Security-Readiness Checklist
Last updated
Category | Requirement | Required | Recommended |
---|---|---|---|
Data Ownership | Determine which data types are exposed by APIs and categorize accordingly.<br>Ensure non-essential consumer profile data is not released.<br>Ensure contracts restrict the usage of consumer data to agreed scenarios.<br>Confirm TPP access is restricted to functions in their permissions matrix.<br>Design groupings for object permissions (if required), e.g. a Lender's profile may contain permissions for statements and balances only, while a Trader's profile may include payments and balances but restrict statements.<br>Ensure compliance with NDPR, 2019. | AP, TPP | |
Consent Framework | Create the consent management data structure, including authentication, authorization and audit trail structures.<br>Ensure consumer data access is based on authorized features as well as TPP permissions.<br>Design and implement strong authentication channels according to the desired flows and risk policies. At least one channel should be implemented.<br>Implement user-channel options for controlling TPP access.<br>Implement transcript reporting. | AP, TPP | |
General Requirements | Obtain ISO 9001 and 27001 certifications or equivalent accreditations. | AP | TPP |
Transport Security | Implement OBN general data security requirements, including a network DMZ, SSL certificates and secure file share channels. | AP, TPP | |
Endpoint Security | Enforced on API. | AP, TPP | |
Data Storage | Create OLTP and OLAP processing systems with a synchronization process and redundancies.<br>Audit database structures to ensure compliance with the ownership framework.<br>Ensure non-essential and verbose information is limited, especially in OLTP systems, to reduce processing overhead.<br>Configure retention policies for transactional, consent, audit and configuration records in line with the indicated standards. | AP, TPP | |
Data Security | Comply with the data security guidelines enumerated above. | AP, TPP | |
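The joint check described in the Data Ownership and Consent Framework rows (access allowed only when a feature is both in the TPP's permissions matrix and covered by an active consumer consent, with every decision written to an audit trail), as an added Python example that is not part of the checklist or any OBN reference code. The profile groupings follow the checklist's Lender/Trader example; the TPP registry, feature names and record layout are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed profiles following the checklist's example: a Lender's profile reads
# statements and balances only; a Trader's profile reads payments and balances.
PROFILES = {
    "lender": frozenset({"statements", "balances"}),
    "trader": frozenset({"payments", "balances"}),
}

@dataclass
class Consent:
    """Consent record: the features one consumer authorized for one TPP."""
    consumer_id: str
    tpp_id: str
    features: frozenset
    active: bool = True

@dataclass
class AccessGate:
    """Allows a call only if the TPP permissions matrix AND an active consent do."""
    tpp_profiles: dict                              # tpp_id -> profile name (assumed registry)
    consents: dict = field(default_factory=dict)    # (consumer_id, tpp_id) -> Consent
    audit: list = field(default_factory=list)       # append-only decision trail
    def grant(self, consent):
        self.consents[(consent.consumer_id, consent.tpp_id)] = consent

    def revoke(self, consumer_id, tpp_id):
        """User-channel control: the consumer withdraws a TPP's access."""
        consent = self.consents.get((consumer_id, tpp_id))
        if consent:
            consent.active = False

    def authorize(self, consumer_id, tpp_id, feature):
        matrix = PROFILES.get(self.tpp_profiles.get(tpp_id), frozenset())
        consent = self.consents.get((consumer_id, tpp_id))
        in_matrix = feature in matrix
        consented = bool(consent and consent.active and feature in consent.features)
        if not in_matrix:
            reason = "not in TPP permissions matrix"
        elif not consented:
            reason = "no active consent for feature"
        else:
            reason = "ok"
        # Every decision, allowed or denied, is recorded for the audit trail.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "consumer": consumer_id, "tpp": tpp_id, "feature": feature,
                           "allowed": in_matrix and consented, "reason": reason})
        return in_matrix and consented
```

A denial is logged with the reason that failed first, so a review of the trail distinguishes a TPP exceeding its matrix from a consumer who never consented or later revoked.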