1. Comprehensive security framework standard: VASPs are expected to utilise a balanced approach to ensure that security resources are allocated appropriately across their entire organisation, preventing security gaps and minimising single points of failure that attackers can exploit. VASPs are expected to implement a documented security framework that addresses both wallet infrastructure and enterprise security. The framework is expected to include, but not be limited to:
   a. regular security assessments of all system components;
   b. a formal risk assessment methodology, including risks inherent in both centralised and decentralised structures;
   c. a governance structure with clear security accountability; and
   d. adoption of best-in-class standards.

2. Secure development lifecycle standard: To ensure that security is integrated throughout the development process, reducing the accumulation of security debt even in rapid development environments, VASPs are expected to establish and adhere to a formal secure development lifecycle methodology that incorporates security at every stage, from requirements gathering to deployment and maintenance. This methodology is expected to include, but not be limited to:
   a. defining security requirements and mandatory security review gates before deployment;
   b. threat modelling for new features and secure coding standards; and
   c. post-implementation validation of the efficacy of the measures deployed.

3. Workforce security management standard: To address the unique challenges of the distributed workforce model common in the VA space, and to reduce the risk of compromised developer workstations leading to system intrusions, VASPs are expected to implement comprehensive workforce security controls, including but not limited to:
   a. mandatory endpoint protection for all devices with access to any systems, including but not limited to production systems;
   b. regular security awareness training specific to common threats;
   c. background checks for all personnel with access to sensitive or critical systems;
   d. formalised onboarding and offboarding procedures for all staff, including contractors; and
   e. minimum security requirements for personal devices used for work purposes.

4. Infrastructure management standard: To ensure visibility across dispersed infrastructure, reducing security gaps at environment boundaries and enabling effective security monitoring, VASPs are expected to maintain comprehensive infrastructure documentation and controls, including but not limited to:
   a. comprehensive asset inventories across all environments;
   b. network diagrams and data flow mappings;
   c. centralised configuration management and formal change control processes; and
   d. regular infrastructure security assessments.

5. Third-party technology service provider standard: To ensure that risks arising from the use of third-party technology services are incorporated as part of the VASP's framework, VASPs are expected to implement appropriate standards and controls for each third-party technology service provider, proportionate to the nature, scale, complexity and importance of the services provided, including but not limited to:
   a. conducting comprehensive due diligence on all such service providers;
   b. having in place written contractual arrangements with all such service providers; and
   c. adopting multi-vendor strategies where possible and/or practicable.
