apply the security configuration seamlessly.

3. Cybersecurity Awareness Training:

Educating employees, contractors and customers on cybersecurity is imperative for a secure cyberspace. To this end, an OFI shall: a. Develop cybersecurity awareness training contents, taking cognizance of the prevailing cyber threats, cyber risk, and various attack-vectors.

b. Ensure that the content of the cybersecurity awareness training include information contained in the OFIs' cyber security policy, roles and responsibilities of all parties, and emerging cyber -threats.

c. Mandate all Board members and employees to participate in a Cybersecurity Awareness Training programme at least once in a year, with proof of compliance across all strata to CBN examiners on request.

d. Ensure that third-party/vendor also undergo the bank's security awareness programme as well.

Communicate cybersecurity awareness to their customers in the language they understand; e.

possibly in local dialect at least monthly or when there is an identified cyber-threat or attack vector.

f.

Devise mechanisms to communicate cybersecurity awareness messages to all their customers in the language they understand irrespective of their location. To thwart phishing attack among others, the messages shall be communicated in English and local dialects at least monthly or when there is an identified cyber-threat/attack vector via SMS, emails, radio, newspapers etc.

4. Data Loss Prevention:

Protecting and controlling the accessibility and usage of sensitive and critical information within and outside the corporate network is a major goal of cybersecurity resilience. Hence, a. AN OFI shall develop a data loss/leakage prevention strategy to discover, monitor, and protect sensitive and confidential business and customer data/information at endpoints, storage, network, and other digital stores, whether online or offline.

b. The strategy should provide but not limited to a mechanism that: i.

classifies both structured and unstructured data/information; ii.

discovers where sensitive/confidential data/information are stored; iii.

monitors how sensitive/confidential data/information are being used; iv.

continuously protects data whether the endpoint is on/off the corporate network; v.

addresses notable data loss concerns through USB, e-mail, mobile phones and web; vi.

takes prompt actions when a potential data breach is suspected or detected: educate employees through a warning pop-up message, encryption, or prevent the action, and vii.

establishes to management a reduction in data loss risk in institution c.

Critical and sensitive information on assets shall be formally managed throughout removal, transfers, and disposition. All assets identified for disposal shall undergo degaussing, and/or total destruction; in accordance with its approved policy.

d. An OFI shall validate that similar control exist at vendor managed facilities such as co-location data centers, and cloud service providers.

5. System Life Cycle Management:

In managing the life cycle of systems, an OFI shall: a.

Establish policies and procedures that consistently oversee the lifecycle (identification, acquisition/development, maintenance/update, and disposal) of applications, components, and systems.

b. Ensure that cybersecurity controls are considered and incorporated in all stages of the system/application lifecycle. The business requirement for the acquisition/development of systems/applications shall also identify and document the security requirements. This includes but not limited to access control, access right management, authentication, event logging, audit trail, user session management, separation of duties, and least privilege etc.

c. Validate that the systems/applications meet all other requirements (functional, performance, reliability, etc.) and any applicable CBN regulations before they are deployed.

d. Ensure that all in-house applications are developed in-line with secure coding practices such as threat modeling, input validation, least privilege, fault deny, defense in-depth, and fail secure whilst mitigating against OWASP vulnerabilities. These applications shall also be thoroughly tested by a team of independent software testers and business/application owners.

e.

Separate the production/live environment from the development/testing environment(s).

f.

Establish a procedure for the maintenance of on-site and remote organizational assets to prevent unauthorized access.

g. Adopt cryptographic controls such as public key infrastructure, hashing and encryption to guard confidential and sensitive information against unauthorized access.

6. Vulnerability Management:

AN OFI shall promptly identify latent weaknesses in their IT infrastructure (assets), account profiles (system administrators and privileged users), and vendors.

A. Information Assets:

To promptly identify all system vulnerabilities and cybersecurity risks to operations and IT assets, an OFI shall: i.

ii.

Implement a vulnerability management strategy; approved by the Board of Directors.

