Partner security control requirements


Physical security

Partner security control requirements (PSCRs) are the security controls we expect our Embedded Banking Partners to maintain, as a minimum, throughout their partnership with us.

PH-001: Physical Risk Assessments

Description: Partners will ensure that security risk assessments are undertaken to review physical security controls and processes at sites and premises undertaking activities supporting the partnership with ClearBank.

Assessments must be completed by suitably experienced or qualified individuals and must consider the design and operational effectiveness of physical security controls to mitigate the current threat profile of the facility and any emerging issues that may impact the site.

Minimum frequency: Annual

Purpose: Security Risk Assessments provide an accurate snapshot of Partners' physical security environments, controls and processes, and their current operational effectiveness.

PH-002: Access control

Description: Electronic, mechanical or digital physical access controls are to be deployed and managed in all Partner premises.

All security systems are to be installed, operated and maintained in accordance with applicable legal and regulatory requirements. Equipment selection must be proportionate to current physical security threats identified during the Security Risk Assessment conducted for each location.

Minimum frequency: Continuous

Purpose: Effective access control is part of a layered approach to protecting premises from unauthorised access and to ensuring the security of business assets.

PH-003: Security personnel

Description: Physical security personnel must be deployed where it is appropriate and proportionate in view of the Security Risk Assessment conducted for each facility, as per PH-001.

Minimum frequency: Continuous

Purpose: Physical security personnel are part of the layered controls to protect premises and assets from unauthorised access.

PH-004: Data centres

Description: All data centres and cloud provider facilities used or relied upon by Partners must be secured to prevent unauthorised access or damage to ClearBank data.

All data centres are to have layered technical and physical controls and procedures in place to protect the perimeter, building and integrity of the data halls. Appropriate controls include, but are not limited to, security cameras, intruder detection systems, physical access controls and security personnel.

Where Partners utilise public cloud services to store ClearBank data, Partners must ensure that formal due diligence and ongoing oversight are conducted to confirm that layered technical and physical controls and procedures are in place to protect Partner assets.

Minimum frequency: Annual

Purpose: To protect data and assets held within data centres from the risk of loss, damage or theft resulting from unauthorised access.

Information security

IS-001: Information security framework

Description: Partners must establish a framework for Information Security governance to ensure there is appropriate understanding of their people, process and technology environment and of the effectiveness of their information security controls.

The information security framework must be documented and include administrative, technical, and physical measures to protect data from unauthorised access, loss, misuse, alteration or destruction.

Minimum frequency: Continuous

Purpose: An effective security governance framework sets the overall security tone and posture for the organisation.

IS-002: Information risk management

Description: Partners must establish an information security risk management program that effectively assesses, mitigates and monitors security risks throughout and around their environments.

Minimum frequency: Continuous

Purpose: Risk Management enables visibility of, and accountability for, security risks impacting the organisation and drives informed decision making.

IS-003: Acceptable use

Description: Partners should publish acceptable use requirements for their systems and data to inform all partner personnel of the requirements they must abide by to reduce partners' exposure to security risk.

Appropriate steps should be taken to ensure compliance with these requirements (e.g. training, testing, monitoring and disciplinary action).

Minimum frequency: Continuous

Purpose: Acceptable use requirements help to underpin the control environment protecting data and assets.

IS-004: Supply chain security

Description: Partners must maintain a supplier security assurance process to ensure their sub-contractors and data sub-processors are risk assessed, subject to appropriate due diligence, commit to proportionate contractual security obligations protecting any ClearBank data they access, and are subject to regular oversight to ensure that all critical security controls remain effective in both design and operation.

Minimum frequency: Annual

Purpose: Provides assurance that Partners' suppliers will maintain appropriate security controls to protect ClearBank's interests.

IS-005: Security breach notification

Description: Partners must notify ClearBank within 48 hours of identifying any actual or suspected security incident impacting or involving ClearBank systems, ClearBank data processed by the partner (or by a sub-processor of the partner), or ClearBank's sites and facilities.

Partners must keep records of all investigations and remedial actions relating to the security incident, including identifying the impact of the incident and the steps taken to mitigate its effects.

