# Security-Readiness Checklist

| Category | Requirement | Required | Recommended |
| --- | --- | --- | --- |
| Data Ownership | <ul><li>Determine which data types are exposed by APIs and categorize them accordingly.</li><li>Ensure non-essential consumer profile data is not released.</li><li>Ensure contracts restrict the usage of consumer data to the agreed scenarios.</li><li>Confirm TPP access is restricted to the functions in their permissions matrix.</li><li>Design groupings for object permissions (if required), e.g. a Lender's profile may contain permissions for statements and balances only, while a Trader's profile may include payments and balances but restrict statements.</li><li>Ensure compliance with the NDPR, 2019.</li></ul> | AP, TPP | |
| Consent Framework | <ul><li>Create the consent management data structure, including authentication, authorization and audit trail structures.</li><li>Ensure consumer data access is based on the features the consumer authorized as well as the TPP's permissions.</li><li>Design and implement strong authentication channels according to the desired flows and risk policies. At least one channel should be implemented.</li><li>Implement user-channel options for controlling TPP access.</li><li>Implement transcript reporting.</li></ul> | AP, TPP | |
| General Requirements | <ul><li>Obtain ISO 9001 and ISO 27001 certifications or equivalent accreditations.</li></ul> | AP | TPP |
| Transport Security | <ul><li>Implement the OBN general data security requirements, including a network DMZ, SSL certificates and secure file share channels.</li></ul> | AP, TPP | |
| Endpoint Security | <ul><li>Enforced at the API.</li></ul> | AP, TPP | |
| Data Storage | <ul><li>Create OLTP and OLAP processing systems with a synchronization process and redundancies.</li><li>Audit database structures to ensure compliance with the ownership framework.</li><li>Ensure non-essential and verbose information is limited, especially in OLTP systems, to reduce processing overhead.</li><li>Configure retention policies for transactional, consent, audit and configuration records in line with the indicated standards.</li></ul> | AP, TPP | |
| Data Security | <ul><li>Comply with the data security guidelines enumerated above.</li></ul> | AP, TPP | |
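
The Data Ownership and Consent Framework rows together describe one authorization decision: a TPP call is allowed only when the requested function is both in the TPP's permission profile and in what the consumer actually consented to, with every decision recorded for audit. The following is an added illustration, not code from the checklist or from any OBN implementation; the profile names, permission sets and `Consent` structure are assumptions chosen to mirror the Lender/Trader example above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Object-permission groupings ("profiles") from the checklist's example.
# Assumed values: a real AP loads these from the agreed permissions matrix.
PROFILES = {
    "lender": frozenset({"statements", "balances"}),
    "trader": frozenset({"payments", "balances"}),   # statements restricted
}


@dataclass
class Consent:
    """Consent record: which functions one consumer authorized for one TPP,
    plus the audit trail the framework requires (assumed shape)."""
    consumer_id: str
    tpp_id: str
    features: frozenset                 # functions the consumer authorized
    audit_trail: list = field(default_factory=list)


def authorise(consent: Consent, tpp_profile: str, tpp_id: str,
              function: str) -> bool:
    """Allow only if BOTH the TPP's profile and the consumer's consent include
    the function.  Either check failing is a DENY; every decision is logged."""
    allowed_by_profile = function in PROFILES.get(tpp_profile, frozenset())
    # The consent must belong to this TPP; a consent granted to another
    # TPP never transfers, even for the same consumer and function.
    allowed_by_consent = (consent.tpp_id == tpp_id
                          and function in consent.features)
    decision = allowed_by_profile and allowed_by_consent
    consent.audit_trail.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "consumer": consent.consumer_id, "tpp": tpp_id, "function": function,
        "profile_ok": allowed_by_profile, "consent_ok": allowed_by_consent,
        "decision": "ALLOW" if decision else "DENY",
    })
    return decision


if __name__ == "__main__":
    # Constructed sample: consumer consented to everything, but the TPP's
    # lender profile still excludes payments (data minimisation by profile).
    c = Consent("cust-001", "tpp-lend",
                frozenset({"balances", "statements", "payments"}))
    for fn in ("balances", "statements", "payments"):
        print(fn, authorise(c, "lender", "tpp-lend", fn))
    for entry in c.audit_trail:           # the "transcript" for reporting
        print(entry)
```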