Establish an automated mechanism to detect all vulnerabilities in its assets. This includes but not limited to workstations, network devices, servers (production, test and development), etc. The vulnerabilities and threats shall be documented; potential business impact and likelihood shall also be identified.

iii.

Conduct vulnerability assessment at least quarterly or when there is a significant change (such as installation of new systems, devices, applications etc.) to the bank's information processing infrastructure or when vulnerabilities are made known.

iv.

Further identify vulnerabilities in their assets by engaging professionals in this field to conduct Penetration Tests (PT). The PT shall be conducted frequently on internetfacing systems/applications.

v.

Continuously identify the inherent risks and vulnerabilities associated with IT platform/protocols used for business services e.g. USSD and SMS mobile Banking protocols vi.

Promptly categorize and resolve issues identified during vulnerability assessment based on their criticality, likelihood and impact. Subsequent validation to assess closure of such vulnerabilities shall also be done. The sources of the identified vulnerabilities such as a flaw in security policy, system misconfiguration, inconsistent Standard Operating Procedure (SOP), non-compliance to change management processes, and superficial risk assessment shall also be addressed to thwart future occurrence.

vii.

Have a dedicated team that incessantly monitors the release of security patches/updates by their vendors / OEMs. Security updates are mandatory, and shall be deployed quickly in accordance with OFIs' patch management policy. Patches for well-known or zero-day vulnerabilities shall also be applied swiftly in accordance with its emergency patch management process.

viii.

Establish an efficient mechanism and processes to identify assets patch compliance status - on operating system and application software on users' laptops and desktop, servers (including those on the DMZ), virtual machines, etc. - and remedy patch deficiencies.

B. System Administrators And Privileged Accounts:

To limit exposure to insider threat, an OFI shall: i.

Identify all employees and system/service accounts with super-privileges on each system, application, database, and device; and enforce segregation of duties and principle of least privilege for these accounts.

ii.

Where applicable, enforce password and account-management policies and practices to these accounts as-well. Use of shared default/anonymous privileged account by multiple users is highly prohibited.

iii.

Ensure that no single administrator have unfettered access to its critical systems.

Logon credentials to critical systems, applications, and network shall be created and separately documented by at least 2 different employees.

iv.

v.

Change the logon credentials of default system accounts on assets before they are connected to the network. This shall apply to test and development servers as well.

Establish a strategy, mechanism and an intelligent procedure to log, monitor, and audit actions performed by these accounts. All logs/audit trails shall be preserved and regularly reviewed in accordance with each institution's account management policy.

C. Vendors:

An OFI shall ensure that: i.

ii.

No vendor has unfettered access to its systems, database, network and applications (especially the core application). If a vendor needs to access its information asset, management approval shall be sought and such access shall be administered by an authorized administrator.

iii.

No vendor given logged-on to its information assets shall be left unattended to. Their actions shall be logged and closely monitored at all time. If possible, conduct a background check on all vendor staff before they are granted access.

7. Continuous Security Monitoring:

There shall be an ongoing awareness of information security vulnerabilities and threats to supports OFIs risk management decisions. To improve surveillance, it shall: a. Determine what needs to be monitored by: gathering information about all systems, databases, and network that support business activities; analyze reports about cyberincidents that have occurred in the past; evaluate the recommendations from both recent internal and third-party audits/ risk assessment of the network; and report of its cybersecurity self-evaluation.

b. Identify the key dependent variables - people, system, database, network and services - that the technical components of the continuous monitoring strategy will depend on.

c. Determine appropriate performance metrics for those variables; this includes but not limited to skills, system availability, event logging capability of systems to be monitored etc.

d. Establish how the log data collected from various sources will be stored and secured.

Categorize the identified systems and processes needed to be monitored according to their e.

criticality and sensitivity to its operations.

f.