Minimum frequency: Continuous

Purpose: Breach notification requirements ensure ClearBank and other relevant stakeholders are informed about incidents that may impact the bank and can respond in an appropriate and timely manner.

IS-006: Security training

Description: Partners must ensure that all personnel undertake mandatory information security training within one month of joining their organisation, and at least annually thereafter. Training content should include coverage of common threats/attacks, essential controls and policies, as well as an assessment to confirm the content was retained and understood.

Minimum frequency: Annual

Purpose: Effective personnel training and education supports all other controls protecting data and assets.

IS-007: Security incident management

Description: Partners must establish a security incident management process that effectively validates, contains and mitigates security incidents within the Partners' environment.

Partners must regularly test their incident response plans to ensure the effectiveness of their response in the event of a genuine incident.

Minimum frequency: Annual Testing

Purpose: An incident management and response process helps to ensure that incidents are quickly contained and prevented from escalating.

IS-008: Asset management

Description: Partners must maintain an effective asset management process. Asset management should govern the lifecycle of assets from acquisition to retirement, providing visibility of, and security for, all classes of asset in the environment.

Minimum frequency: Continuous

Purpose: A complete and accurate inventory of information and technology assets is essential for ensuring appropriate controls are maintained to protect them.

IS-009: Network security

Description: Partners must ensure all IT systems they operate (and those operated on their behalf by a sub-contractor) are protected from unauthorised lateral movement of threats within their (and any relevant sub-contractors') networks. Partners must monitor the flows of data transiting their networks to identify and analyse anomalous access patterns or activities in the data.

Minimum frequency: Continuous

Purpose: If network security controls are not implemented, external or internal networks could be subverted by attackers and unauthorised access could be gained to data and/or systems.

IS-010: Log management

Description: Partners must ensure that there is an established log management framework which confirms that key IT systems, including applications, networking equipment, security devices and servers, are set to log key events. Logs must be centralised, secured and retained by Partners for a minimum period of 12 months to support necessary investigations.

Minimum frequency: Continuous

Purpose: This control will enable Partners to detect and respond to inappropriate, malicious or anomalous activities on their systems within reasonable timescales.

IS-011: Malware defences

Description: Partners must have policies, procedures and supporting processes and technical measures in place to prevent the execution of malware on end-point devices (i.e. staff laptops and mobile devices) and IT infrastructure, network and system components.

Malware defences should include mechanisms that perform behavioural analysis of executable code and sandboxing capabilities.

Minimum frequency: Continuous

Purpose: Anti-malware solutions are vital for protection against the impact of malicious code.

IS-012: Secure configuration standards

Description: Partners must have an established framework to ensure that all systems and networking equipment are securely configured in accordance with industry standards (e.g. CIS).

Minimum frequency: Continuous

Purpose: Standard build controls help to protect systems/data from unauthorised access.

IS-013: Endpoint security

Description: Partners must ensure that endpoints used to access ClearBank data are hardened to protect against attacks. The endpoint security build must include:

  • Disk encryption.
  • Disabling all unneeded software, services and ports.
  • Disabling administration rights for local users.

Minimum frequency: Continuous

Purpose: If this control is not implemented, endpoints may be vulnerable to attacks.

IS-014: Encryption

Description: Partners must ensure that ClearBank data is encrypted at rest using industry-standard encryption algorithms (AES 256-bit encryption or better). Partners must encrypt all ClearBank data in transit, including personal data and backups, using industry-standard cryptographic protocols (TLS 1.2 or better).

Minimum frequency: Continuous

Purpose: Encryption is crucial to maintaining the confidentiality and integrity of data at rest and in transit.

IS-015: Data leakage prevention

Description: Partners must maintain measures to protect against inappropriate data leakage including, but not limited to, monitoring and responding to the following:

  • Email and other communication channels used for unauthorised transfer of information outside the Partners' network.
  • Internet / web gateway (including online storage and webmail).
  • Loss or theft of data on portable electronic media (including data on laptops, mobile devices, and portable media).
  • Unauthorised transfer of information to portable media.
  • Insecure information exchange with third parties (e.g. subcontractors).
  • Inappropriate printing or copying of data.

