Security-Readiness Checklist

Each category below lists its requirements, followed by the parties (AP, TPP) for which the category is Required or Recommended.

Data Ownership (Required: AP, TPP)
  • Determine which data types are exposed by APIs and categorize accordingly.
  • Ensure non-essential consumer profile data is not released.
  • Ensure contracts restrict the usage of consumer data to agreed scenarios.
  • Confirm TPP access is restricted to the functions in their permissions matrix.
  • Design groupings for object permissions (if required), e.g. a Lender's profile may contain permissions for statements and balances only, while a Trader's profile may include payments and balances but restrict statements.
  • Ensure compliance with NDPR, 2019.

Consent Framework (Required: AP, TPP)
  • Create the consent management data structure, including authentication, authorization and audit trail structures.
  • Ensure consumer data access is based on authorized features as well as TPP permissions.
  • Design and implement strong authentication channels according to the desired flows and risk policies. At least one channel should be implemented.
  • Implement user-channel options for controlling TPP access.
  • Implement transcript reporting.

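As an added illustration of the Data Ownership and Consent Framework items above (example code, not part of the checklist or of any OBN reference implementation): an access decision that requires both the TPP's permission matrix and the consumer's consent to cover the requested resource, denies by default, and records every decision in an audit trail. The profile names reuse the checklist's Lender/Trader example; the resource names, identifiers and sample consent record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Tuple

# Permission groupings from the checklist: a lender may read statements and
# balances only; a trader may initiate payments and read balances, not statements.
PROFILES = {
    "lender": frozenset({"statements", "balances"}),
    "trader": frozenset({"payments", "balances"}),
}


@dataclass
class Consent:
    consumer_id: str
    tpp_id: str
    scopes: FrozenSet[str]   # resources the consumer authorised for this TPP
    expires_at: datetime
    revoked: bool = False


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


# Append-only audit trail: (timestamp, tpp, consumer, resource, allowed, reason)
AUDIT_TRAIL: List[Tuple[str, str, str, str, bool, str]] = []


def authorize(tpp_id: str, profile: str, consent: Consent, resource: str,
              now: Optional[datetime] = None) -> AccessDecision:
    """Grant access only if BOTH the TPP matrix and the consumer consent allow it."""
    now = now or datetime.now(timezone.utc)
    if resource not in PROFILES.get(profile, frozenset()):
        decision = AccessDecision(False, "resource not in TPP permission matrix")
    elif consent.tpp_id != tpp_id:
        decision = AccessDecision(False, "consent was granted to a different TPP")
    elif consent.revoked:
        decision = AccessDecision(False, "consent revoked by consumer")
    elif now >= consent.expires_at:
        decision = AccessDecision(False, "consent expired")
    elif resource not in consent.scopes:
        decision = AccessDecision(False, "resource not covered by consumer consent")
    else:
        decision = AccessDecision(True, "permitted")
    AUDIT_TRAIL.append((now.isoformat(), tpp_id, consent.consumer_id,
                        resource, decision.allowed, decision.reason))
    return decision
```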
General Requirements (Required: AP; Recommended: TPP)
  • Obtain ISO 9001 and 27001 certifications or equivalent accreditations.

Transport Security (Required: AP, TPP)
  • Implement OBN general data security requirements, including network DMZ, SSL certificates and secure file share channels.

Endpoint Security (Required: AP, TPP)
  • Enforced on API.

Data Storage (Required: AP, TPP)
  • Create OLTP and OLAP processing systems with a synchronization process and redundancies.
  • Audit database structures to ensure compliance with the ownership framework.
  • Ensure non-essential and verbose information is limited, especially in OLTP systems, to reduce processing overhead.
  • Configure retention policies for transactional, consent, audit and configuration records in line with the indicated standards.

Data Security (Required: AP, TPP)
  • Comply with the data security guidelines enumerated above.