Define a continuous security monitoring policy/strategy which shall be approved by the Board of Director; it shall include but not limited to the identified systems and processes, key dependent variables and their performance metrics, roles and responsibilities, duration to retain log data, events that would trigger these systems to send alerts, monitoring intervals/frequency, and how identified cyber-incidents / breaches will be contained, treated, documented, and reported.

g. Determine a baseline of operations and expected data flows for users, systems, and network of the identified systems. This includes but not limited to logon hours, network traffic threshold, level of processor utilization, etc.

h.

Implement across all-delivery channels a risk-based transaction monitoring mechanism which shall securely notify customers of all payment or fund transfer transactions above a specified value defined by customers.

i.

Establish a non-intrusive real-time monitoring mechanism to collect, correlate, and detect anomalous user, administrator, system, and process/service activities on system, database, and network in a timely manner while verifying the effectiveness of protective measures in place.

j.

Ensure that the mechanism provides Value Added Services (VAS) such as separating real events from nonimpact events (false positive), locating and containing events, sending alerts to appropriate staff for investigation, remediation, reporting, keeping historical data for the purpose of forensics, and managing operational risks.

k. Monitor the physical environment of assets - server room, network devices, data center, disaster recovery site, and off-site storage location -to detect potential threats in a timely manner.

l.

Establish an effective and efficient non-intrusive mechanism to detect and perform remediation actions on malicious codes and unauthorized mobile codes on all systems (including those on the DMZ). For signature-based solutions, frequency of update shall be at least daily.

m. OFIs that intends to or have cloud service providers shall be guided by the continuous security monitoring recommendation of Cloud Security Alliance (CSA).

8. Incident Response (Ir) And Disaster Recovery (Dr):

Incident Response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident) with an objective of reducing damage, recovery time and incident costs while Disaster Recovery is the practice of anticipating, planning for, surviving, and allows for immediate response that would reduce damage and resume core business functions as quickly as possible . For an effective and efficient incident response, an OFI shall: a.

Review its Disaster Recovery and Business Continuity plan documents (DR/BCP) with the business (stakeholders) to ensure they are adequate and effective to support cybersecurity resilience.

b. Create a DR/BCP test calendar to ascertain the effectiveness and efficiency of the Disaster Recovery and Business Continuity plans.

c. Test the DR/BCP. Lessons learned shall be incorporated into the DR/BCP documents as an improvement.

d. Develop an IR policy with stakeholders. The IR policy shall stipulate: i.

the creation of a cyber-incident response plan; approved by the Board of Directors; ii.

Senior Management and Business Process Owners definition of an Acceptable Interruption Window (AIW) for all categories of cyber-incidents; and performance metric at each stage of the IR process; iii.

the establishment of a dedicated team whose focus shall be on detecting and responding to cyber-incident; iv.

adequate and continuous training of the IR team on how to respond, report cyberincidents, and conduct trend analysis to thwart future occurrence; v.

conducting cybersecurity drills based on the approved cyber-incident response plan and test schedule to ascertain its viability, effectiveness and efficiency; vi.

the adoption of automated detection tool such as network and system (endpoint) scanners; and alerts from Log Management solutions, Firewall, Intrusion 30 Detection/Intrusion Prevention systems (ID/IPS) etc. for effective early detection of cyber-incidents; vii.

viii.

appropriate chain of custody when collecting, analyzing and reporting cyberincident in a manner that is legally admissible; and how crisis information shall be communicated and shared with stakeholders including the CBN and the public.

9. Payment Service Provider Security Assurance Programme:

To ensure that systems and data entrusted by an OFI to PSPs (entity) are maintained in a secure and compliant manner, the institution shall establish an assurance programme which shall include but not limited to: u Launching a due diligence programme on proposed or existing PSP companies thorough vetting prior to establishing a relationship and after engagement to ensure that the entity holds skills and experience appropriate for the service provided.

Establishing written agreements and policies between it and the entity for consistency .

and mutual understanding of service provided on their respective responsibilities and obligations.

Continuous monitoring of the PSP"s PCI DSS compliance status to provide an ■ assurance of the PSP"s compliance with the applicable requirements for the services provided.

.

