Partner security control requirements
Partner security control requirements (PSCRs) are the security controls we expect our Embedded Banking Partners to maintain, as a minimum, throughout their partnership with us.
Physical Risk Assessments
Partners will ensure that security risk assessments are undertaken to review physical security controls and processes at sites and premises undertaking activities supporting the partnership with ClearBank.
Assessments must be completed by suitably experienced or qualified individuals and must consider the design and operational effectiveness of physical security controls to mitigate the current threat profile of the facility and any emerging issues that may impact the site.
Security Risk Assessments provide an accurate snapshot of Partners' physical security environments, controls and processes, and of their current operational effectiveness.
Electronic, mechanical or digital physical access controls are to be deployed and managed in all Partner premises.
All security systems are to be installed, operated and maintained in accordance with applicable legal and regulatory requirements. Equipment selection must be proportionate to the current physical security threats identified during the Security Risk Assessment conducted for each location.
Effective access control is part of a layered approach to protecting premises from unauthorised access and ensuring the security of business assets.
Physical security personnel must be deployed where it is appropriate and proportionate in view of the Security Risk Assessment conducted for each facility, as per PH-001.
Physical security personnel are part of the layered controls to protect premises and assets from unauthorised access.
All data centres and cloud provider facilities used or relied upon by Partners must be secured to prevent unauthorised access or damage to ClearBank data.
All data centres are to have layered technical and physical controls and procedures in place to protect the perimeter, building and integrity of the data halls. Appropriate controls include, but are not limited to, security cameras, intruder detection systems, physical access controls and security personnel.
Where Partners utilise public cloud services to store ClearBank data, Partners must ensure that formal due diligence and ongoing oversight are conducted to confirm that layered technical and physical controls and procedures are in place to protect Partner assets.
This protects data and assets held within data centres from the risk of loss, damage or theft resulting from unauthorised access.
Information security framework
Partners must establish a framework for Information Security governance to ensure there is appropriate understanding of their people, process, technology environment and the effectiveness of their information security controls.
The information security framework must be documented and include administrative, technical, and physical measures to protect data from unauthorised access, loss, misuse, alteration or destruction.
An effective security governance framework sets the overall security tone and posture for the organisation.
Information risk management
Partners must establish an information security risk management programme that effectively assesses, mitigates and monitors security risks throughout their environments.
Risk Management enables visibility of, and accountability for, security risks impacting the organisation and drives informed decision making.
Partners should publish acceptable use requirements for their systems and data to inform all Partner personnel of the requirements they must abide by, in order to reduce Partners' exposure to security risk.
Appropriate steps should be taken to ensure compliance to these requirements (e.g. training, testing, monitoring and disciplinary action).
Acceptable use requirements help to underpin the control environment protecting data and assets.
Supply chain security
Partners must maintain a supplier security assurance process to ensure that their sub-contractors and data sub-processors are risk assessed, are subject to appropriate due diligence, commit to proportionate contractual security obligations protecting any ClearBank data they access, and are subject to regular oversight confirming that all critical security controls remain effective in both design and operation.
This provides assurance that Partners' suppliers will maintain appropriate security controls to protect ClearBank's interests.
Security breach notification
Partners must notify ClearBank within 48 hours of identifying any actual or suspected security incident impacting or involving ClearBank systems, ClearBank data processed by the partner (or by a sub-processor of the partner), or ClearBank’s sites and facilities.
Partners must keep records of all investigations and remedial actions relating to the security incident, including the identified impact of the incident and the steps taken to mitigate its effects.
Breach notification requirements ensure ClearBank and other relevant stakeholders are informed about incidents that may impact the bank and can respond in an appropriate and timely manner.
Partners must ensure that all personnel undertake mandatory information security training within one month of joining their organisation, and at least annually thereafter. Training content should include coverage of common threats/attacks, essential controls and policies as well as an assessment to confirm the content was retained and understood.
Effective personnel training and education supports all other controls protecting data and assets.
Security incident management
Partners must establish a security incident management process that effectively validates, contains and mitigates security incidents within the Partners' environments.
Partners must regularly test their incident response plans to ensure the effectiveness of their response in the event of a genuine incident.
An incident management and response process helps to ensure that incidents are quickly contained and prevented from escalating.
Partners must maintain an effective asset management process. Asset management should govern the lifecycle of assets from acquisition to retirement, providing visibility of and security to all classes of asset in the environment.
A complete and accurate inventory of information and technology assets is essential for ensuring appropriate controls are maintained to protect them.
