2017-08-18
Here's the requested information for Kenya:

**High-Level Contents of a Cybersecurity Policy in Kenya:**

In Kenya, the Central Bank of Kenya (CBK) has issued guidelines and regulations concerning Information and Communication Technology (ICT) governance that include cybersecurity requirements. The following points highlight high-level contents of a Cybersecurity Policy in accordance with these CBK guidelines:

**1. Governance:**

- Clearly define the roles, responsibilities, and authorities of board members, senior management, employees, and third parties in managing cyber risks.
- Develop an ICT governance framework that includes policies, procedures, standards, and controls for information security and data protection.
- Establish a dedicated cybersecurity team responsible for implementing, monitoring, and maintaining the institution's cybersecurity posture.

**2. Identification:**

- Conduct a thorough assessment of the financial institution's critical business functions and supporting information assets to determine their level of importance.
- Develop a comprehensive inventory of all IT systems, applications, and data resources used by the organization.

**3. Protection:**

- Establish a robust set of security controls that protect the confidentiality, integrity, and availability of its assets and services. This includes implementing firewalls, intrusion detection and prevention systems, endpoint security solutions, and other relevant technologies.
- Develop and maintain strong access control measures to ensure that only authorized personnel have access to sensitive information and systems.
- Implement secure development practices for all in-house developed applications and conduct regular security assessments of third-party software used by the institution.

**4. Detection:**

- Establish a comprehensive monitoring system to detect anomalies and events indicating a potential cyber incident. This includes implementing security information and event management (SIEM) solutions, log management systems, and other relevant tools.
- Develop procedures for responding to security alerts and notifying the appropriate personnel when a potential incident is detected.
- Establish a process for regularly reviewing and updating the organization's threat intelligence capabilities.

**5. Resumption:**

- Develop and maintain business continuity and disaster recovery plans that outline the steps to be taken in case of a cyber incident. This includes identifying critical systems, data, and processes; establishing recovery time objectives (RTO) and recovery point objectives (RPO); and testing the plans regularly.
- Establish procedures for restoring normal operations after a cyber incident and ensuring that all affected systems and data are secure.
- Develop a communication plan to inform customers, employees, regulators, and other stakeholders about the incident and its impact on the organization's operations.

**6. Testing:**

- Establish a comprehensive testing program that includes penetration testing, vulnerability assessments, and red team/blue team exercises. This will help identify weaknesses in the institution's cybersecurity posture and provide recommendations for improvement.
- Regularly test the organization's incident response plan to ensure that it is effective and up-to-date.
- Establish a process for regularly reviewing and updating the organization's security controls based on the results of testing and other relevant information.

**7. Situational Awareness:**

- Develop procedures for monitoring the organization's cybersecurity posture and identifying emerging threats and vulnerabilities. This includes staying informed about industry best practices, regulatory requirements, and threat intelligence from trusted sources.
- Establish a process for regularly reviewing and updating the organization's security controls based on changes in the threat landscape.
- Develop a process for regularly assessing the effectiveness of the institution's cybersecurity program and identifying areas for improvement.

**8. Learning and Evolving:**

- Establish a culture of cyber risk awareness throughout the organization by providing regular training and education programs for employees at all levels.
- Regularly review and update the organization's security controls based on changes in technology, business requirements, and industry best practices.
- Develop procedures for regularly assessing the effectiveness of the institution's cybersecurity program and identifying areas for improvement.

**9. Collaboration:**

- Establish relationships with other financial institutions, government agencies, and industry partners to share information about emerging threats and best practices for managing cyber risks.
- Participate in industry associations and working groups to stay informed about industry trends and developments in cybersecurity technology and regulation.
- Develop procedures for reporting cyber incidents to the appropriate authorities, including law enforcement and regulatory bodies.

**10. Reporting:**

- Establish a process for regularly reviewing and updating the organization's security controls based on changes in the threat landscape.
- Develop a comprehensive reporting framework that includes regular reports to senior management, the board of directors, and relevant stakeholders about the institution's cybersecurity posture and performance.
- Maintain a comprehensive archive of all cyber incident reports and other relevant documentation for future reference and analysis.