Minimum frequency: Continuous

Purpose: Appropriate controls must be operated effectively in order to ensure that confidential information is restricted to those who should be allowed to access it (confidentiality), protected from unauthorised changes (integrity) and can be retrieved and presented when it is required (availability).

IS-016: Secure development

Description: Where Partners develop applications, secure coding practices, including coverage of the OWASP Top 10 application security risks, must be applied. Applications must be developed in a secure environment.

Where Partners develop applications, a Secure Development Lifecycle (SDLC) framework must be established to prevent security breaches and to identify and remediate vulnerabilities in the code during the development process.

Minimum frequency: Continuous

Purpose: Controls protecting application development help to ensure that applications are secure prior to deployment.

IS-017: Penetration testing

Description: Partners must engage an independent external security tester to perform an assessment of their IT infrastructure and web applications. Penetration testing must be conducted on an annual basis at minimum to identify, prioritise and resolve any actively exploitable vulnerabilities in a timely manner.

Critical findings should follow a predetermined remediation timeline reflective of industry standards.

Minimum frequency: Annual

Purpose: If this control is not implemented, Partners may be unable to assess the cyber threats they face and the appropriateness and strength of their defences.

IS-018: Logical Access Management (LAM)

Description: Access to Partners' systems and data must be restricted and should be managed in line with the following principles:

  • The need-to-know principle, that people should only have access to information they are required to know in order to perform their authorised duties;
  • The principle of least privilege, which states that people should only have the minimum level of privilege necessary to perform their authorised duties; and
  • The segregation of duties principle, that at least two individuals are responsible for the separate parts of any task to prevent error and fraud.

Minimum frequency: Continuous

Purpose: Appropriate LAM controls help to ensure that data and systems are protected from inappropriate usage.

IS-019: Vulnerability management

Description: Partners must maintain policies, procedures and supporting processes and technical measures to enable the timely detection of vulnerabilities within their applications, infrastructure, network and system components.

Critical findings should follow a predetermined remediation timeline reflective of industry standards.

Minimum frequency: Quarterly

Purpose: If this control is not implemented, attackers could exploit vulnerabilities within systems to carry out attacks against Partners' systems.

IS-020: Patch management

Description: Partners must maintain policies, procedures and supporting processes and technical measures to enable the timely deployment of new security patches to all end-point devices and IT infrastructure, network and system components. If a system cannot be patched, Partners must implement appropriate controls to mitigate the risk.

Minimum frequency: Monthly

Purpose: If this control is not implemented, services may be vulnerable to security issues which could compromise data, cause loss of service or enable other malicious activity.

IS-021: Mobile device management

Description: Partners must maintain policies, procedures, and supporting processes to ensure that where ClearBank data is accessible on mobile devices, appropriate security measures are implemented to protect such data whilst it is being accessed, processed, or stored on those mobile devices. Where Partners' employees are permitted to use personal devices to access ClearBank data, Partners must implement a Bring Your Own Device (BYOD) policy that requires appropriate controls to be implemented and maintained to restrict data to approved users and applications.

Minimum frequency: Continuous

Purpose: Mobile device management solutions implement security policies, settings, and software configurations to identify potential mobile device vulnerabilities and reduce the risk of data being compromised.

IS-022: Environment management

Description: Partners must ensure that separate environments are used for development, testing and production.

ClearBank's data must not be stored or processed in partners' test environments or any other environments that are not protected by controls at least commensurate with those protecting their production environments.

Minimum frequency: Continuous

Purpose: These requirements are designed to ensure that data is not negatively impacted by activities performed in environments that are not subject to the same security configurations as the production environment.

IS-023: Business continuity and disaster recovery

Description: Partners must maintain Business Continuity (BC) and Disaster Recovery (DR) policies, procedures, and supporting processes to ensure effective response to disruptions and incidents.

Partners' BC and DR plans must detail critical activities, processes, systems, people and timelines, and must be reviewed, tested and updated at least annually.

Minimum frequency: Annual Testing

Purpose: These requirements seek to preserve the resilience of security controls used to protect partners' systems and data.