Obtaining and reviewing the appropriateness of the entity's incident response, business continuity plan, and cyber-insurance coverage.

B Reviewing PSP compliance with your third-party security policies

	Information Security	https://www.iso.org/isoiec-27001-information-
	Management Systems	security.html
ISO	Cybersecurity guideline	https://www.iso.org/standard/44375.html
	Special Publications	https://www.nist.gov/publications/
NIST	Resource Center	https://beta.csrc.nist.gov/
PCI Security	Document Library	https://www.pcisecuritystandards.org/document_library
Standard Council	COBIT 5 for
COBIT 5		https://isaca.org/
	Information Security

Appendix Iv: Informative References Appendix V: Cyber-Threat Intelligent Sources Internal Threat Intelligence (Ti) Sources

Internal intelligent data sources are those security events generated by the IT infrastructures of OFIs.

This includes systems and security logs, database activity logs, malware detection report, analysis of network traffic, etc.

1. An OFIs shall have an approved Security Operations Center ("SOC") strategy document approved by the Board of Directors (with clear mission, vision and objective) to support its overall business objectives, minimize cybersecurity risk, while meeting regulatory requirements.

2. The strategy shall explicitly state the model of SOC to be adopted (On-premise, In-house, Outsourced or Hybrid). The SOC shall have its own budget approved; by the Board.

3. An OFIs' approved organizational chart shall also depict the SOC structure and its team. 4. There shall be a dedicated and secure physical space for the SOC to engender teamwork, brainstorming, knowledge-sharing among members and quick response time.

4. Its ambience shall also be protected with both technical and physical controls and equipped with a TV to keep the SOC staff abreast of imminent cyber events which may affect the OFIS information assets.

5. The SOC shall not just house sophisticated tools but equipped with a Security Information and Event Management (SIEM) solution that aggregates data from various security feeds to provide real-time analysis of security alert. Where applicable, the SOC shall be able to perform prompt remediation service.

6. For intuitive correlations and prompt visibility of the bank" security posture, feeds to the SIEM shall also include logs from network devices, vulnerability assessment systems; application and database scanners; penetration testing tools; IDS/IPS; and enterprise antivirus system.

7. It shall be up and manned continuously (24x7), managed and administered by skilled IT professionals with technical knowledge, experiences and suitable credentials in areas such as operating systems, networking, cryptography, database administrator, digital forensic, etc. For effective monitoring, shifts work schedule shall be adopted. At least two (2) members of the team shall manage the SOC at all time; responsibilities should be clearly defined.

8. The SOC team shall have adequate knowledge of the business, its environment and infrastructure in order to prioritize the most appropriate response when cyber-incidents occur.

9. The SOC shall have well documented processes to .

triage various types of cyber-incidents with appropriate response approved by the business process owners for operational consistency u identify, analyze and report emerging threats a gather and preserve evidence for Forensic Investigation 11. There shall be a capacity planning tool/process that communicates SOC infrastructure (SIEM) storage to enable the SOC team balance task workload with available resources.

12. At a minimum, the team shall comprise of a SOC Manager, Analysts, Intelligence Architects and Forensic Analysts.

13. Risk and vulnerability assessment vulnerability assessment shall be conducted on the SOC infrastructure. The SOC infrastructure and processes shall be continually audited.

14. It shall have a forensic laboratory equipped with specialized forensic tools to support incident response investigation efforts.

15. The SOC shall be able to provide input to the institution's Cybersecurity Awareness Training program based on the identified security incidents.

16. The SOC shall periodically provide cyber-incident reports to Board and Senior management.

17. Although internal TI sources provide information that is peculiar to an OFI's environment, each institution is advised to subscribe to external TI sources for threats notification and possible mitigants.

External Ti Sources:

These are sources external to an OFI environment. They combine various sources of TI into a single source which is easy to understand.

1. An OFI shall subscribe to external TI providers such as data feeds from IT vendors; intelligence sharing group such as the ngCERT, FS-ISAC, ICS-CERT; other OFIs; and relevant agencies to keep them informed of emerging cyber-threats and vulnerabilities.

