Office of the Superintendent of Financial Institutions
This Guideline establishes OSFI’s expectations related to technology and cyber risk management and applies to all federally regulated financial institutions (FRFIs). These expectations aim to support FRFIs in developing greater resilience to technology and cyber risks.
FRFIs should implement the expectations in this Guideline commensurate with their size; the nature, scope and complexity of their operations; and their risk profile. OSFI’s expectations are technology-neutral, anticipating the need for FRFIs to compete effectively and take full advantage of digital innovation while maintaining a sound technology posture.
“Technology risk” refers to the risk arising from the inadequacy, disruption, failure, loss or malicious use of information technology systems, infrastructure, people or processes that enable and support business needs and can result in financial loss.
“Cyber risk” or “cyber security risk” is the risk of financial loss, operational disruption or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification or destruction of an institution’s information technology systems and/or the data contained therein.
A “technology asset” is something tangible (e.g., hardware, infrastructure) or intangible (e.g., software, data, information) that needs protection and supports the provision of technology services.
For the purpose of this Guideline, “technology” refers to “information technology” (IT). The term “cyber” also refers to “information security.” FRFIs may maintain their own definitions or employ definitions published by recognized standard-setting bodies.
A.2.1 This Guideline is organized into five domains. Each sets out key components of sound technology and cyber risk management.
Figure: Domains for the sound management of technology and cyber risk (outcome: greater resilience to technology and cyber risks).
A.3.1 The five domains in this Guideline each express a desired outcome for FRFIs to achieve through managing risk. In turn, these outcomes contribute to developing FRFIs’ resilience to technology and cyber risks.
A.4.1 Technology and cyber security best practices are dynamic. Technology and cyber risks also intersect with other risk areas. As such, FRFIs are advised to read this Guideline in conjunction with other OSFI guidance, tools and supervisory communications, as well as guidance issued by other authorities applicable to the FRFI’s operating environment; in particular:
Outcome: Technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks.
Principle 1: Senior Management should assign responsibility for managing technology and cyber risks to senior officers. It should also ensure an appropriate organizational structure and adequate resourcing are in place for managing technology and cyber risks across the FRFI.
Senior Management accountability is established. Senior Management is accountable for directing the FRFI’s technology and cyber security operations and should assign clear responsibility for technology and cyber risk governance to senior officers. Such roles may comprise: Head of Information Technology; Chief Technology Officer (CTO); Chief Information Officer (CIO); Head of Cyber Security or Chief Information Security Officer (CISO). These roles should have appropriate stature and visibility throughout the institution.
Appropriate structure, resources and training are provided. OSFI expects the FRFI to:
Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of FRFI Boards of Directors in regard to business strategy, risk appetite and operational, business, risk and crisis management policies.
Principle 2: The FRFI should define, document, approve and implement a strategic technology and cyber plan(s). The plan(s) should align to the FRFI’s business strategy and set goals and objectives that are measurable and evolve with changes in the FRFI’s technology and cyber environment.
Strategy is proactive, comprehensive and measurable. The FRFI’s strategic technology and cyber plan(s) should, at a minimum:
Principle 3: The FRFI should establish a technology and cyber risk management framework (RMF). The framework should set out a risk appetite for technology and cyber risks, and define what processes and requirements the FRFI utilizes to identify, assess, manage, monitor and report on technology and cyber risks.
RMF is well-aligned and continuously improved. The FRFI should establish a framework for managing technology and cyber risks, aligned with its enterprise risk management framework. OSFI expects the FRFI to regularly review and refresh its technology and cyber RMF to make continuous improvements based on implementation, monitoring and other lessons learned (e.g., past incidents).
RMF captures key elements. At a minimum, the technology and cyber RMF should establish and govern the following elements of risk management:
Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations in relation to FRFI Oversight Functions, which include Risk Management, Compliance, and Internal Audit.
Outcome: A technology environment that is stable, scalable and resilient. The environment is kept current and supported by robust and sustainable technology operating processes.
Principle 4: The FRFI should implement a technology architecture framework, with supporting processes to ensure solutions are built in line with business, technology and security requirements.
Architecture framework ensures technology supports business needs. The FRFI should establish a framework of principles necessary to govern, manage, evolve and consistently implement IT architecture across the institution in support of the enterprise’s strategic technology, security and business goals and requirements.
Architecture is comprehensive. The scope of architecture principles should be comprehensive, considering such assets as: infrastructure; applications; emerging or less proven technologies; and relevant data. Systems and associated infrastructure should be designed and implemented to achieve availability, scalability, security (Secure-by-Design) and resilience (Resilience-by-Design). Resilience-by-Design requires consideration of the end-to-end flow of the business services or functions that they support, and associated internal and external dependencies. Architecture principles and controls should be embedded in the design phase of the System Development Life Cycle, prior to implementation.
Principle 5: The FRFI should maintain an updated inventory of all technology assets supporting business processes or functions. The FRFI’s asset management process should address classification of assets to facilitate risk identification and assessment, record configurations to ensure asset integrity, provide for the safe disposal of assets at the end of their life cycle, and monitor and manage technology currency.
Technology assets are managed according to established requirements based on their criticality. The FRFI should establish standards and procedures to manage technology assets according to their criticality and classification.
Asset inventory identifies and classifies technology assets. The FRFI should maintain a current and comprehensive asset management system, or inventory, that catalogues technology assets throughout their life cycle. The FRFI should implement processes to categorize technology assets based on criticality to the business and assign a security classification based on their sensitivity. This categorization should also identify critical technology assets that are considered of high value to the FRFI, could attract threat actors and cyber attacks, and therefore require enhanced cyber protections. The asset inventory should be sufficiently detailed to enable the prompt identification of an asset, its location, classification and ownership. Interdependencies between assets should be documented to enable proper change and configuration management processes and to assist in response to security and operational incidents, including cyber attacks.
Inventory captures all technology assets that support the business. A comprehensive inventory, and related processes, should capture both corporate assets and non-corporate assets that interface with the FRFI’s technology infrastructure in supporting business services or functions. Such categories include:
Inventory records and manages technology asset configurations. The technology inventory should also include a system for recording and managing asset configurations to enhance visibility and mitigate the risk of technology outages and unauthorized activity. The system should record asset configuration attributes, including baseline configurations, and any subsequent, authorized changes. Processes should be in place to identify, assess and remediate discrepancies from the approved baseline configuration and report on breaches.
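The baseline-and-authorized-change record described above, and the same check applied to the security configuration baselines expected under Principle 13, can be illustrated with a small drift check. The following is an added example written for this page; it is not OSFI's or any FRFI's code. The field names, the criticality scheme and every inventory entry and observed setting are constructed for the illustration.

```python
"""Configuration baseline drift check.

Added example, not OSFI's or any FRFI's code. It models an inventory entry
that records an asset's approved baseline configuration plus subsequently
authorized changes, then compares an observed configuration against the
approved state and reports deviations ordered by asset criticality.
Field names, criticality levels and all sample data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    asset_id: str
    owner: str
    criticality: str                     # assumed scheme: "high" / "medium" / "low"
    classification: str                  # assumed scheme, e.g. "confidential"
    baseline: dict                       # approved baseline configuration
    authorized_changes: list = field(default_factory=list)  # [(change_id, {key: value}), ...]


def approved_config(asset):
    """Baseline with every authorized change applied in the order it was recorded."""
    cfg = dict(asset.baseline)
    for _change_id, delta in asset.authorized_changes:
        cfg.update(delta)
    return cfg


def detect_drift(asset, observed):
    """Return (key, expected, actual) for every setting that departs from the approved state.

    A setting missing from the observed configuration is reported with actual=None;
    a setting present on the asset but absent from the approved state with expected=None.
    """
    expected = approved_config(asset)
    drift = []
    for key in sorted(set(expected) | set(observed)):
        exp, act = expected.get(key), observed.get(key)
        if exp != act:
            drift.append((key, exp, act))
    return drift


def drift_report(assets, observations):
    """One entry per asset with deviations, highest-criticality assets first."""
    order = {"high": 0, "medium": 1, "low": 2}
    report = []
    for asset in assets:
        drift = detect_drift(asset, observations.get(asset.asset_id, {}))
        if drift:
            report.append({"asset_id": asset.asset_id, "owner": asset.owner,
                           "criticality": asset.criticality, "deviations": drift})
    report.sort(key=lambda r: order.get(r["criticality"], len(order)))
    return report


# Constructed sample inventory: one authorized change raised web-01's TLS floor.
INVENTORY = [
    Asset("web-01", "payments-team", "high", "confidential",
          baseline={"tls_min_version": "1.2", "ssh_password_auth": "no", "ntp": "enabled"},
          authorized_changes=[("CHG-1001", {"tls_min_version": "1.3"})]),
    Asset("jump-02", "infra-team", "medium", "internal",
          baseline={"ssh_password_auth": "no", "mfa": "required"}),
]

# Constructed observations: web-01 has re-enabled password SSH and gained telnet
# without a change record; jump-02 matches its approved state.
OBSERVED = {
    "web-01": {"tls_min_version": "1.3", "ssh_password_auth": "yes",
               "ntp": "enabled", "telnet": "enabled"},
    "jump-02": {"ssh_password_auth": "no", "mfa": "required"},
}

if __name__ == "__main__":
    for entry in drift_report(INVENTORY, OBSERVED):
        print(entry["asset_id"], entry["criticality"], entry["deviations"])
```

The point of applying the authorized changes before comparing is that an approved change (the TLS floor raised under CHG-1001) is not reported as a breach, while a setting with no change record (password SSH re-enabled, telnet appearing) is. Sorting by criticality gives the remediation queue the order the paragraph asks for.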
Safe disposal of technology assets is provided for. The FRFI should define standards and implement processes to ensure the secure disposal or destruction of assets at the end of their life cycle.
Technology currency is continuously assessed and managed. The FRFI should continuously monitor the currency of software and hardware assets used in the technology environment in support of business processes. It should proactively implement plans to mitigate and manage risks stemming from unpatched, outdated or unsupported assets, and replace or upgrade assets before maintenance ceases.
Principle 6: Effective processes are in place to govern and manage technology projects, from initiation to closure, to ensure that project outcomes are aligned with business objectives and are achieved within the FRFI’s risk appetite.
Technology projects are governed by an enterprise-wide framework. Technology projects are often distinguished by their scale and required investment, and their importance in fulfilling the FRFI’s broader strategy. As a result, they should be governed by an enterprise-wide project management framework that provides for consistent approaches and achievement of project outcomes in support of the FRFI’s technology strategy. Project performance and associated risks should be measured, monitored and periodically reported on an individual and portfolio basis. Project risk appetite and measures are informed by the FRFI’s technology and cyber RMF.
Principle 7: The FRFI should implement a System Development Life Cycle (SDLC) framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.
SDLC framework guides system and software development. The SDLC framework should outline control activities and processes in each phase of the life cycle to achieve security, functionality and ensure that systems and software perform as expected in order to support business objectives. The SDLC phases generally comprise:
Security requirements are embedded throughout the SDLC. In addition to the general technology processes and controls, the FRFI should establish control gates to ensure that security requirements and expectations are embedded in each phase of the SDLC. Sound security requirements and controls include, but are not limited to:
Integration of development, security and technology operations. By integrating application security controls and requirements into software development and technology operations, new software and services can be delivered rapidly without compromising application security. When these practices (Footnote 1) are employed, the FRFI should ensure they are aligned with the SDLC framework and applicable technology and cyber policies and standards.
Acquired systems and software are assessed for risk. For software and systems that are acquired, the FRFI should ensure that security risk assessments are conducted and that systems implementation is subject to the same control requirements as required by the FRFI’s SDLC framework to obtain assurance on quality, performance and security controls.
Coding standards provide for secure and stable code. The FRFI should define and implement coding standards, which at a minimum should cover controls and practices surrounding:
Principle 8: The FRFI should establish and implement a technology change and release management process and supporting documentation to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that ensures minimal disruption to the production environment.
Changes to technology assets are conducted in a controlled manner. The FRFI should ensure that changes to technology assets in the production environment are documented, assessed, tested, approved, implemented and verified in a controlled manner. The change and release management standard should outline the key controls required for all phases of the change management process. The standard should also define emergency change and control requirements to ensure that such changes are implemented in a controlled manner with adequate safeguards.
Segregation of duties controls against unauthorized changes. Segregation of duties is a key control used in protecting assets from unauthorized changes and should be exercised in the change management process to ensure that the same person cannot develop, execute and move code or releases between production and non-production technology environments.
Changes to technology assets are traceable. Controls should be implemented to ensure traceability and integrity of the change record as well as the asset being changed (e.g., code, releases) in each phase of the change management process.
Principle 9: The FRFI should implement patch management processes to ensure controlled and timely application of patches across its technology environment to address vulnerabilities and flaws.
Patches are applied in a timely and controlled manner. The patch management process should define clear roles and responsibilities for all stakeholders involved. Patching should follow existing FRFI change management processes, including emergency change processes. All patches should be tested before deployment to the production environment.
Principle 10: The FRFI should effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.
Incidents are managed to minimize impact on affected systems. The FRFI should define standards and implement processes for incident and problem management. Standards should have the overall objective of timely identification and escalation of incidents, restoration and/or recovery of an affected system, and investigation and resolution of incident root causes, and provide an appropriate governance structure. The FRFI’s incident management standards should complement its Enterprise Disaster Recovery Framework and contribute to its technology resilience (see Domain 5).
Incident management process is clear, responsive and risk-based. OSFI expects the FRFI to implement processes and procedures for managing technology incidents; elements may include:
Problems are investigated, resolved and learned from. The FRFI should develop problem management processes that provide for the detection, categorization, investigation and resolution of suspected cause(s) of incidents. Processes should include post-incident reviews, root cause and impact diagnostics, and support identification of trends or patterns in incidents. Problem management activities and findings should inform related control processes, including change and release management, and be used to continuously improve incident management processes and procedures.
Principle 11: The FRFI should develop service and capacity standards, and processes to monitor operational management of technology, ensuring business needs are met.
Technology service performance is measured, monitored and regularly reviewed for improvement. The FRFI should establish technology service management standards with defined performance indicators and service targets that can be used to measure and monitor the delivery of technology services. Processes should also provide for prompt remediation where targets are not being met. Services governed by these standards may include:
Technology infrastructure performance and capacity are sufficient. The FRFI should define performance and capacity requirements with thresholds on infrastructure utilization. These requirements should be continuously monitored against defined thresholds to ensure technology performance and capacity support current and future business needs.
Outcome: A secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets.
Confidentiality, integrity and availability of technology assets are maintained. The FRFI should proactively identify, defend against, detect, respond to and recover from external and insider cyber security threats, events and incidents to maintain the confidentiality, integrity and availability of its technology assets.
Principle 12: The FRFI should maintain a range of practices, capabilities, processes and tools to identify and assess cyber security for weaknesses that could be exploited by external and insider threat actors.
Security risks are identified. The FRFI should identify current or emerging cyber threats proactively using threat assessments to evaluate threats and assess security risk. This should include cyber security risk in new business initiatives, technology projects and change management processes. The FRFI should assess and understand both the inherent and residual security risks, after compensating controls are applied, to its critical technology assets. This includes implementing information and cyber security threat assessments, processes and tools to cover controls at different layers of defence.
Intelligence-led threat assessment and testing is conducted. The FRFI should adopt a risk-based approach to threat assessment and testing. The FRFI should set defined triggers, and minimum frequencies, for intelligence-led threat assessments to test cyber security processes and controls. In addition, the FRFI should use a cyber threat intelligence-led approach and regularly perform tests and exercises to identify vulnerabilities or control gaps in its cyber security programs (e.g., penetration testing and red teaming). The FRFI should also clearly define the scope and potential impacts of such testing and apply effective risk mitigation controls throughout the assessment to manage any associated potential inherent risks.
Vulnerabilities are identified, assessed and ranked. The FRFI should establish processes to conduct regular vulnerability assessments of its technology assets, including but not limited to network devices, systems and applications. Processes should articulate the frequency with which vulnerability scans and assessments are conducted. The FRFI should assess and rank relevant cyber vulnerabilities and threats according to the severity of the threat and risk exposure to technology assets using a standard risk measurement methodology. In doing so, the FRFI should consider the potential cumulative impact of vulnerabilities, irrespective of risk level, that could present a high-risk exposure when combined.
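The ranking and the cumulative-impact consideration in the paragraph above can be made concrete. The following is an added example written for this page, not OSFI's or any FRFI's code. Findings carry a CVSS-style base score and the qualitative bands follow the CVSS v3 rating scale; the criticality and exposure weights, and the way several findings on one asset are combined into one figure, are assumptions chosen for illustration. Asset names and finding identifiers are constructed placeholders, not real CVEs.

```python
"""Vulnerability ranking with a cumulative-impact check.

Added example, not OSFI's or any FRFI's code. Findings carry a CVSS-style base
score (0-10); the qualitative bands follow the CVSS v3 rating scale. The
criticality and exposure weights, and the way several findings on one asset
are combined, are assumptions made for illustration. All data is constructed.
"""
from collections import defaultdict

SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}   # assumed
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6}             # assumed


def band(score):
    """Map a 0-10 score to a qualitative severity band."""
    for threshold, name in SEVERITY_BANDS:
        if score >= threshold:
            return name
    return "none"


def risk_score(finding, asset):
    """Severity of one finding adjusted for the asset it sits on."""
    return round(finding["cvss"] * CRITICALITY_WEIGHT[asset["criticality"]]
                 * EXPOSURE_WEIGHT[asset["exposure"]], 1)


def cumulative_score(scores):
    """Combine several findings on one asset into a single 0-10 figure.

    Each score/10 is treated as an independent chance that the finding can be
    used against the asset, so the combined value rises with every additional
    finding but never exceeds 10. Assumed method, chosen so that several
    medium findings add up rather than being judged only by the worst one.
    """
    p_none = 1.0
    for s in scores:
        p_none *= 1 - s / 10.0
    return round((1 - p_none) * 10, 1)


def rank_findings(findings, assets):
    """Findings ordered by adjusted risk, highest first."""
    ranked = [dict(f, risk=risk_score(f, assets[f["asset_id"]])) for f in findings]
    ranked.sort(key=lambda f: f["risk"], reverse=True)
    return ranked


def cumulative_exposure(findings, assets, flag_band=("high", "critical")):
    """Assets whose combined findings reach a high band although no single finding does."""
    per_asset = defaultdict(list)
    for f in findings:
        per_asset[f["asset_id"]].append(f["cvss"])
    flagged = []
    for asset_id, scores in per_asset.items():
        combined = cumulative_score(scores)
        if band(combined) in flag_band and band(max(scores)) not in flag_band:
            flagged.append({"asset_id": asset_id, "criticality": assets[asset_id]["criticality"],
                            "max_individual": max(scores), "cumulative": combined,
                            "finding_count": len(scores)})
    return flagged


# Constructed sample data; identifiers are placeholders, not real CVEs.
ASSETS = {
    "web-01": {"criticality": "high", "exposure": "internet"},
    "db-01": {"criticality": "high", "exposure": "internal"},
    "kiosk-03": {"criticality": "low", "exposure": "internal"},
}
FINDINGS = [
    {"id": "VULN-001", "asset_id": "web-01", "cvss": 9.8},
    {"id": "VULN-002", "asset_id": "db-01", "cvss": 5.5},
    {"id": "VULN-003", "asset_id": "db-01", "cvss": 6.1},
    {"id": "VULN-004", "asset_id": "db-01", "cvss": 5.0},
    {"id": "VULN-005", "asset_id": "kiosk-03", "cvss": 7.5},
]

if __name__ == "__main__":
    for f in rank_findings(FINDINGS, ASSETS):
        print(f["id"], f["asset_id"], band(f["cvss"]), "adjusted risk", f["risk"])
    for a in cumulative_exposure(FINDINGS, ASSETS):
        print("cumulative exposure:", a)
```

In the sample data, db-01 carries only medium findings, so a ranking that looks at each finding in isolation never raises it above the medium band; the cumulative check reports it as a high exposure, which is the situation the paragraph warns about.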
Data are identified, classified and protected. The FRFI should ensure that adequate controls are in place to identify, classify and protect structured and unstructured data, authorized and unauthorized data sources and environments, based on their confidentiality classification. The FRFI should implement processes to perform periodic discovery scans to identify changes and deviations from established standards and controls to protect data from unauthorized access.
Continuous situational awareness and information sharing are maintained. The FRFI should maintain continuous situational awareness of the external cyber threat landscape and its threat environment as it applies to its technology assets. This could include participating in industry threat intelligence and information sharing forums and subscribing to timely and reputable threat information sources which furnish information on areas such as: emerging threats, attack techniques, vulnerabilities and indicators of compromise. Cyber threat intelligence sharing should include relevant domestic and international authorities. The FRFI should ensure timely exchange of threat intelligence to facilitate prevention of cyber attacks, thereby contributing to its own cyber resilience and that of the broader financial sector.
Threat modelling and hunting are conducted. The FRFI should maintain cyber threat models to identify cyber security threats directly facing its technology assets and services. Threats should be assessed regularly to enhance the cyber security program, capabilities and controls required to mitigate current and emerging threats. The FRFI should use manual techniques to proactively identify and isolate threats which may not be detected by automated tools (e.g., threat hunting).
3.1.7 Cyber awareness is promoted and tested. The FRFI should enable and encourage its employees, customers and third parties to report suspicious cyber activity, recognizing the role that each can play in preventing cyber attacks. The FRFI should create awareness of cyber attack vectors and techniques directly targeting employees, customers and relevant third parties. In addition, the FRFI should regularly test its employees to assess their awareness of cyber threats and the effectiveness of their reporting processes and tools.
Cyber risk profile is monitored and reported on. The FRFI should maintain a current and comprehensive cyber security risk profile to facilitate oversight and timely decision-making. The profile should draw on existing internal and external risk identification and assessment sources, processes, tools and capabilities. The FRFI should also ensure that processes and tools exist to measure, monitor and aggregate residual risks. Additionally, the FRFI should report on the cyber security risk profile using relevant dimensions (e.g., business unit, function and geographic region).
Principle 13: The FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets.
Secure-by-Design practices are adopted. The FRFI should adopt Secure-by-Design practices in all aspects of technology and data management, innovation and operations to safeguard its technology assets. Security defence controls should aim to be preventive and the FRFI should regularly review security use cases with a view to greater reliance on preventive versus detective controls. The FRFI should also define and implement a risk-based and timely process to ensure detection controls are changed into prevention controls. The FRFI should apply security defence controls to all technology assets. Standard security controls should be applied end-to-end, starting at the design stage, to applications, micro-services, and application programming interfaces (APIs) developed by the FRFI.
Strong and secure cryptographic technologies are employed. The FRFI should implement and maintain strong cryptographic technologies to protect the authenticity, confidentiality and integrity of its technology assets. This includes controls for the protection of encryption keys from unauthorized access, usage and disclosure throughout the cryptographic key management life cycle. The FRFI should regularly assess its cryptography standard and technologies to ensure they remain effective against current and emerging threats.
Enhanced controls and functionality are applied to protect critical technology assets. The FRFI should employ enhanced controls and functionality to rapidly contain cyber security threats and to defend its critical technology assets and remain resilient against cyber attacks. The FRFI should also identify cyber security controls required to secure its critical technology assets that were identified per paragraph 2.2.2 of this Guideline. Application controls should be designed to contain and limit the impact of a cyber attack. Enhanced security standards, configuration baselines and security hardening requirements should be implemented, monitored and reviewed to ensure ongoing confidentiality, integrity and availability of critical technology assets throughout their life cycle.
Cyber security controls are layered. The FRFI should implement and maintain multiple layers of cyber security controls and defend against cyber security threats at every stage of the attack life cycle (e.g., from reconnaissance and initial access to executing on objectives). The FRFI should also ensure resilience against current and emerging cyber threats by maintaining defence controls and tools, and ensuring continuous operational effectiveness of controls by minimizing false positives.
Data protection and loss prevention security controls are implemented. Starting with clear information classification of its data, the FRFI should design and implement controls for the protection of its data throughout its life cycle. Specifically, the FRFI should:
Security vulnerabilities are remediated. To ensure security vulnerabilities are well managed, the FRFI should:
Identity and Access Management controls are implemented. The FRFI should implement risk-based identity and access controls, including Multi-Factor Authentication (MFA) (Footnote 2) and privileged access management. At a minimum, consideration should be given to:
Security configuration baselines are enforced; deviations are remediated. The FRFI should implement approved, risk-based security configuration baselines for technology assets and security defence tools, including those provided by third parties. Where possible, security configuration baselines for different defence layers should disable settings and access by default. Additionally, the FRFI should:
Application scanning and testing capabilities are employed. Static and/or dynamic scanning and testing capabilities should be used to ensure new, and/or changes to existing, systems and applications are assessed for vulnerabilities prior to release into the production environment. Security controls should also be implemented to maintain security when development and operations practices are combined through a continuous and automated development pipeline (see paragraph 2.4.3).
Additional security controls are applied for external-facing services. For external-facing application services and network infrastructure, the FRFI should implement additional layers of security controls to protect these services from cyber attacks such as volumetric, low/slow network and application business logic attacks. For cyber security services delivering and protecting critical online services, the FRFI should regularly test controls, runbooks and playbooks.
Cyber security defence controls are maintained for hosts, endpoints and mobile devices. The FRFI should maintain multiple layers of cyber security defence controls for hosts, endpoints and mobile devices. In particular, the FRFI should:
Networks are protected. The FRFI should protect all of its networks, including external-facing services, from threats by minimizing its attack surface. The FRFI should define authorized logical network zones and apply controls to segregate and limit, or block access and traffic to and from network zones. OSFI expects the FRFI to maintain intrusion prevention, monitoring and alerting tools on its network perimeter.
Physical access controls and processes are applied. The FRFI should define and implement physical access management controls and processes to protect network infrastructure and other technology assets from unauthorized access and environmental hazards. Physical areas may include office premises, data centres, network equipment rooms, data backup/storage sites, servers and workstations. Some sound practices include:
Principle 14: The FRFI designs, implements and maintains continuous security detection capabilities to enable monitoring and alerting, and to support forensic cyber security incident investigations.
Continuous, centralized security logging to support investigations. The FRFI should ensure continuous security logging for all technology assets and different layers of defence tools. Central tools for aggregating, correlating and managing security event logs by risk should enable timely log access during a cyber event investigation. For any significant cyber threat or incident, the FRFI’s forensic investigation should not be limited or delayed by disaggregated, inaccessible or missing critical security event logs. For technology assets and services, the FRFI should implement minimum security log retention periods and maintain cyber security event logs to facilitate a thorough and unimpeded forensic investigation of cyber security events.
Malicious and unauthorized activity is detected. The FRFI should maintain security information and event management capabilities to ensure continuous detection and alerting of malicious and unauthorized user and system activity. Advanced behaviour-based detection and prevention should be used to detect user and entity behaviour anomalies, and emerging external and internal threats that may be difficult to detect using predefined security rules or policies. The latest threat intelligence and indicators of compromise should be used to continuously enhance FRFI monitoring tools. For high-risk use cases, the FRFI should inspect encrypted data in motion to enhance its continuous monitoring and detection capabilities.
Cyber security alerts are triaged. The FRFI should define roles and responsibilities to allow for the triage of high-risk cyber security alerts to rapidly contain and mitigate significant cyber threat events before they result in a material security incident or an operational disruption.
Principle 15: The FRFI should triage, respond to, contain, recover and learn from cyber security incidents impacting its technology assets, including incidents originating at third-party providers.
3.4.1 Incident response capabilities are integrated and aligned. The Technology Operations domain sets out the foundational expectations for the FRFI’s incident and problem management capability. OSFI expects the FRFI to ensure the alignment and integration between its technology, cyber security, and crisis management and communication protocols. This should include capabilities to enable comprehensive and timely escalation and stakeholder coordination (internal and external) in response to a major cyber security event or incident.
Cyber incident taxonomy is defined. The FRFI should clearly define and implement a cyber incident taxonomy. This taxonomy should include specific cyber and information security incident classification, such as severity, category, type and root cause. It should be designed to support the FRFI in responding to, managing and reporting on cyber security incidents.
Cyber security incident management process and tools are maintained. OSFI expects the FRFI to maintain a cyber security incident management process and playbooks to enable timely and effective management of cyber security incidents. Such playbooks should involve internal and external FRFI roles when material activities are outsourced or involve third-party providers, including vendors, suppliers, managed services providers or CSPs.
Timely response, containment and recovery capabilities are established. The FRFI should establish a cyber incident response team with tools and capabilities available on a continuous basis to rapidly respond, contain and recover from cyber security events and incidents that could materially impact the FRFI’s technology assets, customers and other stakeholders. Where such security services are outsourced to a third party, the FRFI should clearly define timely notification and escalation thresholds to management.
Forensic investigations and root cause analysis are conducted, as necessary. The FRFI should conduct an expert forensic investigation for incidents where there is potential for material exposure to its technology assets. For high-severity incidents, the FRFI should conduct a detailed post-incident assessment of direct and indirect impacts (financial and non-financial), including a root cause analysis to identify remediation actions, address the root cause and respond to lessons learned. The root cause analysis should assess threats, weaknesses and vulnerabilities in its people, processes, technology and data.
Testing and simulation to continuously improve response. Further to expectations in section 2.7 of the Technology Operations domain, the FRFI should conduct periodic exercises and testing of its incident management process, playbooks, and other response tools (e.g., coordination and communication) to maintain and validate their effectiveness.
Outcome: Reliable and secure technology and cyber operations from third-party providers.
This domain should be read in conjunction with principles articulated in Guideline B-10, which advances OSFI’s general expectations for the sound management of outsourcing and third-party risks, including that FRFIs retain ultimate accountability for outsourced activities (see footnote 3). Accordingly, in addition to expectations articulated in Guideline B-10, the FRFI should consider additional controls to manage technology and cyber risks at all third-party providers (TPPs) including, but not limited to, CSPs and managed service providers.
Principle 16: The FRFI should ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the TPP’s life cycle, from due diligence to termination/exit.
Clear responsibilities in TPP arrangements. While the FRFI retains ultimate accountability for outsourced activities, the FRFI should clarify its responsibilities, and those of TPPs, in managing technology and cyber risks. As such, a formal agreement between the TPP and the FRFI should be defined, accepted by all parties and implemented at the time of onboarding to limit ambiguity regarding responsibilities for technology and cyber controls.
TPPs to comply with the FRFI’s standards. The FRFI should establish mechanisms to ensure that TPPs comply with its technology and cyber standards as developed in accordance with the Technology Operations and Cyber Security domains of this Guideline. For example:
Cloud-specific requirements are established. The FRFI should develop cloud-specific requirements to ensure that cloud adoption occurs in a structured and measured way that optimizes interoperability while operating within the FRFI’s stated risk appetite. These requirements should augment existing FRFI controls and standards, including but not limited to areas such as:
These requirements should be accompanied by robust cloud governance to provide proper oversight and monitoring of compliance with risk management practices at the FRFI. Cloud-specific requirements should guide decision-making and help ensure alignment of solutions to the FRFI’s broader technology strategy.
Cloud portability is considered at design and implementation stage. In addition to planning appropriate exit strategies, the FRFI should also consider portability (i.e., the FRFI has the ability to move applications and data from one CSP to another) as part of the design and implementation process in cloud adoption.
Outcome: Technology services are delivered, as expected, through disruption.
This domain focuses on the FRFI’s disaster recovery capabilities, which support the FRFI’s ability to deliver technology services through operational disruption. This domain is complemented by related expectations set out in Domains 2-4 that contribute to technology resilience, including Technology Architecture, Incident and Problem Management and Cyber Security.
Principle 17: The FRFI should establish and maintain an Enterprise Disaster Recovery Framework (EDRF) to support its ability to deliver technology services through disruption and operate within its risk tolerance.
Disaster recovery framework established. OSFI expects the FRFI to develop, implement and maintain an EDRF that sets out the FRFI’s approach to recovering technological services during a disruption. The FRFI should align the EDRF with its business continuity management program. At a minimum, the EDRF should establish:
Key dependencies are managed. OSFI expects the FRFI to manage key dependencies required to support the EDRF, including:
Principle 18: The FRFI should perform scenario testing on disaster recovery capabilities to confirm its technology services operate as expected through disruption.
Disaster recovery scenarios are tested. To promote learning, continuous improvement and technology resilience, OSFI expects the FRFI to validate and report on its disaster recovery strategies and plans regularly against severe but plausible scenarios. These scenarios should be forward-looking and incorporate, where appropriate:
The FRFI’s disaster recovery scenarios should test:
Footnote 1: These practices are commonly referred to as DevSecOps.
Footnote 2: MFA uses independent authentication factors which generally include something that the user: a) knows, such as a password or a PIN; b) has (possesses), such as a cryptographic identification device or token; and, c) is, such as biometrics or behaviour.
Footnote 3: OSFI Guideline B-10 is in the process of being updated and its scope will be expanded to capture other third-party provider arrangements beyond outsourcing.