Security-Readiness Checklist

Data Ownership

• Determine which data types are exposed by APIs and categorize accordingly.

• Ensure non-essential consumer profile data is not released.

• Ensure contracts restrict the usage of consumer data to agreed scenarios.

• Confirm TPP access is restricted to functions in their permissions matrix

• Design groupings for object permissions (if required) e.g. Lender's Profile may contain permissions for statements and balances only, Trader's profile may include payments and balances, but restrict statements.

• Ensure compliance with NDPR, 2019

AP, TPP

Consent Framework

• Create the consent management data structure including Authentication, Authorizations and audit trail structures.

• Ensure consumer data access is based on authorized features as well as TPP permissions

• Design and Implement strong authentication channels according to desired flows and risk polices. At least one channel should be implemented.

• Implement user-channel options for controlling TPP access.

• Implement transcript reporting

AP, TPP

General Requirements

• Obtain ISO 9001 and 27001 certifications or equivalent accreditations.

AP

TPP

Transport Security

• Implement OBN general data security requirements including network DMZ, SSL certificates and secure file share channels.

AP, TPP

Endpoint Security

• Enforced on API

AP, TPP

Data Storage

• Create OLTP and OLAP processing systems with synchronization process and redundancies

• Audit database structures to ensure compliance with ownership framework

• Ensure non-essential and verbose information are limited especially in OLTP systems to reduce processing overhead.

• Configure retention policies for transactional, consent, audit and configuration records in line with indicated standards.

AP, TPP

Data Security

• Comply with the data security guidelines enumerated above.

AP, TPP