Schedule 1 – Guidance on Technology Governance and Risk Assessment Frameworks
Introduction
All VASPs are required to implement a Technology Governance and Risk Assessment Framework under Rule I.A.1 of this Technology and Information Rulebook. This Schedule 1 is provided by VARA as Guidance to VASPs, to assist them in creating effective Technology Governance and Risk Assessment Frameworks.
VASPs should consider all categories of risk and the risk mitigation standards (as may be applicable), set out in this Schedule 1 of the Technology & Information Rulebook, when creating their Technology Governance and Risk Assessment Frameworks.
Nothing in this Schedule 1 of the Technology & Information Rulebook shall limit, reduce or otherwise amend any Rules, or other requirements, with which VASPs must comply, under any applicable laws or regulations, Regulations, Rules or Directives, including but not limited to in respect of Personal Data protection.
A. Risk Category 1: Organisational
1. Comprehensive security framework standard: VASPs are expected to utilise a balanced approach to ensure that security resources are allocated appropriately across their entire organisation, preventing security gaps and minimising single points of failure that attackers can exploit. VASPs are expected to implement a documented security framework that addresses both wallet infrastructure and enterprise security. The framework is expected to include, but not be limited to—
a. regular security assessments of all system components; b. formal risk assessment methodology, including risks inherent in both centralised and decentralised structures; c. governance structure with clear security accountability; and d. adoption of best-in-class standards.
2. Secure development lifecycle standard: To ensure that security is integrated throughout the development process, reducing the accumulation of security debt even in rapid development environments, VASPs are expected to establish and adhere to a formal secure development lifecycle methodology that incorporates security at every stage, from requirements gathering to deployment and maintenance. This methodology is expected to include, but not be limited to—
a. defining security requirements and mandatory security review gates before deployment; b. threat modelling for new features and secure coding standards; and c. post-implementation validation of the efficacy of the measures deployed.
3. Workforce security management standard: To address the unique challenges of the distributed workforce model common in the VA space, and to reduce the risk of compromised developer workstations leading to system intrusions, VASPs are expected to implement comprehensive workforce security controls, including but not limited to—
a. mandatory endpoint protection for all devices with access to any systems, including but not limited to production systems; b. regular security awareness training specific to common threats; c. background checks for all personnel with access to sensitive or critical systems; d. formalised onboarding and offboarding procedures for all staff, including contractors; and e. minimum security requirements for personal devices used for work purposes.
4. Infrastructure management standard: To ensure visibility across dispersed infrastructure, reducing security gaps at environment boundaries and enabling effective security monitoring, VASPs are expected to maintain comprehensive infrastructure documentation and controls, including but not limited to—
a. comprehensive asset inventories across all environments; b. network diagrams and data flow mappings; c. centralised configuration management and formal change control processes; and d. regular infrastructure security assessments.
5. Third-party technology service provider standard: To ensure risks arising from the use of third-party technology services are incorporated as part of the VASP's framework, VASPs are expected to implement appropriate standards and controls for each third-party technology service provider, which are proportionate to the nature, scale, complexity and importance of the services provided, including but not limited to—
a. conducting comprehensive due diligence on all such service providers; b. having in place written contractual arrangements with all such service providers; and c. adopting multi-vendor strategies where possible and/or practicable.
B. Risk Category 2: Technical
1. Key generation standard: To reduce the risk of weak or predictable keys that could be exploited by attackers, VASPs are expected to generate cryptographic keys using industry-approved methods with sufficient entropy, including but not limited to—
a. hardware security modules (“HSMs”) for key generation, where possible; b. formal validation of key generation routines; c. best-in-class security processes for all cryptographic keys, including minimum standards for encryption; d. separation of duties during key generation; and e. comprehensive audit logging of all generation activities.
2. Wallet creation standard: To ensure that wallets are created in a controlled, secure environment with appropriate oversight, VASPs are expected to implement a secure wallet creation process that includes, but is not limited to—
a. formal wallet creation procedures with separation of duties; b. multiple levels of approval for new wallet creation; c. tamper-evident processes for all creation activities; d. comprehensive logging and monitoring of wallet creation; and e. physical security controls for creation environments.
3. Key storage security standard: To reduce the risk of key compromise, which is the most direct path to asset theft, VASPs are expected to store cryptographic keys using defence-in-depth approaches, including but not limited to—
a. HSMs for critical key storage; b. appropriate separation of key components for keys-at-rest including both physical decentralisation and encryption/cryptographic methods; c. restricted physical and logical access to key storage mechanisms; and d. regular testing of key backup and recovery procedures.
4. Smart contract security standard: To reduce the risk of vulnerabilities in smart contract code that could be exploited to manipulate transactions or extract funds, VASPs are expected to implement formal smart contract review and testing processes, including but not limited to—
a. static and dynamic code analysis; b. independent third-party audits before deployment and formal verification where applicable; c. comprehensive penetration testing; and d. regular re-assessment of deployed contracts.
5. Multi-signature security standard: To eliminate single points of failure in wallet security and ensure resilience against compromise of individual signers, VASPs are expected to implement robust multi-signature requirements, including—
a. minimum multi-signatures for high-value operations, where the minimum number of signers (M) is greater than the total number of signatories (N) divided by two (2) (i.e. M > N/2); b. geographic distribution of signing authorities; c. diverse authorisation mechanisms and separation of duties between signers; and d. regular testing of signature processes.
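The threshold rule in paragraph 5(a) above, M > N/2, applied as a policy check over a set of wallet configurations. This is an added example, not part of the Rulebook or any VASP's own tooling; the wallet labels and (M, N) values are constructed, and the assumption that a multi-signature scheme needs at least two signatories is the example's, not the Rulebook's.

```python
"""Policy check for the multi-signature threshold in Schedule 1, B.5(a):
the minimum number of signers M must exceed N/2 (M > N/2).
Added example; wallet data below is constructed, not real."""
from dataclasses import dataclass


@dataclass
class MultisigPolicy:
    wallet_id: str      # constructed label, not a real wallet reference
    m_required: int     # signers required to authorise (M)
    n_total: int        # total signatories (N)
    high_value: bool    # wallet used for high-value operations?


def majority_threshold_ok(m: int, n: int) -> bool:
    """True when M > N/2. Integer form (2*M > N) handles even and odd N
    exactly without floating point: 3-of-6 fails, 4-of-6 passes."""
    if n < 2 or m < 1 or m > n:
        # Assumption: a "multi-signature" scheme needs at least two
        # signatories and an achievable threshold; otherwise malformed.
        return False
    return 2 * m > n


def minimum_majority(n: int) -> int:
    """Smallest M satisfying M > N/2 for a given N, i.e. N//2 + 1."""
    return n // 2 + 1


def review_policies(policies):
    """Findings for high-value wallets whose threshold misses B.5(a)."""
    findings = []
    for p in policies:
        if not p.high_value:
            continue  # the minimum is scoped to high-value operations
        if not majority_threshold_ok(p.m_required, p.n_total):
            advice = (f"raise M to at least {minimum_majority(p.n_total)}"
                      if p.n_total >= 2 else "malformed multisig configuration")
            findings.append((p.wallet_id, p.m_required, p.n_total, advice))
    return findings


# Constructed sample configurations (not real wallets).
SAMPLE = [
    MultisigPolicy("treasury-cold", 3, 5, True),   # 3 > 2.5 -> compliant
    MultisigPolicy("ops-hot", 2, 4, True),         # 2 > 2 false -> finding
    MultisigPolicy("settlement", 4, 6, True),      # 4 > 3 -> compliant
    MultisigPolicy("payroll", 1, 3, True),         # 1 > 1.5 false -> finding
    MultisigPolicy("petty-cash", 1, 2, False),     # low value: out of scope
]

if __name__ == "__main__":
    for finding in review_policies(SAMPLE):
        print(finding)
```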
6. Transaction verification standard: To reduce the risk of authorising fraudulent transactions, VASPs are expected to implement comprehensive transaction verification processes, including but not limited to—
a. mandatory multi-level verification; b. automated detection of anomalous transactions in real-time triggering immediate notifications; c. clear procedures for signers to verify and validate transactions; d. formal process for addressing verification anomalies; and e. immediate halting of the signing process when errors are reported.
7. Key compromise response standard: To ensure organisations can respond effectively to suspected or confirmed key compromises and to limit potential damage, VASPs are expected to develop and maintain a formal key compromise response plan that includes, but is not limited to—
a. clear triggers for activation, with pre-authorised emergency response procedures and formal communication protocols; b. rapid key rotation capabilities; and c. regular testing and simulation.
8. Key holder management standard: To reduce the risk of unauthorised access to cryptographic keys through proper lifecycle management of key holders, VASPs are expected to implement comprehensive key holder management processes, including but not limited to—
a. just-in-time access provisioning; b. regular access reviews and immediate revocation processes; c. segregation of duties; and d. secure backup key holder procedures.
9. Authentication control standard: To reduce the risk of unauthorised access through comprehensive authentication requirements, VASPs are expected to implement strong authentication controls, including but not limited to—
a. multi-factor authentication for all access to systems with cryptographic keys; b. hardware-based authentication for critical operations, with biometric verification where appropriate; c. time-based restrictions on authentication attempts; and d. continuous validation of session authenticity.
10. Developer workstations standard: To address a common initial access vector for attackers by securing the development environment, VASPs are expected to implement strict controls for developer workstations, including but not limited to—
a. endpoint protection and monitoring; b. network segmentation; c. prohibition of direct production access; d. secure secret management solutions; and e. regular security assessments.
11. Security testing standard: To ensure ongoing identification and remediation of vulnerabilities before they can be exploited, VASPs are expected to conduct appropriate security tests regularly, and in all events prior to any update to a production system. Such security tests should include, but not be limited to—
a. annual penetration testing by qualified third parties; b. quarterly vulnerability assessments; c. continuous automated security scanning; d. regular best practice security exercises for high-value systems; and e. formal remediation tracking for identified vulnerabilities.
12. Unauthorised recovery standard: To reduce the risk of unauthorised recovery of cryptographic keys from disposed media, VASPs are expected to implement comprehensive data sanitisation policies and procedures that ensure—
a. secure disposal of all media containing sensitive information; b. cryptographic erasure or physical destruction of media containing cryptographic keys; c. formal chain of custody documentation for media disposal; d. regular assessment of sanitisation effectiveness; and e. secure decommissioning procedures for all systems.
13. Audit logging standard: To enhance visibility into system activities and support effective investigation of security incidents, VASPs are expected to implement comprehensive monitoring and logging systems that—
a. capture all security-relevant events and store logs securely with tamper-evidence, maintaining logs for a minimum of one year; b. include all wallet and key operations; and c. implement real-time alerting for security events.
C. Risk Category 3: Detection and Response
1. Transaction monitoring standard: To enable early detection of fraudulent activities, VASPs are expected to implement comprehensive transaction monitoring, including but not limited to—
a. behavioural analysis to detect anomalous patterns, and rule-based monitoring for known suspicious activities; b. machine learning capabilities for advanced threat detection; c. real-time alerting for Suspicious Transactions; and d. regular review and refinement of detection methodologies.
2. Internal user activity monitoring standard: To enhance the ability to identify compromised accounts or insider threats early, VASPs are expected to implement monitoring of internal user activities, including but not limited to—
a. authentication attempts and failures and pattern analysis to detect insider threats; b. access to sensitive or critical systems and administrative activities; and c. segregation of monitoring from operational teams.
3. Enhanced monitoring standard: To provide visibility into activities on critical systems, enabling early detection of any compromises, VASPs are expected to implement enhanced monitoring of developer and signing systems, including but not limited to—
a. process creation and termination monitoring; b. network connection analysis and file system change detection; c. software installation and execution control; and d. user behaviour analytics.
4. Tactical hardening standard: To enable organisations to limit attacker access once a compromise is detected, VASPs are expected to maintain capability to rapidly implement tactical hardening measures, including but not limited to—
a. emergency access revocation, including individual end-points; b. network segmentation capabilities and system isolation procedures; c. pre-approved emergency change procedures; and d. regular testing of hardening capabilities.
5. Investigation capability standard: To enhance the ability to identify attack vectors and compromised assets during incidents, VASPs are expected to maintain comprehensive investigation capabilities, including but not limited to—
a. dedicated forensic resources (internal or contracted) deployable and responsive in real-time and/or on immediate notice; b. secure evidence collection and handling procedures; c. chain of custody documentation; d. root cause analysis methodologies; and e. regular training and capability testing.
6. On-chain analysis standard: To improve the ability to trace stolen funds and identify potential recovery opportunities, VASPs are expected to develop and maintain on-chain analysis capabilities, including but not limited to—
a. transaction tracing tools and wallet attribution capabilities; b. collaboration with other VASPs for fund tracing; and c. regular training and capability development.
7. Remediation standard: To reduce the risk of re-exploitation, VASPs are expected to implement comprehensive remediation procedures, including but not limited to—
a. complete rotation of all secret components (including but not limited to passwords, keys and key shards) after incidents; b. system rebuilding from secure baselines and enhanced monitoring post-incident; c. formal verification of attacker removal; and d. post-incident review and lessons learned.
D. Risk Category 4: Customer VAs
1. Customer authentication standard: To reduce the risk of any customer account compromises, VASPs are expected to implement robust customer authentication, including but not limited to—
a. strong multi-factor authentication; b. prohibition of instant messaging verification for high-risk operations; c. risk-based authentication challenges and biometric authentication where appropriate; and d. suspicious login detection and alerting.
2. Withdrawal control standard: To limit potential losses from compromised accounts through structured withdrawal controls, VASPs are expected to implement comprehensive withdrawal controls, including—
a. tiered withdrawal limits; b. cooling periods for large transactions; c. verification for high-value withdrawals outside of prescribed limits and/or ‘bands’; d. verification for critical transactions; e. behavioural analysis to detect anomalous withdrawal patterns; and f. graduated approval requirements based on transaction value.
3. User education standard: To reduce customer vulnerability to social engineering and other attacks through improved awareness, VASPs are expected to implement comprehensive user education programmes, including but not limited to—
a. security best practices; b. common attack vector awareness and secure account management guidance; and c. regular security notifications.
4. VA Wallet concentration risk standard: To reduce the risk of concentration of Client VAs in a single or small number of VA Wallets, VASPs are expected to implement controls for the safe diversification of Client VAs across VA Wallets, including but not limited to—
a. cold storage VA Wallets; b. VARA Licensed VASPs providing Custody Services; and c. physical distribution of servers storing information through which VA Wallets can be accessed and/or controlled.
E. Risk Category 5: Digital Operational Resilience
1. Digital operational resilience test standard: To achieve a high level of digital operational resilience, VASPs are expected to carry out digital operational resilience testing including, but not limited to—
a. establishing and maintaining a sound and comprehensive digital operational resilience testing programme, including a range of assessments, tests, methodologies, practices and tools as set out below in paragraph 2; b. identifying weaknesses, deficiencies and gaps in digital operational resilience and promptly implementing corrective measures; c. when conducting the digital operational resilience testing programme, VASPs should follow a risk-based approach taking into account any specific risks to which the VASP is or might be exposed, the criticality of assets and of services provided by or to the VASP, as well as any other material risk factor; d. ensuring that tests are undertaken by independent external parties; e. classifying and remedying all issues revealed throughout the performance of the tests and establishing internal validation processes to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed; and f. ensuring that appropriate tests are conducted at least yearly on all systems and applications supporting Critical or Important Functions.
2. The digital operational resilience testing programme referred to in paragraph 1 should provide for testing of tools and systems through the execution of appropriate tests, including but not limited to—
a. vulnerability assessments and scans; b. open source analyses; c. network security assessments; d. gap analyses; e. physical security reviews; f. questionnaires and scanning software solutions; g. source code reviews; h. scenario-based tests; i. compatibility testing; j. performance testing; k. end-to-end testing; and l. penetration testing.