Security-Readiness Checklist

Columns: Category / Requirement / Required / Recommended

Data Ownership

  • Determine which data types are exposed by APIs and categorize accordingly.

  • Ensure non-essential consumer profile data is not released.

  • Ensure contracts restrict the usage of consumer data to agreed scenarios.

  • Confirm TPP access is restricted to the functions in their permissions matrix.

  • Design groupings for object permissions (if required), e.g. a Lender's profile may contain permissions for statements and balances only, while a Trader's profile may include payments and balances but restrict statements.

  • Ensure compliance with the NDPR, 2019.

Required: AP, TPP

Consent Framework

  • Create the consent management data structure including Authentication, Authorizations and audit trail structures.

  • Ensure consumer data access is based on authorized features as well as TPP permissions.

  • Design and implement strong authentication channels according to the desired flows and risk policies. At least one channel should be implemented.

  • Implement user-channel options for controlling TPP access.

  • Implement transcript reporting.

Required: AP, TPP

General Requirements

  • Obtain ISO 9001 and 27001 certifications or equivalent accreditations.

Required: AP

Recommended: TPP

Transport Security

  • Implement OBN general data security requirements including network DMZ, SSL certificates and secure file share channels.

Required: AP, TPP

Endpoint Security

  • Enforced on the API.

Required: AP, TPP

Data Storage

  • Create OLTP and OLAP processing systems with a synchronization process and redundancies.

  • Audit database structures to ensure compliance with the ownership framework.

  • Ensure non-essential and verbose information is limited, especially in OLTP systems, to reduce processing overhead.

  • Configure retention policies for transactional, consent, audit and configuration records in line with indicated standards.

Required: AP, TPP

Data Security

  • Comply with the data security guidelines enumerated above.

Required: AP, TPP
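The permissions-matrix item under Data Ownership and the consent-based access item under Consent Framework, as an added example that is not part of the OBN checklist itself: a deny-by-default decision that requires both a TPP profile permission and an unexpired consumer consent, and writes an audit-trail entry for every decision. The profile contents follow the checklist's Lender/Trader illustration; the TPP ids, consumer ids, fixed clock and consent records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Permissions matrix: TPP profile -> API functions it may call.
PROFILE_PERMISSIONS = {
    "lender": {"statements", "balances"},
    "trader": {"payments", "balances"},  # statements deliberately excluded
}

@dataclass
class Consent:
    consumer_id: str
    tpp_id: str
    features: frozenset   # functions the consumer authorised for this TPP
    expires_at: datetime

@dataclass
class AccessDecision:
    allowed: bool
    reason: str

AUDIT_TRAIL = []  # append-only record of every access decision

def authorize(tpp_id, profile, consumer_id, function, consents, now):
    """Deny by default: allow only when the TPP profile permits the function
    AND an unexpired consent from this consumer grants it to this TPP."""
    if function not in PROFILE_PERMISSIONS.get(profile, set()):
        decision = AccessDecision(False, f"profile '{profile}' lacks '{function}'")
    elif any(c.consumer_id == consumer_id and c.tpp_id == tpp_id
             and function in c.features and c.expires_at > now for c in consents):
        decision = AccessDecision(True, "profile and consent both permit")
    else:
        decision = AccessDecision(False, "no valid consent")
    AUDIT_TRAIL.append({"ts": now.isoformat(), "tpp": tpp_id, "consumer": consumer_id,
                        "function": function, "allowed": decision.allowed,
                        "reason": decision.reason})
    return decision

# Constructed sample data (hypothetical ids): a fixed clock and three consents.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
_valid_until = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_CONSENTS = [
    Consent("cust-001", "tpp-lend", frozenset({"statements", "balances"}), _valid_until),
    Consent("cust-001", "tpp-trade", frozenset({"balances"}), _valid_until),
    Consent("cust-002", "tpp-trade", frozenset({"payments"}),
            datetime(2023, 12, 31, tzinfo=timezone.utc)),  # already expired
]
```

A real deployment would key the profile off the authenticated TPP credential rather than passing it as an argument, and persist AUDIT_TRAIL to tamper-evident storage.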
