2014-06-26 | Banking Act Directions No. 4 of 2014

Amendment to Directions on Integrated Risk Management Framework for Licensed Banks

The Monetary Board of the Central Bank of Sri Lanka issued Direction 4 of 2014 to amend the Integrated Risk Management Framework Guidelines for licensed banks. The directive mandates all licensed banks to implement the Baseline Security Standard for Information Security Management by 1 July 2015. Each institution must tailor the standard to its size, business activities, and operational complexity while ensuring Board of Directors oversight for compliance.

Sri Lanka

Central Bank of Sri Lanka

Directions issued by the Monetary Board of the Central Bank of Sri Lanka under Sections 46(1) and 76(J)(1) of the Banking Act, No. 30 of 1988, as amended.

[Signature]

B D W A Silva, Senior Deputy Governor, Central Bank of Sri Lanka

Colombo, 26 June 2014

BANKING ACT DIRECTIONS NO. 4 OF 2014

AMENDMENT TO DIRECTIONS ON INTEGRATED RISK MANAGEMENT FRAMEWORK FOR LICENSED BANKS

In the exercise of the powers conferred by Sections 46(1) and 76(J)(1) of the Banking Act, No. 30 of 1988, last amended by the Banking Act, No. 46 of 2006, the Monetary Board hereby issues the following amendment to the Guidelines annexed to the Banking Act Direction No. 7 of 2011 dated 05 October 2011 on Integrated Risk Management Framework for Licensed Banks to implement the Baseline Security Standard for Information Security Management.

  1. The following paragraph shall be inserted immediately after paragraph 2.8 of Part D of the Guidelines annexed to the Banking Act Directions No. 7 of 2011 dated 05 October 2011 on Integrated Risk Management Framework for Licensed Banks.

“2.9 Information Security Management -

(a) With effect from 01 July 2015, all banks should implement the Baseline Security Standard for Information Security Management as per Attachment 4 hereto.


(b) The Baseline Security Standard establishes minimum acceptable security standards for banks and standardizes the information security policies of such banks. However, each bank should ensure adoption of such standards relative to the size, nature of business activities and complexity of respective bank.

(c) The BOD should ensure compliance with the Baseline Security Standard for Information Security Management.”