2. Caution shall be exercised on open-source cyber-threat intelligence feeds due to high rate of false positive and/or false negative alerts.

Appendix Vi: Reporting Templates

1. Cybersecurity Self-Assessment Available at: https://www.cbn.gov.ng/documents/
2. Cyber-Threat Reporting Available at: https://www.cbn.gov.ng/documents/
3. Cyber-Incidents Reporting Available at: https://www.cbn.gov.ng/documents/

Acronyms

AIW	Acceptable Interruption Wind
APT	Advanced Persistent Threat
ATM	Automated Teller Machine
AOC	Attestation of Compliance
AOSC	ASV Scan Report Attestation of Scan Compliance
BCP/DR	Business Continuity/ Disaster Recovery Plan
BYOD	Bring Your Own Device
CSA	Cloud Security Alliance
COBIT	Control Objectives for Information and related Technology
OFI	Other Financial Institution
DMZ	Demilitarized Zone
FFIEC	Federal Financial Institutions Examination Council
FS-ISAC	Financial Services Information Sharing and Analysis Center
ICS-CERT	Industrial Control Systems Cyber Emergency Response Team
IDS	Intrusion Detection System
IP Phones	Internet Protocol Phones
IPS	Intrusion Prevention System
ISO	International Organization for Standardization
LAN	Local Area Network
NIST	National Institute of Standards and Technology
NgCERT	Nigeria Computer Emergency Response Team
OEMs	Original Equipment Manufacturer
OWASP	Open Web Application Security Project
PCI DSS	Payment Card Industry Data Security Standard
POS	Point of Sale
PSP	Payment Service Provider
ROC	Report on Compliance
SAQ	Self-Assessment Questionnaire
SMS	Short Message Service
TV	Television Set
ussD	Unstructured Supplementary Service Data

Glossary

	This is a process in which a user provides two different
2-Factor Authentication	authentication factors to verify his identity.
	Access Control Matrix is a security model in computing
Access Control Matrix	that defines the access rights or authorization of each
	subject with respect to objects in the system.
	This is the maximum allowable time of interrupting
Acceptable	Interruption	mission critical systems or applications before
Window	restoration.
	APT	is a targeted network attack in which	an
Advanced	Persistent	unauthorized malicious entity gains access to a network
Threat	and remains undetected for a long period of time.
	This is a device that prevents fraudulent capture of
Anti-Skimming Device	personal data from the magnetic stripes cards when they
	are used on devices such as an ATM.
	This is an intelligent electronic banking channel, which
Automated Teller Machine	allows banks" customers have access to basic banking
	services without the aid of any bank representative.
Business	Continuity/	These are planned processes that help OFIS prepare for
Disaster Recovery Plan	disruptive events and recover within a short period
	BYOD is a privilege given to employees to use their
Bring Your Own Device	personally owned devices (laptops, smart phones etc.) to
	access information and resources of their work place.
	A non-profit organization with a mission to "promote
	the use of best practices for providing security assurance
Cloud Security Alliance	within Cloud Computing, and to provide education on
	the uses of Cloud Computing to help secure all other
	forms of computing"
	This	is	an	imaginary environment	where
Cyberspace	communication over computer networks occurs
	A demilitarized zone or DMZ in computing is a physical
Demilitarized Zone	or logical sub-network that separates the trusted
	(internal local area network) from other untrusted