Personnel security

HR-001 / HR-002 / HR-003: Identity verification, Address verification, Credit check

Description: Partners will perform background checks on all new personnel, including but not limited to the following:

  • Checking valid, original photographic identity evidence (HR-001).
  • Ensuring new personnel reside at a fixed abode by obtaining a suitable and recent document addressed to the individual that bears their home address (HR-002).
  • Undertaking a credit and bankruptcy check of all new personnel (HR-003).

Minimum frequency: One time

Purpose (HR-001): Background checks prove that personnel are who they say they are.

Purpose (HR-002): The physical address of the individual corroborates identity checks.

Purpose (HR-003): Credit checks can identify individuals who may pose a greater risk if subject to external financial pressure.

HR-004: Reference checks

Description: Partners will:

  • Verify the employment history of new personnel (last three years at minimum).
  • Conduct reference checks to confirm that the employment history was without incident.

Minimum frequency: One time

Purpose: To confirm the suitability and integrity of new personnel and to verify that references provided are genuine.

HR-005: Criminal history checks

Description: Partners will (where permitted by local legislation) undertake, via appropriate agencies, a check for criminal convictions.

Minimum frequency: One time

Purpose: These checks can help to determine whether personnel are of good character and guard against the unauthorised disclosure of confidential data by individuals with criminal or malicious intent.

Information security oversight approach

Partner oversight

This is how we ensure our partners comply with the PSCRs and maintain a strong security posture.

SO-001: Security audit rights

Description: ClearBank maintains the right to conduct on-site or remote audits of partners' security controls on an annual basis to verify compliance with the PSCRs.

Minimum frequency: Annual

Purpose: Audits provide ClearBank with a mechanism to actively verify partners' compliance with the PSCRs and to observe the operational effectiveness of specific controls.

SO-002: Security compliance questionnaires

Description: ClearBank will require partners to complete and return a security compliance questionnaire biannually. These questionnaires must be completed as thoroughly as possible, attaching appropriate evidence as required.

Partners must notify ClearBank in the event of material changes being made to security controls and infrastructure referred to in their most recent questionnaire submission.

Minimum frequency: Biannual

Purpose: ClearBank's security questionnaires provide a high-level, point-in-time overview of partners' security controls.

SO-003: OSINT scan

Description: ClearBank will use advanced OSINT (Open-Source Intelligence) tools (e.g. Panorays) to unobtrusively assess the external security posture of partners on a continuous basis.

Minimum frequency: Continuous

Purpose: ClearBank utilises OSINT tools to monitor partners' external security posture by means of publicly accessible data sources.

SO-004: Critical finding remediation

Description: Where ClearBank's PSCR oversight mechanisms identify critical findings, partners must engage with ClearBank (and/or Panorays, if appropriate) to challenge or agree remediation plans in order to resolve such findings in a timely manner.

Minimum frequency: Continuous

Purpose: Critical findings must be promptly and effectively managed to ensure that both ClearBank and its partners are not exposed to excessive levels of security risk.

SO-005: Certification/assurance documentation

Description: Upon request, partners must provide ClearBank with the latest copies of independent certifications or reports obtained by partners that demonstrate continued achievement of any information security related accreditations communicated to ClearBank during the partner onboarding process.

Minimum frequency: Annual

Purpose: Where partners have referred to achieving independently assessed security accreditations (e.g. ISO 27001), ClearBank will require evidence that partners continue to maintain such standards throughout the partnership.

SO-006: Key Risk Indicators (KRIs)

Description: Partners must provide ClearBank with regular reporting against defined security KRI metrics. These KRIs will form a core part of Service Review Committee (SRC) reporting.

Minimum frequency: Quarterly

Purpose: KRIs provide ClearBank with a consistent means to monitor the operation of key controls maintained by our partners.

SO-007: Partner security representation (SRC)

Description: Partners must ensure that an appropriate representative of their security function attends the SRC to enable discussion around KRIs, trends, remedial actions and other relevant security matters that may impact the partnership.

Minimum frequency: Quarterly

Purpose: Participation in the SRC is essential to building and maintaining effective and cohesive working relationships between the security teams of ClearBank and its partners.