Partners must ensure that all IT systems they operate (and those operated on their behalf by a sub-contractor) are protected from unauthorised lateral movement of threats within their (and any relevant sub-contractors') networks. Partners must monitor the flows of data transiting their networks to identify and analyse anomalous access patterns or activities in the data.
If Network Security controls are not implemented, external or internal networks could be subverted by attackers and unauthorised access could be gained to data and/or systems.
Partners must ensure that there is an established log management framework which confirms that key IT systems including applications, networking equipment, security devices and servers are set to log key events. Logs must be centralised, secured and retained by Partners for a minimum period of 12 months to support necessary investigations.
This control will enable Partners to detect and respond to inappropriate, malicious or anomalous activities on their systems within reasonable timescales.
Partners must have policies, procedures and supporting processes and technical measures in place to prevent the execution of malware on end-point devices (e.g. staff laptops and mobile devices) and on IT infrastructure, network and system components.
Malware defences should include mechanisms that perform behavioural analysis of executable code, together with sandboxing capabilities.
Anti-malware solutions are vital for protection against the impact of malicious code.
Secure configuration standards
Partners must have an established framework to ensure that all systems and networking equipment are securely configured in accordance with Industry Standards (e.g. CIS).
Standard build controls help to protect systems/data from unauthorised access.
Partners must ensure that endpoints used to access ClearBank data are hardened to protect against attacks. The endpoint security build must include:
- Disk encryption.
- Disabling all unneeded software, services and ports.
- Disabling administration rights for local users.
If this control is not implemented, endpoints may be vulnerable to attacks.
Partners must ensure that ClearBank data is encrypted at rest using industry-standard encryption algorithms (AES 256-bit encryption or better). Partners must encrypt all ClearBank data in transit, including personal data and backups, using industry-standard cryptographic protocols (TLS 1.2 or better).
Encryption is crucial to maintain the confidentiality and integrity of data at rest and in transit.
Data leakage prevention
Partners must maintain measures to protect against inappropriate data leakage including, but not limited to, monitoring and responding to the following:
- Email and other communication channels, for unauthorised transfer of information outside the Partner's network.
- Internet / web gateways (including online storage and webmail).
- Loss or theft of data on portable electronic media (including data on laptops, mobile devices and portable media).
- Unauthorised transfer of information to portable media.
- Insecure information exchange with third parties (e.g. subcontractors).
- Inappropriate printing or copying of data.
Appropriate controls must be operated effectively in order to ensure that confidential information is restricted to those who should be allowed to access it (confidentiality), protected from unauthorised changes (integrity) and can be retrieved and presented when it is required (availability).
Where Partners develop applications, secure coding practices that address the OWASP Top 10 application security risks must be followed. Applications must be developed in a secure environment.
Where Partners develop applications, a Secure Development Lifecycle (SDLC) framework must be established to prevent security breaches and to identify and remediate vulnerabilities in the code during the development process.
Controls protecting application development help to ensure that applications are secure prior to deployment.
Partners must engage with an independent external security tester to perform an assessment of their IT infrastructure and web applications. Penetration testing must be conducted on an annual basis at minimum to identify, prioritise and resolve any actively exploitable vulnerabilities in a timely manner.
Critical findings should follow a predetermined remediation timeline reflecting industry standards.
If this control is not implemented, Partners may be unable to assess the cyber threats they face and the appropriateness and strength of their defences.
Logical Access Management (LAM)
Access to Partners’ systems and data must be restricted and should be managed in line with the following principles:
- The need-to-know principle: people should only have access to information they are required to know in order to perform their authorised duties;
- The principle of least privilege: people should only have the minimum level of privilege necessary to perform their authorised duties; and
- The segregation of duties principle: at least two individuals are responsible for the separate parts of any task, to prevent error and fraud.
Appropriate LAM controls help to ensure that data and systems are protected from inappropriate usage.
Partners must maintain policies, procedures and supporting processes and technical measures to enable the timely detection of vulnerabilities within their applications, infrastructure, network and system components.
Critical findings should follow a predetermined remediation timeline reflecting industry standards.
If this control is not implemented, attackers could exploit vulnerabilities within systems to carry out attacks against Partners’ systems.
Partners must maintain policies, procedures and supporting processes and technical measures to enable the timely deployment of new security patches to all end-point devices and IT infrastructure, network and system components. If a system cannot be patched, Partners must implement appropriate controls to mitigate the risk.
If this control is not implemented, services may be vulnerable to security issues which could compromise data, cause loss of service or enable other malicious activity.
