
Cyber Security En-12-13

The document discusses data governance and security controls including developing a data governance program, identifying and classifying sensitive data elements, and creating a centralized platform for managing data access. It also discusses strategy and policies controls such as setting cybersecurity strategy aligned with objectives, and defining cybersecurity responsibilities. Finally, it discusses training and awareness controls like developing a cybersecurity awareness program to educate employees on protecting information assets.

Uploaded by

Carlos Alvarez

Security Domains

4.1.2 Data Governance and Security


Purpose: To ensure that data is secured and kept confidential, available and integral.

Main Controls:
1 Develop and design Data Governance Program.
2 Identify data fields.
   - Data Owners
   - Data managers
   - Data Custodians
   - Data users
   - Data Dictionaries
   - Business procedures
   - Data lists
   - Report lists
   - Systems and applications
   - Policies and standards
3 Identify sensitive data elements within data fields.
4 Determine classification and mechanism of data encoding according to level of importance.
5 Identify privacy of data and information.
6 Create centralized platform for managing and controlling changes and providing access to sensitive data assets.
7 Specify mechanism to measure level of data protection.
8 Identify and implement workflow plans of governance structure and key data elements and fields.
9 Observe, monitor, and report workflow procedures.

4.1.3 Strategy and Policies


Purpose: Set out, document, implement and approve cybersecurity strategy and policies,
circulate them to the related parties and ensure compliance therewith.

Main Controls:
1 Set out, document, implement, approve and periodically update cybersecurity strategy.
2 The cybersecurity strategy shall be aligned with the overall objectives of the market institution and any related regulatory requirements.
3 Cybersecurity strategy shall include the following:
   1 Importance of cybersecurity for the market institution.
   2 The expected cybersecurity state of the market institution until it is able to counter cybersecurity threats.
   3 Develop a time plan to implement cybersecurity initiatives, projects and strategies.
Classification: Public
4 Set out, document, implement and approve cybersecurity strategy and policies, circulate the same to related parties, and ensure compliance therewith.
5 Review cybersecurity policies periodically in accordance with pre-defined review plan.
6 Support cybersecurity policies with detailed security technical standards (e.g., passcode and firewall standards) to be based on local and international best practices and standards.
7 Cybersecurity policies shall include the following:
   1 Definition of Cybersecurity.
   2 The scope and objectives of the capital market institution cybersecurity.
   3 Support of senior management to cybersecurity program and objectives.
   4 Identification of cybersecurity responsibilities and roles.
   5 Indication of the reference of applicable cybersecurity standards.
   6 Cybersecurity controls shall include the following:
      1 Classifying information in a way that demonstrates its importance to a market institution.
      2 Defining ownership of all information assets.
      3 Evaluating cybersecurity risks of information assets.
      4 Making staff aware of cybersecurity.
      5 Complying with agreements as well as regulatory and contractual obligations.
      6 Reporting cybersecurity violations and suspected security vulnerabilities.
      7 Applying cybersecurity requirements to Business Continuity Management.

4.1.4 Training and Awareness


Purpose: To introduce a cybersecurity program to train and educate capital market
institutions' employees, customers and stakeholders, with the aim of protecting the capital
market institution’s information and technical assets.

Main Controls:
1 Develop, approve, document, and implement a Cybersecurity Awareness Program to
promote Cybersecurity awareness.
2 The Cybersecurity Awareness Program aims to provide protection against the highest
cybersecurity threats and risks and to address different groups using multiple channels.
3 Cybersecurity Awareness Program shall be launched periodically.