	networks (Internet). It houses external-facing servers,
	resources and services meant to be accessed from the
	internet.
	A false positive is a false alarm generated by a device,
False Positive	process or entity; usually based on preconfigured rules
	or logic.
	False negative occurs when a security device omits a
False Negative	vulnerability
	This is a network security system or software that has
Firewall	the capability to monitor and control incoming and
	outgoing network traffic based on preconfigured rules.
	This is a global financial industry's information sharing
Financial	Services	organization that provides timely authoritative
Information Sharing and	information on physical and cyber security threats to
Analysis Center	help protect the critical systems and assets of its
	members.
	A device or software/application that monitors a OFIS''s
Intrusion Detection System	network or systems for policy violations and/or
	malicious activities.
	A phone built on Voice over IP technologies (VoIP) for
Internet Protocol Phone	transmitting telephone calls over an IP network, such as
	the Internet.
	This is a network threat prevention technology that
Intrusion	Prevention	examines network traffic to identify possible threats
System	while preventing potential exploits of system
	vulnerabilities.
	ISO is a non-governmental organization with a mission
	to "promote the development of standardization and
International Organization	related activities in the world with a view to facilitating
for Standardization	the international exchange of goods and services, and
	developing cooperation in the spheres of intellectual,
	scientific, technological and economic activity."
	A computer networking technology that links devices
Local Area Network	within a specific range.
	38

	This is an automatic way of dealing with large volumes
	of system generated logs. It usually comprises of Log
Log Management	collection, correlation, analysis, search, reporting and
	retention
	Any code or script developed with an intention to cause
Malicious code	undesired effects, security breaches or damage to a
	system.
	Any malicious programme, application, or	script
Mobile code	capable of moving when implanted in an email,
	document or website.
	Any entity that is contracted for its services by another
Nested Payment Service	payment service provider for the purposes of providing
Provider	a service.
	A legal contract or agreement between two or more
Non-Disclosure
Agreement	parties that outlines a degree of confidentiality.
	A team of experts in the Office of the Nigerian National
Nigeria	Computer	Security Adviser with a mission to "manage the risks of
Emergency	Response	cyber threats in the Nigeria's cyberspace and effectively
Team	coordinate incident response and mitigation strategies to
	proactively prevent cyber-attacks against Nigeria".
Nigeria Cybercrime Act,	This is the first cybercrime bill enacted by the National
2015	Assembly of the Federal Republic of Nigeria in 2015
	A platform, blog, database that collects, stores and share
Open-source	cyberthreat	information on emerging cyber threats, indicators and
intelligence	trends to its subscribers
	This is a non-profit organization that provides journals,
	methodologies, documentation, and development of
Open	Web	Application
Security Project	best practices, in the field of web application security at
	no cost.
Payment	Card	Industry	This is an information security standard for OFIs that
Data Security Standard	collect, process, store and transmit cardholder data.
	These are third-party service providers who use their
Payment Service Providers	infrastructure to store, process, or transmit OFI's
	customer information including cardholders" data.
	39

	This is a device that accepts payment cards for
Point of Sale terminal	electronic funds transfers.
	Any user who by virtue of function has super system-
Privileged user	rights in any computer, application, database, device,
	etc.
	These are software designed to improve the features,
Patches	security, etc. of of a system, device,	and
	application/software.
	This is a contract between a service provider and a
Service Level Agreement	subscriber; who defines the level of service expected
	from such service provider.
	This is a step-by-step instruction on carrying out routine
Standard	Operating	operations/tasks. Its purpose it to achieve uniformity of
Procedure	performance, efficiency and quality output at all time.
	Anything that has the potential to cause damage or loss
Threat	to an information asset.
Unstructured	This is a communication technology used to send
Supplementary	Service	message between a mobile phone and an application on
Data	a network.
	A term used to describe non-core services of a service
Value Added Service	provider but offered to its customers.
Vendors	Provider of goods or services to OFI
	This is a weakness or gap in a system, application,
Vulnerability	process, device, etc.
	Cyber Risk is any risk to the Confidentiality, Integrity
	and	Availability of of an oorganization's critical
	information assets arising from a failure of the
	organization's information technology systems
Cyber Risk	resulting to financial loss, disruption of services, and
	interference with business as usual or damage to the
	reputation of the organization.

Cybersecurity is therefore an activity or process, ability
or capability, or state whereby information and
communications systems and the information contained
Cybersecurity	therein are protected from and/or defended against
damage, unauthorized use or modification, or
exploitation.