Mobile device management
Partners must maintain policies, procedures and supporting processes to ensure that, where ClearBank data is accessible on mobile devices, appropriate security measures are implemented to protect such data whilst it is being accessed, processed or stored on those devices. Where Partners' employees are permitted to use personal devices to access ClearBank data, Partners must implement a Bring Your Own Device (BYOD) policy that requires appropriate controls to be implemented and maintained to restrict data to approved users and applications.
Mobile device management solutions implement security policies, settings, and software configurations to identify potential mobile device vulnerabilities and reduce the risk of data being compromised.
Partners must ensure that separate environments are used for development, testing and production.
ClearBank’s data must not be stored or processed in partners’ test environments or any other environments that are not protected by controls at least commensurate to those protecting their production environments.
These requirements are designed to ensure that data is not negatively impacted by activities performed in environments that are not subject to the same security configurations as the production environment.
Business continuity and disaster recovery
Partners must maintain Business Continuity (BC) and Disaster Recovery (DR) policies, procedures, and supporting processes to ensure effective response to disruptions and incidents.
Partners' BC and DR plans must detail critical activities, processes, systems, people and timelines, and must be reviewed, tested and updated at least annually.
These requirements seek to preserve the resilience of the security controls used to protect Partners' systems and data.
Partners will perform background checks on all new personnel, including but not limited to the following:
- Checking valid, original photographic identity evidence.
- Ensuring new personnel reside at a fixed abode by obtaining a suitable and recent document addressed to the individual that bears their home address.
- Undertaking a credit and bankruptcy check of all new personnel.
- Verifying the employment history of new personnel (last three years at minimum).
- Conducting reference checks to confirm that the employment history was without incident.
Background checks prove that personnel are who they say they are. The individual's physical address corroborates the identity checks. Credit checks can identify individuals who may pose a greater risk if subject to external financial pressure. Employment history and reference checks confirm the suitability and integrity of new personnel and verify that the references provided are genuine.
Criminal history checks
Partners will (where permitted by local legislation) undertake, via appropriate agencies, a check for criminal convictions.
These checks can help to determine whether personnel are of good character and guard against the unauthorised disclosure of confidential data by individuals with a criminal or malicious intent.
Information security oversight approach
This is how we ensure our partners comply with the PSCRs and maintain a strong security posture.
Security audit rights
ClearBank maintains the right to conduct on-site or remote audits of partners’ security controls on an annual basis to verify compliance with the PSCRs.
Audits provide ClearBank with a mechanism to actively verify partners’ compliance with the PSCRs and to observe the operational effectiveness of specific controls.
Security compliance questionnaires
ClearBank will require partners to complete and return a security compliance questionnaire biannually. These questionnaires must be completed as thoroughly as possible, attaching appropriate evidence, as required.
Partners must notify ClearBank in the event of material changes being made to security controls and infrastructure referred to in their most recent questionnaire submission.
ClearBank’s security questionnaires provide a high-level, point-in-time overview of partners’ security controls.
ClearBank will use advanced OSINT (Open-Source Intelligence) tools (e.g. Panorays) to unobtrusively assess the external security posture of partners on a continuous basis.
ClearBank utilises OSINT tools to monitor partners’ external security posture by means of publicly accessible data sources.
Critical finding remediation
Where ClearBank’s PSCR oversight mechanisms identify Critical findings, partners must engage with ClearBank (and/or Panorays, if appropriate) to challenge or agree remediation plans in order to resolve such findings in a timely manner.
Critical findings must be promptly and effectively managed to ensure that both ClearBank and its partners are not exposed to excessive levels of security risk.
Upon request, partners must provide ClearBank with the latest copies of independent certifications or reports obtained by partners that demonstrate continued achievement of any Information Security related accreditations communicated to ClearBank during the partner onboarding process.
Where partners have referred to achieving independently assessed security accreditations (e.g. ISO 27001), ClearBank will require evidence that partners continue to maintain such standards throughout the partnership.
Key Risk Indicators (KRIs)
Partners must provide ClearBank with regular reporting against defined security KRI metrics. These KRIs will form a core part of Service Review Committee (SRC) reporting.
KRIs provide ClearBank with a consistent means to monitor the operation of key controls maintained by our partners.
Partner security representation (SRC)
Partners must ensure that an appropriate representative of their security function attends the SRC to enable discussion around KRIs, trends, remedial actions and other relevant security matters that may impact the partnership.
Participation in SRC is essential to building and maintaining effective and cohesive working relationships between the security teams of ClearBank and its partners.