Nigeria Financial Services. IT Standards Blueprint. Version 1.2
- Claud Wilkerson
- 10 years ago
Nigeria Financial Services IT Standards Blueprint Version 1.2 May 2013
PREAMBLE

This IT Standards Blueprint document presents the framework for the adopted Information Technology (IT) Standards and Governance for the Nigerian Financial Services Industry. This document also contains the adopted Standards by the IT Standards Council. For each defined standard, the documentation includes the objective and intention, description, minimum acceptable maturity level, derivable benefits, requirements for compliance, and consequences for deviations.

Also, contained in this blueprint is the IT Standards Governance Model and Processes, which details the binding framework of processes and procedures that will guide the introduction of new standards, review or modification of existing ones, and complete withdrawal of obsolete or irrelevant standards, thereby maintaining relevance and ensuring continuity by both CBN and other stakeholders.

This document is the property of the Central Bank of Nigeria and its usage is restricted to members of the Shared Services Unit, the IT Standards Council, Nigerian Financial Services Industry and authorized accredited third party agents or consultants as CBN deems fit.

For questions and clarifications, please contact the IT Standards Council through the following:

Deputy Governor Operations
Central Bank of Nigeria
Central Business District
Abuja
Attn: Chidi Umean

Copyright Central Bank of Nigeria 2013 All Rights Reserved.
Table of Contents

- PREAMBLE
- TABLE OF FIGURES
- ABBREVIATIONS
- INTRODUCTION
- BACKGROUND
- OBJECTIVES AND PURPOSE OF DOCUMENT
- DEFINITION OF STANDARD
- OVERVIEW AND SUMMARY
- IT STANDARDS FOR THE NIGERIAN FINANCIAL SERVICES INDUSTRY
- TARGET MATURITY LEVELS
- DATA CENTRE MATURITY
- EXPECTED IMPACTS AND BENEFITS
- IT STANDARDS BLUEPRINT
- STRATEGIC IT ALIGNMENT
- IT GOVERNANCE
- ARCHITECTURE AND INFORMATION MANAGEMENT
- SOLUTIONS DELIVERY
- SERVICE MANAGEMENT AND OPERATIONS
- INFORMATION & TECHNOLOGY SECURITY
- WORKFORCE & RESOURCE MANAGEMENT
- RE-PRIORITISED INDUSTRY IT STANDARDS
- RE-PRIORITISED IT STANDARDS
- IT STANDARDS ADOPTION ROADMAP
- IT STANDARDS GOVERNANCE AND INTERACTION MODEL
- GUIDING PRINCIPLES AND POLICIES
- IT STANDARDS GOVERNANCE MODEL AND PROCESSES
- GOVERNANCE STRUCTURE: IT STANDARDS COUNCIL
- GOVERNANCE STRUCTURE: COMPLIANCE MANAGEMENT COMMITTEE
- GOVERNANCE STRUCTURE: STANDARDS REVIEW COMMITTEE
- IT STANDARDS COMPLIANCE FRAMEWORK
- STAKEHOLDERS INTERACTION/ COMMUNICATION FRAMEWORK
- FREQUENTLY ASKED QUESTIONS (FAQ)
Table of Figures

- Figure 1 - IT Standards Prioritization
- Figure 2 - IT Standards Implementation Roadmap
- Figure 3 - Recommended Adoption Timeline
- Figure 4 - IT Standards Governance Structure
- Figure 5 - IT Standards Council Organization Structure
- Figure 6 - Compliance Management Committee Organization Structure
- Figure 7 - Standards Review Committee Governance Structure
- Figure 8 - IT Standards Compliance Framework
- Figure 9 - Define/ Change Sub-framework
- Figure 10 - Monitor Compliance/ Measure Maturity Sub-framework
- Figure 11 - Documentation/ Management Reporting Sub-framework
- Figure 12 - Enforce Compliance Sub-framework
- Figure 13 - IT Standards Stakeholders' Interaction Framework
Abbreviations

- ITCMM: IT Capability and Maturity Model
- ITIL: IT Infrastructure Library
- COBIT: Control Objectives for Information and Technology
- ISACA: Information Systems Audit and Control Association
- XBRL: eXtensible Business Reporting Language
- TOGAF: The Open Group Architecture Framework
- CMMI: Capability Maturity Model Integration
- SPICE: Software Process Improvement and Capability Determination
- SCAMPI: Standard CMMI Appraisal Method for Process Improvement
- PMI: Project Management Institute
- PMBOK: Project Management Body of Knowledge
- PRINCE2: Projects IN Controlled Environments version 2
- TIA: Telecommunications Industry Association
- OHSAS: Occupational Health & Safety Advisory Services
- BCI: Business Continuity Institute
- PCI DSS: Payment Card Industry Data Security Standard
- SFIA: Skills Framework for the Information Age
1 INTRODUCTION

1.1 Background

Globally, Information Technology has fundamentally transformed the business architecture of Banks resulting in the evolution of new business architectures and approaches to customer service, enterprise management and regulatory compliance.

IT Spend in the Nigerian Financial Services industry, as a proportion of overall operating expenses is high and increasing. However, commensurate value is not realized from these investments due to:

- Complex, duplicate, non-standard and costly processes
- Non-standard systems and infrastructure
- Inefficiency of electronic information exchange
- Data integrity issues

Industry leverage of IT significantly falls short of global best practices, and is limiting banking operating efficiency, cost effectiveness, regulatory information and risk management practices.

To address this gap and provide guidelines for application and utilisation of Information Technology, Industry IT Standards were defined to articulate and provide a point of reference for the utilisation of IT. The IT Standards provide expected industry practices in respect of:

- Enterprise IT Architecture
- Process architecture
- Systems integration/ Interoperability
- Network/ Communications
- Data Centre Infrastructure
Adoption and compliance to the defined standards will improve IT leverage and significantly enhance operating efficiency and cost effectiveness of Banks. The impact of the IT Standards in Bank operations will include improvements in:

- Processing
- Uptime and availability
- Service quality
- Enterprise Control and Management
- Risk Management and Assurance
- Regulatory reporting
- Business Continuity

1.2 Objectives and Purpose of Document

This document presents standards for Information Technology and Governance for the Nigerian Financial Services Industry. For each defined standard, the documentation includes the following:

- Objective and intention
- Description of the standards
- Benefits
- Requirements for compliance

1.3 Definition of Standard

For the purposes of this document, a standard is an established, measurable and achievable set of criteria agreed by general consent to be a basis of comparison.

1.4 Overview and Summary

IT Standards for the Nigerian Financial Services Industry

IT standards for Nigeria's Financial Services Industry are focused on 7 key technology capability areas which are required for world class IT operations as follows:
1. Strategic IT Alignment: Translation of business vision and strategies into multi-year IT investments and operating plans as well as impacts of Information Technology on the Enterprise's performance measurement.
2. IT Governance: Framework for initiation, endorsement, sponsorship, approval and evaluation of IT decisions.
3. Architecture & Information Management: Guidance for the creation and execution of the strategic IT architecture framework.
4. Solutions Delivery: Framework for the development of software application solutions and their subsequent transition into the production environment.
5. Service Management & Operations: Planning, delivery and measurement of day-to-day operational service.
6. Information & Technology Security: Security and protection of enterprise information and related assets.
7. Workforce & Resource Management: Management of IT skills, knowledge and financial resources.

The Financial Services Industry IT standards are derived from globally defined and accepted standards as follows:

Area: Reference

- Strategic IT Alignment: IT Infrastructure Library (ITIL); Control Objectives for Information and related Technologies (COBIT)
- IT Governance: COBIT; ISO
- Architecture & Information Management
  - Interfaces: ISO 8583; ISO
  - Reporting: eXtensible Business Reporting Language (XBRL)
  - Enterprise Architecture: The Open Group Architecture Framework (TOGAF)
- Solutions Delivery
  - Applications Development: Capability Maturity Model Integration (CMMI); ISO
  - Project Management: Project Management Body of Knowledge (PMBOK); PRojects IN Controlled Environments version 2 (PRINCE2)
- Service Management & Operations
  - Service Management: ITIL; ISO
  - Data Center: Tier Standards TIA 942
  - Health, Safety, Environment (HSE): OHSAS
  - Business Continuity: Business Continuity Institute Good Practice Guidelines (BCI GPG); BS25999 / ISO
- Information & Technology Security: Payment Card Industry Data Security Standard (PCI DSS); ISO 27001/27002
- Workforce & Resource Management: Skills Framework for the Information Age (SFIA)

1 Formerly BS which was retired on September 1, 2012 and replaced by ISO

Target Maturity Levels
Maturity levels indicate the robustness of formal articulation of policies and the extent of assimilation and adoption into organizational practices. The definition of maturity levels is derived from common acceptable IT Standard models.

Level, description and characteristics of level:

Level 0 - Non-existent
- No articulation of policies and recognisable processes are lacking

Level 1 - Ad-hoc
- Processes are not standardised but ad-hoc approaches are applied incidentally on an individual or case-by-case basis
- The overall approach to IT management and governance is disorganized

Level 2 - Repeatable
- Processes have evolved to the extent that similar approaches are adopted by different individuals undergoing the same task
- There is no formal training or communication of standard procedures, and responsibility is left to the individual.
- There is a high degree of reliance on the knowledge of individuals

Level 3 - Defined
- Processes are properly defined and documented, and communicated through formal training
- Processes are integrated into organizational practices via formal approved policy
- Automation and tools are used in a limited and fragmented way

Level 4 - Managed and Measurable
- Measurable quality goals are established and management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively
- Processes are under constant improvement and provide good practice

Level 5 - Optimised
- Processes are refined to the level of good practice, based on continuous improvement
- Quality management & continuous improvement activities are embedded in process management
- IT is leveraged in an integrated way to automate the workflow, providing tools to improve quality and effectiveness

The minimum target maturity level for IT Standards for the financial services industry is Level 3 in respect of standards that align to the maturity model. Level 3 maturity requires that IT standards are:

- Defined
- Documented
- Integrated into organizational practices via policy and procedures
- Communicated through training, and that
- Automation and tools are used in a limited and fragmented way

Data Centre Maturity

The TIA 942 and Uptime Institute standards are the reference standards for data centre infrastructure and environment. Data Center standards provide guidance for data centres including primary data centres hosting live production infrastructure as well as backup data centres / disaster recovery locations. The following tier levels are adapted from the TIA 942 and Uptime Institute Tier Standards:

Tier, description and characteristics of tier:

Tier 1 - Basic Data Centre Site Infrastructure
- Numerous single points of failure in all aspects of design
- Generally unable to sustain more than a 10 minute power outage

Tier 2 - Redundant Site Infrastructure Capacity Components
- Some redundancy in power and cooling systems
- Generator backup
- Able to sustain 24 hour power outage
- Minimal thought to site selection
- Vapour barrier
- Formal data room separate from other areas

Tier 3 - Concurrently Maintainable Site Infrastructure
- Two utility paths (active and passive)
- Redundant power and cooling systems
- Redundant service providers
- Able to sustain 72-hour power outage
- Careful site selection planning
- One-hour fire rating
- Allows for concurrent maintenance

Tier 4 - Fault Tolerant Site Infrastructure
- Two independent utility paths
- Independently dual-powered cooling systems
- Able to sustain 96 hour power outage
- Stringent site selection criteria
- Minimum two-hour fire rating
- 24/7 onsite maintenance staff

Target tier is Tier 3: Concurrently Maintainable Site Infrastructure and supports % availability.

1.5 Expected Impacts and Benefits

Implementation of these standards is expected to provide the following benefits:

- Increased up-time / availability of Banks leading to increased cost savings
- Establishment of a reference point for objective assessment of the IT function leading to improved IT performance measurement
- Improved data integrity and electronic information exchange
- Increased efficiency and productivity of staff due to interoperability of IT systems
- Business Continuity / Recovery and reduced risk of prolonged downtimes
- Improved data security assurance to customers leading to increased customer confidence
2 IT Standards Blueprint

This section outlines the blueprint of the IT Standards and includes the following in respect of each standard:

- Purpose of the standard(s)
- Minimum Acceptable Maturity Level
- Description of the Standard(s)
- Rationale for Selection
- Benefits
- Requirements for compliance
- Scope
- Deviation from Use
- References
2.1 Strategic IT Alignment

Purpose: The Strategic IT Alignment standards provide a framework for ensuring that business vision and strategies are translated into IT investments and operating plans.

Recommended Standards:
- Control Objectives for Information and Technology (COBIT): best practices for IT management, created by ISACA and the IT Governance Institute
- IT Infrastructure Library (ITIL): globally adopted framework for IT Operations and Service Management

Minimum Acceptable Maturity Level: Level 3

Rationale for Selection:

COBIT: The Plan and Organize (PO) Domain of the COBIT Framework involves the definition of an IT Strategic Plan and focuses on incorporating IT and business management in the translation of business requirements into service offerings, as well as the development of strategies to deliver these services in a transparent and effective manner

ITIL: The Service Strategy Volume of ITIL focuses on the alignment of business and IT so that each brings out the best in the other. It ensures that every stage of the service lifecycle stays focused on the business case and relates to all the companion process elements that follow

COBIT and ITIL are also reference standards for IT Governance and Service Management respectively

Benefits:
- Standardized framework for ensuring that IT plans and investments are directly driven by the business goals.
- Ensures that IT services are designed to satisfy the business requirements and service levels
- Objective basis for measuring the value IT brings to the business

Requirements for compliance: Adoption of COBIT Plan and Organize (PO) Domain and the ITIL Service Strategy volume maturity level 3. Strategic IT Alignment policies and processes must be:
- Defined
- Documented
- Integrated into organizational practices via policy and procedures
- Communicated through training
- Processes must be automated to some degree

The process for certification of compliance to COBIT and ITIL is as follows:
- Implement the IT Strategy requirements of the COBIT /ITIL frameworks to maturity level 3 and submit to a compliance audit

Scope and Application: The Strategic IT Alignment standard shall be applicable to all IT infrastructure and Service providers to the financial service industry including in house Bank functions and external IT infrastructure and service providers

Exemption: Not applicable.

References: ITIL: COBIT:

Key Elements of the Standards: Please see sections 2.2 and 2.5.
2.2 IT Governance

Purpose: The IT Governance standards articulate a framework to guide how IT decisions are made, sponsored, enforced and evaluated, both within and across the organization structure

Standards:
- Control Objectives for Information and Technology (COBIT): a set of best practices for IT management, created by ISACA and the IT Governance Institute.
- ISO 38500: created by the International Standards Organization; focuses on the corporate governance of information technology

Maturity Level:
- COBIT: Level 3
- ISO

Rationale for Selection:

COBIT: The COBIT Framework provides management and business process owners with an IT governance model that helps in delivering value from IT as well as managing the risks associated with IT.

ISO: The ISO/IEC standard provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT. The standard specifies the minimum requirements for the IT Governance of an organization.

COBIT and ISO are complementary; implementation of COBIT controls satisfies some of the requirements for an ISO certification

Benefits:
- Improved accountability for IT investments
- Higher level of business justification for IT projects
- Increased effectiveness of the IT function leading to reduction in costs
- Improved risk management with better visibility of risk priorities
Requirements for compliance:

COBIT: In order to be compliant to the industry standard, the COBIT framework must be implemented to maturity level 3. This means that the standard must be:
- Defined
- Documented
- Integrated into organizational practices via policy and procedures
- Communicated through training
- Processes must be automated to some degree

ISO 38500: The ISO certification requirements must be met for an organization to be compliant to this standard

The processes for an organization to become compliant to COBIT and ISO are as follows:

COBIT
- Implement the requirements of the COBIT framework to maturity level 3 and submit to a compliance audit
- If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council.

ISO
- Implement the requirements of the ISO standard
- Submit to a compliance audit by a certified assessor.
- Provide the results to the IT Standards Governance Council as proof of compliance

Scope: This standard is applicable to all the Banks and managed service providers in the industry. All organizations in the industry shall implement the COBIT framework to maturity level three. ISO certification shall not be mandatory but should be considered desirable

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council.
Key Elements of the Standards

COBIT: COBIT defines IT activities in a generic process model within four domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

The domains map to the IT function's traditional responsibility areas of plan, build, run and monitor.

- Plan and Organize (PO) Domain: Strategy and tactics, and concerns the identification of the way IT contributes to the achievement of business objectives. The realization of the strategic IT vision needs to be planned, communicated and managed for different perspectives. Proper organization as well as technological infrastructure should be defined and implemented.
- Acquire and Implement (AI) Domain: To realize the IT strategy, IT solutions must be identified, developed or acquired, implemented and integrated into business processes. Changes in and maintenance of existing systems ensure that solutions continue to meet business objectives.
- Deliver and Support (DS) Domain: Actual delivery of IT services, including IT service delivery, IT security and continuity, service support for users, and management of data and operational facilities.
- Monitor and Evaluate (ME) Domain: All IT processes shall be regularly assessed over time for quality and compliance with control requirements. Policies and processes for performance management, monitoring of internal control, regulatory compliance and governance shall be established

Ref:

ISO: ISO is a high level principle based advisory standard. In addition to providing broad guidance on the role of a governing body, ISO encourages organizations to use appropriate standards to underpin governance of IT. The standard prescribes that directors should govern IT through three main tasks:
- Evaluate the current and future use of IT
- Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives
- Monitor conformance to policies, and performance against plans.

There are six principles for good corporate governance of IT. The principles are applicable to organizations and express preferred behaviour to guide decision making. The statement of each principle refers to what should happen but does not prescribe how, when or by whom the principles should be implemented.

- Principle 1 - Responsibility: Individuals and groups across the organization understand and accept their responsibilities in respect of supply of and demand for IT. Responsibility is matched by authority to perform.
- Principle 2 - Strategy: Corporate business strategy reflects current and future capabilities of IT. IT strategy and plans are clearly articulated and are aligned to and supportive of current and ongoing needs of the organization's Business strategy.
- Principle 3 - Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis with clear and transparent decision making. There is appropriate consideration of short and long term benefits, opportunities, costs and risks of IT spend.
- Principle 4 - Performance: IT is fit for purpose in supporting the organization, providing service levels and service quality appropriate for current and future business requirements
- Principle 5 - Conformance: IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
- Principle 6 - Human Behaviour: IT policies, practices and decisions demonstrate respect for human behaviour including the current and evolving needs of all people in the process.
Ref:

Architecture and Information Management

Interfaces

Purpose: The purpose is to ensure the standardization of transaction interfaces between entities in the Financial Services Industry to enhance interoperability and improve efficiency

Standards:
- ISO 8583, also known as Financial Transaction Card Originated Messages Interchange Message Specifications, provides a standard framework for systems that exchange electronic transactions made using payment cards
- ISO aims to enable communication interoperability between financial institutions, their market infrastructures and their end-user communities by defining and promoting a single ISO standardization approach to be used by all financial standards initiatives.

Maturity Level: Not Applicable

Rationale for Selection:

ISO 8583: Standard framework for systems that exchange electronic transactions that use payment cards, specifies a common interface by which financial transaction card originated messages may be interchanged between acquirers and card issuers. Most core Banking application vendors provide native ISO 8583 interfaces and ISO 8583 is widely adopted within the Nigerian Financial Services industry for card based payment transactions.

ISO: Also known as the Universal financial industry (UNIFI) message scheme, provides a common platform for the development of messages in a standardized XML syntax and is the de-facto standard adopted in Europe to facilitate the Single Euro Payments Area (SEPA).

ISO 8583 is restricted to card based payments while the scope of application of ISO is broader.

Benefits:
- Improved interoperability and efficiency of transaction processing
- Cost savings due to interoperability
- Facilitates straight through processing

Requirements for compliance: Transaction interfaces that meet specified industry standards.

Process for compliance:
- Implement the requirements of the interface standards and submit to a compliance audit
- If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council

Scope: This standard is applicable to all banks, managed service providers and payments systems solution providers in the industry. All organizations that provide payments services are required to provide ISO 8583 compliant interfaces. Compliance with ISO requirements is currently not mandatory. This is however subject to review by the IT Standards Governance Council.

Exemption: A payment service provider may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council

Key Elements of the Standards

ISO 8583: Common interface by which financial transaction card originated messages may be interchanged between acquirers and card issuers. It specifies message structure, format and content, data elements and values for data elements. The specification has 3 parts:
- Part 1: Messages, data elements and code values
- Part 2: Application and registration procedures for Institution Identification Codes
- Part 3: Maintenance procedures for messages, data elements and code values

An ISO 8583 message is made of:
- Message type indicator (MTI)
- One or more bitmaps, indicating which data elements are present
- Data elements, the fields of the message

Ref:

ISO: Communication interoperability between financial institutions, market infrastructures and end-users in respect of financial transactions including:
- High value payments
- FX & Money Markets
- Commercial payments
- Cards
- Securities
- Trade

The ISO statement is organized as follows:
- Part 1: Overall Methodology and Format Specifications for Inputs and Outputs to/from the ISO Repository
- Part 2: Roles and responsibilities of the registration bodies
- Part 3: ISO Modeling
- Part 4: ISO XML design rules
- Part 5: ISO Reverse engineering
- Part 6: ISO Message Transport Characteristics

Ref:
2.3.2 Reporting

Purpose: Standardization of business and financial reporting across the industry

Standards: eXtensible Business Reporting Language (XBRL)

Maturity Level: N/A

Description of Standards: XBRL is an XML-based open standard for exchanging business information which allows information modeling and the expression of semantic meaning commonly required in business reporting

Rationale for Selection: XBRL provides a method to prepare, publish, exchange, search and analyze financial statements across all software formats and technologies.

Benefits:
- Includes an IFRS taxonomy which facilitates the electronic use and exchange of financial data in line with IFRS directives.
- Improved reporting efficiency as data from various systems and databases can be assembled quickly, cheaply and efficiently
- Improved usability of financial statement information
- Simplification of both internal and external reporting processes

Requirements for compliance: In order to be compliant, an organization must implement XBRL processes and tools and utilize it for reporting purposes.

Process for compliance:
- Implement XBRL and submit to a compliance audit
- If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council

Scope: This standard is applicable to all banks and external (managed) service providers for the financial services industry.

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council
Key Elements of the Standards

XBRL consists of an XBRL instance, containing primarily the business facts being reported, and a collection of taxonomies (called a Discoverable Taxonomy Set (DTS)), which define metadata about these facts, such as what the facts mean and how they relate to one another

XBRL Instance: The XBRL instance begins with the <xbrl> root element and holds the following information:
- Business Facts which are divided into two categories
  - Items are facts holding a single value. They are represented by a single XML element with the value as its content.
  - Tuples are facts holding multiple values. They are represented by a single XML element containing nested Items or Tuples.
  In the design of XBRL, all Item facts must be assigned a context.
- Contexts define the entity (e.g. company or individual) to which the fact applies, the period of time the fact is relevant, and an optional scenario. Scenarios provide further contextual information about the facts, such as whether the business values reported are actual, projected, or budgeted.
- Units define the units used by numeric or fractional facts within the document, such as USD, shares. XBRL allows more complex units to be defined if necessary.
- Footnotes use XLink to associate one or more facts with some content.

Taxonomy: An XBRL Taxonomy is a collection of taxonomy schemas and linkbases. A taxonomy schema is an XML schema file. Linkbases are XML documents which follow the XLink specification. The schema must ultimately extend the XBRL instance schema document and typically extend other published XBRL schemas.

Ref:
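The instance structure described above (Items, Tuples, contexts, units) can be checked mechanically before a filing is accepted. The following is an added example, not part of the original blueprint: it walks an XBRL instance and reports Items that lack a context or point at an undefined context or unit. The `bank` taxonomy namespace, element names and sample document are constructed for illustration, and treating an Item with a `decimals` or `precision` attribute as numeric is an assumption that stands in for a taxonomy lookup.

```python
# Added example: referential-integrity check of an XBRL instance.
# The "bank" taxonomy, its element names and the sample values are constructed.
import xml.etree.ElementTree as ET

XBRLI = "{http://www.xbrl.org/2003/instance}"
LINK = "{http://www.xbrl.org/2003/linkbase}"

SAMPLE = """<xbrl xmlns="http://www.xbrl.org/2003/instance"
      xmlns:bank="http://example.com/taxonomy/bank">
  <context id="FY2012">
    <entity><identifier scheme="http://example.com/ids">BANK-001</identifier></entity>
    <period><startDate>2012-01-01</startDate><endDate>2012-12-31</endDate></period>
    <scenario><bank:basis>actual</bank:basis></scenario>
  </context>
  <unit id="NGN"><measure>iso4217:NGN</measure></unit>
  <bank:TotalDeposits contextRef="FY2012" unitRef="NGN" decimals="0">1500000</bank:TotalDeposits>
  <bank:Branch>
    <bank:BranchName contextRef="FY2012">Abuja Main</bank:BranchName>
    <bank:BranchLoans contextRef="FY2013" unitRef="NGN" decimals="0">420000</bank:BranchLoans>
  </bank:Branch>
  <bank:Auditor>Constructed LLP</bank:Auditor>
  <bank:NetIncome contextRef="FY2012" unitRef="USD" decimals="0">90000</bank:NetIncome>
</xbrl>"""


def _items(parent, path=""):
    """Yield (name, element) for every Item, descending into Tuples."""
    for el in parent:
        if el.tag.startswith((XBRLI, LINK)):
            continue  # contexts, units and footnote links are not facts
        name = path + el.tag.rsplit("}", 1)[-1]
        if len(el):  # has child elements, so it is a Tuple
            yield from _items(el, name + "/")
        else:
            yield name, el


def check_instance(text):
    """Return (facts, problems) for an XBRL instance given as a string."""
    root = ET.fromstring(text)
    if root.tag != XBRLI + "xbrl":
        raise ValueError("root element is not <xbrl>")

    contexts = {}
    for ctx in root.findall(XBRLI + "context"):
        ident = ctx.find(f"{XBRLI}entity/{XBRLI}identifier")
        period = ctx.find(XBRLI + "period")
        contexts[ctx.get("id")] = {
            "entity": ident.text.strip() if ident is not None and ident.text else None,
            "period": tuple(p.text for p in period) if period is not None else (),
            "scenario": ctx.find(XBRLI + "scenario") is not None,
        }
    units = {u.get("id"): [m.text for m in u.iter(XBRLI + "measure")]
             for u in root.findall(XBRLI + "unit")}

    facts, problems = [], []
    for name, el in _items(root):
        ctx_id, unit_id = el.get("contextRef"), el.get("unitRef")
        # Assumption: decimals/precision marks a numeric Item (no taxonomy loaded).
        numeric = el.get("decimals") is not None or el.get("precision") is not None
        if ctx_id is None:
            problems.append((name, "item has no contextRef"))
        elif ctx_id not in contexts:
            problems.append((name, f"unknown context {ctx_id}"))
        elif numeric and unit_id is None:
            problems.append((name, "numeric item has no unitRef"))
        elif unit_id is not None and unit_id not in units:
            problems.append((name, f"unknown unit {unit_id}"))
        else:
            facts.append({"name": name, "value": el.text,
                          "unit": units.get(unit_id), **contexts[ctx_id]})
    return facts, problems


if __name__ == "__main__":
    ok, bad = check_instance(SAMPLE)
    for fact in ok:
        print("OK ", fact)
    for name, why in bad:
        print("BAD", name, "-", why)
```
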
2.3.3 Enterprise Architecture

Purpose: Enterprise architecture standard provides a framework to guide the selection, deployment, operation, protection and refreshment of technologies in support of business goals

Standard: The Open Group Architecture Framework (TOGAF)

Maturity Level: Level 3

Description of Standards: TOGAF is an architecture framework that provides a set of tools which can be used for developing a broad range of different architectures

Rationale for Selection: TOGAF is a framework that includes a comprehensive set of supporting tools for the design, planning, implementation, and governance of an enterprise architecture. It is the most widely adopted open framework for Enterprise Architecture in Nigeria and in most parts of the world

Benefits: The TOGAF Architecture Development Method (ADM) provides a detailed methodology that can enable the development of an enterprise architecture which will meet the business and information technology needs of an organization. The ADM is freely available for use by any organization to develop an enterprise architecture for use within that organization alone, and is customizable to meet the organization's needs.

Requirements for compliance: In order to be compliant to the industry standard the TOGAF framework must be implemented to maturity level 3. This means that the standard must be:
- Defined
- Documented
- Integrated into organizational practices via policy and procedures
- Communicated through training
- Processes must be automated to some degree

Process for compliance:
- Implement the requirements of the TOGAF framework to maturity level 3 and submit to a compliance audit
- If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council

Scope: This standard shall be applicable to all banks and external (managed) service providers in the financial service industry.

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council

References: TOGAF:

Key Elements of the Standards

The TOGAF Architecture Development Method (ADM) is a framework for developing an enterprise architecture covering Business Architecture, Application Architecture, Information Architecture and Technology Architecture. The TOGAF ADM consists of a number of phases that cycle through all the architecture views as follows:

- Preliminary Framework and Principles: focuses on establishing the business context, defining framework to be used, defining architecture principles and establishing architecture governance
- Architecture Vision: obtain management commitment towards project(s), validate the business principles, goals and drivers, identify stakeholder concerns and objectives, define business requirements and constraints and obtain formal approval to proceed.
- Business Architecture: describe the current baseline business architecture, develop a target business architecture and analyze the gaps between the baseline and target business architectures.
- Information Systems Architecture: develop target architectures for data and application domains. The scope of business process supported in this phase includes those that are supported by IT and the interfaces of IT related processes to non IT related processes. It consists of:
  - Data Architecture: which aims to define the types and sources of data needed to support the business in a way that can be understood by stakeholders
  - Applications Architecture: which aims to define the kinds of application systems necessary to process the data and support the business.
- Technology Architecture: develop a technology architecture that supports the business, application and data architectures
- Opportunities and Solutions: evaluate and select implementation options, identify the strategic parameters for change and the projects to be undertaken and generate an implementation and migration strategy and plans.
- Migration Planning: plan various implementation projects by priority. The prioritized list of projects will form the basis for the detailed implementation and migration plans.
- Implementation Governance: arrangements for conformance with the defined architecture by the implementation projects and other projects.
- Architecture Change Management: continual monitoring of changes in technology and business to determine whether to initiate a new architecture cycle.

Ref:
2.4 Solutions Delivery

Applications Development

Purpose: The purpose of these standards is to ensure that there is a structured process for the development of bespoke applications or the customization of commercial applications as required by the organization.

Standards:
- Capability Maturity Model Integration (CMMI) is a process improvement method that provides a set of best practices for Systems and Software development.
- ISO is a framework for process assessment which defines processes and a capability dimension for measuring the processes.

Maturity Level:
- CMMI: Level 3
- ISO 15504: N/A

Rationale for Selection:
- CMMI: The CMMI is a Framework for projects or organizations that provides common, integrated, and improving processes for Systems and Software development. It provides a set of best practices that address productivity, performance, costs, and stakeholder satisfaction and can be utilized to drive significant value realization.
- ISO: ISO, also known as Software Process Improvement and Capability Determination (SPICE), is a framework for the assessment of processes that defines capability levels for measuring the processes. ISO provides objective measures that enable assessors to give an overall determination of the organization's capabilities for delivering software. ISO was derived in part from the CMMI.

Benefits:
- Better ROI indices for application development initiatives
- Improved quality of end deliverables with reduced defects over product life cycle
- Reduction in project costs with reduced schedules
- Improved end-user satisfaction

Requirements for compliance:
- CMMI: In order to be compliant with the industry standard, the CMMI model must be implemented to maturity level 3 as defined.
- ISO 15504: the ISO certification requirements must be met for an organization to be compliant with this standard.

Process for compliance:
- CMMI:
  - Implement the requirements of the CMMI Model to maturity level 3 and submit to a SCAMPI compliance audit by a QSA
  - If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council.
- ISO 15504:
  - Implement the requirements of the ISO standard
  - Submit to a compliance audit by a certified assessor.
  - Provide the results to the IT Standards Governance Council as proof of compliance

Scope: This standard is applicable to all the banks and external (managed) service providers in the financial services industry. All organizations in the industry are required to implement CMMI to at least a maturity level three. ISO certification is not mandatory.

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council.

Key Elements of the Standards

CMMI: CMMI for applications development consists of 22 process areas. A process area is a cluster of related practices in an area that, when implemented collectively, satisfy a set of goals considered important for making significant improvement in that area. These process areas are aligned to maturity levels and determine the level of maturity of an organization's development processes. The process areas are as follows:

Maturity Level 2 - Managed:
- CM - Configuration Management: establish and maintain the integrity of work products using configuration identification, configuration control, configuration status accounting, and configuration audits.
- MA - Measurement and Analysis: develop and sustain a measurement capability used to support management information needs.
- PMC - Project Monitoring and Control: provide an understanding of the project's progress so that appropriate corrective actions can be taken when the project's performance deviates significantly from the plan.
- PP - Project Planning: establish and maintain plans that define project activities.
- PPQA - Process and Product Quality Assurance: provide staff and management with objective insight into processes and associated work products.
- REQM - Requirements Management: manage requirements of the project's products and product components and ensure alignment between those requirements and the project's plans and work products.
- SAM - Supplier Agreement Management: manage the acquisition of products and services from suppliers.

Maturity Level 3 - Defined:
- DAR - Decision Analysis and Resolution: analyze possible decisions using a formal evaluation process that evaluates identified alternatives against established criteria.
- IPM - Integrated Project Management: establish and manage the project and the involvement of relevant stakeholders according to an integrated and defined process that is tailored from the organization's set of standard processes.
- OPD - Organizational Process Definition: establish and maintain a usable set of organizational process assets, work environment standards, and rules and guidelines for teams.
- OPF - Organizational Process Focus: plan, implement, and deploy organizational process improvements based on a thorough understanding of current strengths and weaknesses of the organization's processes and process assets.
- OT - Organizational Training: develop skills and knowledge of people so they can perform their roles effectively and efficiently.
- PI - Product Integration: assemble the product from the product components, ensure that the product, as integrated, behaves properly (i.e., possesses the required functionality and quality attributes), and deliver the product.
- RD - Requirements Development: elicit, analyze, and establish customer, product, and product component requirements.
- RSKM - Risk Management: identify potential problems before they occur so that risk handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives.
- TS - Technical Solution: select, design, develop, and implement solutions to requirements. Solutions, designs, and implementations encompass products, product components, and product related lifecycle processes either singly or in combination as appropriate.
- VAL - Validation: demonstrate that a product or product component fulfills its intended use when placed in its intended environment.
- VER - Verification: ensure that selected work products meet their specified requirements.

Maturity Level 4 - Quantitatively Managed:
- OPP - Organizational Process Performance: establish and maintain a quantitative understanding of the performance of selected processes in the organization's set of standard processes in support of achieving quality and process performance objectives, and provide process performance data, baselines, and models to quantitatively manage the organization's projects.
- QPM - Quantitative Project Management: quantitatively manage the project to achieve the project's established quality and process performance objectives.

Maturity Level 5 - Optimizing:
- CAR - Causal Analysis and Resolution: identify causes of selected outcomes and take action to improve process performance.
- OPM - Organizational Performance Management: proactively manage the organization's performance to meet its business objectives.

Ref:

ISO 15504: ISO contains a reference model which defines processes and a capability dimension for measuring the processes. The process dimension defines processes divided into the six process categories of:
- Processes
- Customer supplier
- Engineering
- Supporting
- Management
- Organization

Capability levels include:
- 5 - Optimizing Process
- 4 - Predictable Process
- 3 - Established Process
- 2 - Managed Process
- 1 - Performed Process
- 0 - Incomplete Process

Ref:
2.4.2 Project Management

Purpose: The Project Management standards provide a framework to guide project planning, organizing, and resource management to bring about the successful completion of project goals and objectives.

Standards:
- Project Management Body of Knowledge (PMBOK): a global standard in Project Management, developed by the Project Management Institute (PMI), which provides a set of standard terminology and guidelines for project management.
- PRojects IN Controlled Environments (PRINCE2): a process-driven project management method, which is developed by the Office of Government Commerce (OGC), UK, and is largely influenced by the IT industry.

Maturity Level: Level 3

Rationale for Selection:
- PMBOK: The PMBOK is a global standard which establishes best practices and principles for project management.
- PRINCE2: PRINCE2 is a widely adopted structured method for effective Project Management, which covers the management, control and organization of a project.

Both standards are independent Project Management standards widely adopted both globally and locally.

Benefits:
- Improved efficiency and effectiveness in project delivery
- Better risk management
- Improved quality of project end results
- Reduced cost to deliver
- Further cost savings due to increased on-schedule project delivery

Requirements for compliance: In order to be compliant with the industry standard, the PMBOK or PRINCE2 framework must be implemented to maturity level 3. This means that the standard must be:
- Defined
- Documented
- Integrated into organizational practices via policy and procedures
- Communicated through training
- Processes must be automated to some degree

Process for compliance:
- Implement the requirements of the PMBOK/PRINCE2 Standards to maturity level 3 and submit to a compliance audit
- If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council.

Scope: The Project Management standard shall be applicable to all the banks and external (managed) service providers in the industry. Organizations are required to implement either the PMBOK or PRINCE2 standards to at least a maturity level three.

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council.

Key Elements of the Standards

PMBOK: The PMBOK divides a project into 5 process groups that follow the Deming cycle:
- Initiating
- Planning
- Executing
- Monitoring & Controlling
- Closing

Simultaneously the project is also divided into nine knowledge areas as follows:
- Project Integration Management
- Project Scope Management
- Project Time Management
- Project Cost Management
- Project Quality Management
- Project Human Resource Management
- Project Communications Management
- Project Risk Management
- Project Procurement Management

Ref:

PRINCE2: PRINCE2 defines 40 separate activities organized into seven processes:
- Starting up a project: In this process the project team is appointed and a project brief is prepared. In addition the overall approach to be taken is decided and the next stage of the project is planned.
- Initiating a project: This process builds on the work of the startup process, and the project brief is augmented to form a Business case. The approach taken to ensure quality on the project is agreed together with the overall approach to controlling the project itself. Project files are also created as well as an overall plan for the project.
- Directing a project: This process dictates how the project board should control the overall project. Directing a Project also dictates how the project board should authorize a stage plan, including any stage plan that replaces an existing stage plan due to slippage or other unforeseen circumstances. Also covered is the way in which the board can give ad hoc direction to a project and the way in which a project should be closed down.
- Controlling a stage: PRINCE2 suggests that projects should be broken down into stages and these sub-processes dictate how each individual stage should be controlled. Most fundamentally this includes the way in which work packages are authorized and received. It also specifies the way in which progress should be monitored and how the highlights of the progress should be reported to the project board. A means for capturing and assessing project issues is suggested together with the way in which corrective action should be taken. It also lays down the method by which certain project issues should be escalated to the project board.
- Managing stage boundaries: This dictates what should be done towards the end of a stage. The next stage should be planned and the overall project plan, risk log and business case amended as necessary. The process also covers what should be done for a stage that has gone outside its tolerance levels. Finally, the process dictates how the end of the stage should be reported.
- Managing product delivery: This process has the purpose of controlling the link between the Project Manager and the Team Manager(s) by placing formal requirements on accepting, executing and delivering project work.
- Closing a project: This covers the things that should be done at the end of a project. The project should be formally decommissioned and resources freed up for allocation to other activities, follow on actions should be identified and the project itself be formally evaluated.

Ref:
2.5 Service Management and Operations

Service Management

Purpose: The purpose of these standards is to ensure that there is a structured framework for managing the development and delivery of IT Services.

Standards:
- IT Infrastructure Library (ITIL) is a framework of best practice for IT service management. It comprises a series of books and information which provide guidance on the quality provision of IT services.
- ISO is an organizational standard that aims to promote the adoption of an integrated set of management processes for the effective delivery of services to the business and its customers.

Maturity Level:
- ITIL: Level 3
- ISO 20000: N/A

Rationale for Selection:
- ITIL: ITIL is a framework of best practices for IT service management which gives detailed descriptions of IT processes and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
- ISO: This is an international standard that defines the requirements for an organization to deliver services of an acceptable quality to its customers. It aims to promote the adoption of an integrated set of management processes for the effective delivery of services to the business and its customers.

ITIL and ISO are complementary to one another; implementing ITIL processes satisfies some of the requirements towards attaining an ISO certification.

Benefits:
- Improved quality and consistency of IT Services
- Improved alignment of IT Services with corporate strategies and all aspects of existing technologies, processes and services leading to reduced Total Cost of Ownership (TCO)
- Structured service design processes enabling IT to focus on delivering cost effective services while ensuring that specific business requirements are met
- Provides a basis for independent assessment of IT Service Management processes

Requirements for compliance:
- ITIL: in order to be compliant with the industry standard, the ITIL framework must be implemented to maturity level 3. This means that the standard must be:
  - Defined
  - Documented
  - Integrated into organizational practices via policy and procedures
  - Communicated through training
  - Processes must be automated to some degree
- ISO 20000: the ISO requirements must be met and certification obtained for an organization to be compliant with this standard.

Process for compliance:
- ITIL:
  - Implement the requirements of the ITIL Standard to maturity level 3 and submit to a compliance audit
  - If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council.
- ISO:
  - Implement the requirements of the ISO standard
  - Request an assessment from a Registered Certification Body (RCB). Once the requirements of ISO/IEC have been satisfied, the RCB will issue a certificate of conformance
  - Provide the certificate to the IT Standards Governance Council as proof of compliance

Scope: This standard is applicable to all the banks and external (managed) service providers in the financial services industry. All organizations in the industry are required to implement the ITIL framework to at least a maturity level three. ISO certification is mandatory for managed service providers.

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council.

Key Elements of the Standards

ITIL: ITIL version 3 [2] (the current ITIL version is ITIL 2011, which is an update to version 3 with no significant changes in context) consists of five core publications covering each stage of the service lifecycle, from the initial definition and analysis of business requirements in Service Strategy and Service Design, through migration into the live environment within Service Transition, to live operation and improvement in Service Operation and Continual Service Improvement.
- Service Strategy: this publication sits at the core of the ITIL V3 lifecycle. It sets out guidance to all IT service providers and their customers, to help them operate and thrive in the long term by building a clear service strategy.
- Service Design: The purpose of this is the design of appropriate and innovative IT services, including their architectures, processes, policies and documentation, to meet current and future agreed business requirements.
- Service Transition: this aims to deliver services that are required by the business into operational use. Service Transition delivers this by receiving the Service Design Package from the Service Design stage and delivering into the Operational stage every necessary element required for ongoing operation and support of that service.
- Service Operation: the purpose of this is to deliver agreed levels of service to users and customers, and to manage the applications, technology and infrastructure that support delivery of the services. It is only during this stage of the lifecycle that services actually deliver value to the business, and it is the responsibility of Service Operation staff to ensure that this value is delivered.
- Continual Service Improvement: this is concerned with maintaining value for customers through the continual evaluation and improvement of the quality of services and the overall maturity of the ITSM service lifecycle and underlying processes. CSI combines principles, practices and methods from quality management, Change Management and capability improvement, working to improve each stage in the service lifecycle, as well as the current services, processes, and related activities and technology.

[2] Current ITIL version is ITIL 2011, which is an update to the version 3 or ITIL 2007.

ITIL:

ISO: The ISO standard specifies a set of inter-related management processes and is derived from ITIL. The Standard promotes an integrated service management model comprising the following:
- Requirements for a Management System
  - Management Responsibility
  - Documentation requirements
  - Competence, awareness and training
- Planning and Implementing Service Management
  - Plan service management
  - Implement service management and provide the services
  - Monitoring, measuring and review
  - Continual Improvement
- Planning and Implementing new or changed services
- Service Delivery Processes
  - Service Level Management
  - Service Reporting
  - Service Continuity and Availability Management
  - Budgeting and Accounting for IT Services
  - Capacity Management
  - Information Security Management
- Relationship Processes
  - General requirements
  - Business Relationship Management
  - Supplier Management
- Resolution Processes
  - Background
  - Incident Management
  - Problem Management
- Control Processes
  - Configuration Management
  - Change Management
- Release Processes
  - Release Management

ISO 20000:
2.5.2 Data Centre

Purpose: Standard for infrastructure and communication for data processing sites for the financial services industry.

Standards:
- The Uptime Institute Tier Standard is a global standard based on availability specifications for data centres.
- TIA 942 Standard for Data Centres is a telecommunications standard that specifies requirements for telecommunications infrastructure and facilities of data centres.

Acceptable Tier: Tier 3

Rationale for Selection:
- Data Centre Tier Standard: The Uptime Institute site infrastructure tier standard is a widely adopted global standard that was developed as an objective basis for comparing the functionality, capacity and expected availability of a data centre site.
- TIA 942 Standard: The Telecommunications Infrastructure Standard for Data Centres specifies the minimum requirements for telecommunications infrastructure and facilities of data centres and computer rooms, including single tenant enterprise data centres and multi-tenant Internet hosting data centres. The standard is primarily a telecom infrastructure standard, but also addresses data centre facility requirements as follows:
  - Site space and layout
  - Cabling infrastructure
  - Tiered reliability
  - Environmental considerations

Benefits: Implementing the data centre standards to the agreed tier will improve the uptime and availability of banks' data centres, which will in turn improve service availability and reduce the risk of down time.

Requirements for compliance: In order to be found compliant, an organization's data centre must meet the requirements for Tier 3 data centres as defined.

Process for compliance:
- Upgrade data centre to meet Tier 3 requirements.
- Notify the IT Standards Governance Council of compliance audit readiness
- Submit to compliance audit
- If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council

Scope: This standard shall be applicable to all banks and external (managed) service providers in the financial services industry. All data centre infrastructure and facilities for the Nigerian FS industry shall satisfy the requirement for tier three.

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council.

Key Elements of the Standards

Uptime Institute Tier Standard: The tier standard establishes four distinctive definitions of data centre site infrastructure Tier classifications (Tier I, Tier II, Tier III, Tier IV), and the performance confirmation tests for determining compliance with the definitions. The Tier classifications describe the site-level infrastructure topology required to sustain data centre operations, not the characteristics of individual systems or subsystems. The Tiers are as follows:

Tier I - Basic Site Infrastructure: A Tier I basic data centre has non-redundant capacity components and a single, non-redundant distribution path serving the computer equipment.

Tier II - Redundant Site Infrastructure Capacity Components: A Tier II data centre has redundant capacity components and a single, non-redundant distribution path serving the computer equipment.

Tier III - Concurrently Maintainable Site Infrastructure:
- A Concurrently Maintainable data centre has redundant capacity components and multiple independent distribution paths (power, cooling, network, etc.) serving the computer equipment. Only one distribution path is required to serve the computer equipment at any time (one active, one alternate).
- Each and every capacity component and element in the distribution paths can be removed from service on a planned basis without impacting any of the computer equipment.
- Tier III engine generator systems are considered the primary power source for the data centre. The local power utility is an economic alternative. Disruptions to the utility power are not considered a failure but rather an expected operational condition for which the site must be prepared.
- The engine generator system along with its power paths and other supporting elements (emergency power off, isolation valves, start system for engine generators, control system for mechanical plants etc.) must be concurrently maintainable.
- Annual maintenance shutdowns are not required and unplanned failures are reduced to 1.6 hours on an annual basis (99.98% availability).
- All IT equipment is dual powered as defined by the Institute's Fault Tolerant Power Compliance Specification, Version 2.0 and installed properly to be compatible with the topology of the site's architecture. Transfer devices, such as point-of-use switches, must be incorporated for computer equipment that does not meet this specification.

Tier IV - Fault Tolerant Site Infrastructure:
- A Fault Tolerant data centre has multiple, independent, physically isolated systems that provide redundant capacity components and multiple, independent, diverse, active distribution paths simultaneously serving the computer equipment. The redundant capacity components and diverse distribution paths shall be configured such that N capacity is providing power and cooling to the computer equipment after any infrastructure failure.
- All IT equipment is dual powered as defined by the Institute's Fault Tolerant Power Compliance Specification, Version 2.0 and installed properly to be compatible with the topology of the site's architecture. Transfer devices, such as point-of-use switches, must be incorporated for computer equipment that does not meet this specification.
- Complementary systems and distribution paths must be physically isolated from one another (compartmentalized) to prevent any single event from simultaneously impacting either systems or distribution paths.
- Continuous Cooling must be provided.

The Uptime Institute Tier Standard:

TIA 942: Intended for use by data centre designers early in the building development process, and covers the following:
- Site space and layout: Proper space allocation for a data centre starts with ensuring that space can be easily reallocated to changing environments and growth. Designers must strike a balance between acceptable initial deployment costs and anticipated space required in the future. The data centre should be designed with plenty of flexible "white space," empty space that can accommodate future racks or cabinets. The space surrounding the data centre must also be considered for future growth and planned for easy annexation. The standard also recommends specific functional areas, which helps to define equipment placement based on the standard hierarchical star topology design for regular commercial spaces. The TIA-942 specifies that a data centre should include the following key functional areas:
  - One or More Entrance Rooms
  - Main Distribution Area (MDA)
  - One or More Horizontal Distribution Areas (HDA)
  - Equipment Distribution Area (EDA)
  - Zone Distribution Area (ZDA)
  - Backbone and Horizontal Cabling
- Cabling infrastructure: the standard specifies a generic, permanent telecommunications cabling system and provides specifications for the following recognized cabling media:
  - Standard single mode fiber
  - 62.5 and 50μm multimode fiber
  - Laser-optimized 50μm multimode fiber
  - 75-ohm coaxial cable (recommended for E-1, E-3, and T-3 circuits)
  - 4-Pair Category 6 UTP and ScTP cabling
  For horizontal cabling, the TIA-942 standard recommends installing the highest capacity media available to reduce the need for re-cabling in the future.
- Tiered reliability: To provide a means for determining specific data centre needs, the TIA-942 standard includes information on data centre availability tiers. These tiers are based on the Uptime Institute.
- Environmental considerations: Environmental considerations within the TIA-942 include fire suppression, humidity levels, operating temperatures, architectural, electrical and mechanical system specifications. The requirement in respect of each environmental consideration is defined based on levels of reliability.

TIA 942 Standard for Data Centres:
2.5.3 Health, Safety and Environment

Purpose: Structured framework for ensuring a safe work environment.

Standard: BS OHSAS

Minimum Acceptable Maturity Level: Not Applicable

Description of Standards: BS OHSAS is a globally recognized framework for Occupational Health and Safety Management Systems (OHSMS).

Rationale for Selection:
- BS OHSAS: BS OHSAS is one of the most recognized frameworks for occupational health and safety management systems that allows an organization to proactively control health and safety risks and improve performance. It provides an assessment specification for Occupational Health and Safety Management Systems.

Benefits: While this is not an IT driven standard, occupational safety is critical and is a key metric globally used in the appraisal of service providers across industries.
- Demonstration to stakeholders of commitment to health and safety
- Potential reduction in the number of accidents leading to a reduction in downtime and associated costs
- Improved management of health and safety risks

Requirements for compliance: An organization must implement the necessary controls to meet the requirements of the OHSAS standard and be certified by accredited OHSAS auditors.

Process for compliance:
- Implement a Health and Safety Management System to meet the requirements of the OHSAS standard
- Submit to a compliance audit by OHSAS auditors.
- Provide a certificate of compliance to the IT Standards Governance Council as proof of compliance

Scope: This standard shall be applicable to all banks and external (managed) service providers in the financial services industry.

Exemption: An organization may seek exemption from compliance by formal application for exemption supported by clearly articulated business justification to the IT Standards Governance Council.

Key Elements of the Standards

OHSAS 18001:
- Occupational Health & Safety (OH&S) Policy: Creation of an OH&S policy
- Planning
  - Hazard identification, Risk Assessment and Determining Controls
  - Legal and Other Requirements: Procedure for describing how legal information is identified and accessed.
  - Objectives and Programs: Outlines the importance of a process to manage OH&S programs with objectives & targets which are consistent with the policy
- Implementation and Operation
  - Resources, Roles, Responsibility, Accountability and Authority: Top management needs to take ultimate responsibility for health and safety. This requirement defines relevant management, accountability, structure, roles, responsibilities, authorities and includes the appointment of an OH&S management representative
  - Competence, Training, and Awareness: Ensures that persons performing tasks are competent and trained to do them
  - Communication, Participation and Consultation: Outlines required procedures for internal & external communications.
  - Documentation: Occupational Health and Safety Management Systems (OHSMS) documentation requirements in electronic or paper form
  - Control of Documents: Explains the requirement to control documents so that current versions are distributed and available at points of use and obsolete versions are removed from the system.
  - Operational Control: Identifies critical functions associated with the identified hazards where controls are necessary.
  - Emergency Preparedness and Response: Process required for identifying & responding to emergencies.
- Checking and Corrective Action
  - Performance Measurement and Monitoring: Measures data for action and describes the plan to monitor and measure OH&S performance on a regular basis.
  - Evaluation of Compliance: Procedure(s) required for scheduled evaluations of compliance. The organization will need to keep records of these periodic evaluations.
  - Incident Investigation, Non-conformances, Corrective & Preventive Action: Procedures for investigating incidents and acting on health and safety non-conformances. Corrective and Preventive actions must be taken.
  - Control of Records: Records necessary to demonstrate conformity to the requirements of the OHSMS must be controlled
  - Internal Audit: Procedure to conduct the audits of the OHSMS at planned intervals to ensure that the system complies with planned arrangements.
- Management review: Top Management must review the OHSMS at planned intervals to ensure that the system continues to be suitable, adequate and effective.

Ref:
2.5.4 Business Continuity

Purpose: Framework to guide crisis management and ensure that critical services will always be available to customers and other stakeholders that must have access to those services

Standard:
- Business Continuity Institute (BCI) Good Practice Guidelines (GPG): a management guide to implementing global best practice in Business Continuity Management
- BS 25999: a Business Continuity Management standard that applies Business Continuity Planning to enterprises. BS is in 2 parts; BS and BS which has been superseded by ISO22301
- The ISO22301 will be adopted as a replacement to BS25999 during the next IT Standards review

Minimum Acceptable Maturity Level: Not Applicable

Rationale for Selection

BCI Good Practice Guidelines
The BCI GPG is a holistic set of guidelines developed by the Business Continuity Institute which specifies six Professional Practices that cover all six phases of a Business Continuity Management Lifecycle:
- Policy and Programme Management
- Embedding BCM in the Organization's Culture
- Understanding the Organization
- Determining BCM Strategies
- Developing and Implementing a BCM Response
- Exercising, Maintenance and Review of BCM

BS (ISO22301)
Guidance on activities and deliverables applicable in establishing a continuity management process, as well as providing recommended good practice steps. It consists of 2 parts which detail an auditable set of requirements:
- A Code of Practice which establishes processes, principles and terminology for Business Continuity Management
- A Specification which details requirements for implementing, operating and improving a documented Business Continuity Management System and describes requirements that can be objectively and independently audited.

The BCI GPG and the BS both provide guidelines for Business Continuity Management

Benefits
- Assurance of business resilience and the capability to effectively respond to crisis situations.
- Reduced exposure to risks by methodical risk identification
- Reduced downtime

Requirements for compliance
- BCI Good Practice Guidelines: In order to be compliant to the industry standard the guidelines of the BCI GPG must be implemented within the organization.
- BS (ISO22301): In order to be compliant, the organization must implement a BCM System based on the requirements of Specification Section (Part 2) of the standard

Process for compliance

BCI Good Practice Guidelines
- Implement the requirements of the BCI GPG and submit to a compliance audit
- If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council.

BS (ISO22301)
- Implement the controls specified in the specification section of the standard
- Request an assessment from an accredited BS (ISO22301) auditor
- Provide the results to the IT Standards Governance Council as proof of compliance

Scope: This standard shall be applicable to all banks and external (managed) service providers in the financial services industry. All organizations shall implement either the BCI GPG or the BS guidelines. BS (ISO22301) certification is mandatory for external (managed) service providers in the industry.

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council.

Key Elements of the Standards

BCI GPG: The Good Practice Guidelines specifies six Professional Practices which cover the six phases of BCM Lifecycle. These are grouped into 2 Management and 4 Technical Professional Practices

Management Professional Practices
- Policy and Programme Management: The BCM Policy of an organization provides the framework around which the BCM capability is designed and built. An effective BCM programme will involve the participation of various managerial, operational, administrative and technical disciplines that need to be coordinated throughout its life cycle
- Embedding BCM in the Organization's Culture: Developing a Business Continuity culture is vital to maintaining enthusiasm, readiness and effective response at all levels. It involves:
  - Assessing BCM Awareness and Training
  - Developing BCM within the Organization's Culture
  - Monitoring Cultural Change

Technical Professional Practices
- Understanding the Organization: understanding of the urgency with which activities and processes need to be resumed if they are disrupted and involves:
  - Business Impact Analysis
  - Risk Assessment
- Determining BCM Strategies: determining and selecting BCM Strategies to be used to maintain the organization's business activities and processes through an interruption. It includes:
  - Corporate Strategies
  - Activity Level Strategy
  - Resource Level Consolidation
- Developing and Implementing a BCM Response: this aims to identify in advance, as far as possible, the actions that are necessary and the resources which are needed to enable the organization to manage an interruption whatever its cause. It includes:
  - Incident Management Plan
  - Business Continuity Plan
  - Business Unit Plans
- Exercising, Maintenance and Review of BCM: A BCM capability cannot be considered reliable until it has been exercised, maintained and audited

Ref:

BS
BS establishes processes, principles and terminology for Business Continuity Management. It covers the following key areas:
- The Business Continuity Management Policy: Central to the implementation of business continuity is having a clear, unambiguous and appropriately resourced policy
- BCM Programme Management: Programme management is at the heart of the entire BCM process and the standard defines an approach
- Understanding the organization: In order to apply appropriate business continuity strategies and tactics the organization has to be fully understood, its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.
- Determining BCM Strategies: Once the organization is thoroughly understood the overall business continuity strategies can be defined that are appropriate.
- Developing and implementing a BCM response: The tactical means by which business continuity is delivered. These include incident management structures, incident management and business continuity plans.
- Exercising, maintenance, audit and self-assessment of the BCM culture: Without testing the BCM response an organization cannot be certain that they will meet their requirements. Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organization's goals.
- Embedding BCM into the organization's culture: Business continuity should not exist in a vacuum but become part of the way that the organization is managed

BS (ISO22301)
Part 2 of the standard is predicated on the established Plan-Do-Check-Act model of continuous improvement and covers the following:
- Planning the Business Continuity Management System (PLAN): The first step is to plan the BCMS, establishing and embedding it within the organization.
- Implementing and Operating the BCMS (DO): This focuses on the actual implementation of the plans. This section includes a number of topics in Part 1.
- Monitoring and Reviewing the BCMS (CHECK): To ensure that the BCMS is continually monitored the Check stage covers internal audit and management review of the BCMS.
- Maintaining and Improving the BCMS (ACT): To ensure that the BCMS is both maintained and improved on an ongoing basis this section looks at preventative and corrective action

Ref:
2.6 Information & Technology Security

Purpose: Framework for ensuring that critical information assets are protected from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Standard:
- ISO 27001/27002 is a globally recognized information security management standard
- Payment Card Industry Data Security Standard (PCI DSS) is a global standard for information security defined by the PCI Security Standards Council which applies to all organizations that have cardholder data traversing their networks

Acceptable Maturity Level: Not Applicable

Rationale for Selection

ISO 27001/27002
- ISO enables organizations to establish and maintain an information security management system (ISMS). It focuses on how to implement, monitor, maintain, and continually improve the Information Security Management System
- ISO provides established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. It contains guidance on implementation of individual security controls, which may be selected and applied as part of an ISMS

PCI DSS
This standard is applicable to organizations that store, process and/or transmit credit and debit card data and aims to prevent card related fraud through increased controls around data. PCI DSS requirements are similar to some of the ISO certification requirements.

Benefits
- Increased customer confidence through assurance of higher level of data security
- Increased protection against financial losses and remediation costs that arise from security breaches
Requirements for compliance
- PCI DSS: In order to be found compliant, the organization must implement the specified controls within the agreed timelines and be ascertained by a Qualified Security Assessor (QSA) to have met the requirements for compliance.
- ISO 27001: An organization must implement the necessary controls to meet the requirements of the standard and be certified by an accredited certification body as such.

Process for compliance

PCI DSS
- Implement required controls
- Engage a QSA to conduct a compliance audit
- Provide the results to the IT Standards Governance Council as proof of compliance

ISO
- Implement the requirements of the ISO standard
- Submit an application for assessment to an accredited certification body to conduct the compliance audit. This is in 2 stages:
  - A review of the required documentation
  - A compliance audit of the controls of the ISMS
- Provide the results to the IT Standards Governance Council as proof of compliance

Scope: This standard shall be applicable to all banks and external (managed) service providers in the industry. PCI DSS compliance is mandatory for all organizations that store, process or transmit credit and debit card data. ISO certification is not mandatory.

Exemption: An organization may seek exemption from compliance by formal application supported by clearly articulated business justification to the IT Standards Governance Council.
Key Elements of the Standards

PCI DSS: The PCI DSS standard specifies twelve requirements for compliance across six control objectives as follows:

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
- Maintain a policy that addresses information security

PCI DSS:

ISO / ISO is based on the Plan-Do-Check-Act model and defines a set of information security management requirements as follows:
- Establish an ISMS
- Implement, operate, and maintain the ISMS
- Monitor, measure, audit, and review the ISMS
- Continually improve the ISMS
ISO contains guidance on implementation of individual security controls, which may be selected and applied as part of an ISMS. Controls are grouped into the following categories:
- Risk Assessment and Treatment
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical Security
- Access Control
- Information Systems Acquisition, Development, Maintenance
- Information Security Incident management
- Business Continuity
- Compliance

ISO 27001:
2.7 Workforce & Resource Management

Purpose: Framework for defining ICT Skills required in an organization.

Standard: Skills Framework for the Information Age (SFIA)

Minimum Acceptable Maturity Level: Not Applicable

Description of Standards: The SFIA is a model widely adopted in the United Kingdom for describing and managing competencies for ICT professionals

Rationale for Selection

SFIA
SFIA provides a common reference model for the identification of the skills and competencies required by ICT professionals and maps out 101 identifiable skills, categorized into 6 main areas:
- Strategy and architecture
- Business change
- Solutions development and implementation
- Service management
- Procurement and management support
- Client interface

The standard is freely available for download and use

Benefits
- Improved deployment of IT skills within the organization
- Improved alignment of skills to functional roles resulting in effectiveness and greater staff retention
- Improved skills development and career path planning

Requirements for compliance: In order to be compliant to the industry standard the requirements of the SFIA framework must be implemented.

Process for compliance
- Implement the SFIA framework and submit to a compliance audit
- If all requirements are met, the organization will be deemed to have complied by the IT Standards Governance Council.
Scope: This standard shall be applicable to all banks and external (managed) service providers in the financial services industry.

Deviation from Use: An organization may seek exemption from compliance by formal application for exemption supported by clearly articulated business justification to the IT Standards Governance Council.

Key Elements of the Standards

SFIA: The standard specifies skills categories divided into six main areas with sub categories as follows:
- Strategy and planning
  - Information strategy
  - Advice and guidance
  - Business/IT strategy and planning
  - Technical strategy and planning
- Business change
  - Business change implementation
  - Business change management
  - Relationship management
- Solutions development and implementation
  - Systems development
  - Human factors
  - Installation and integration
- Service management
  - Service Strategy
  - Service Design
  - Service transition
  - Service Operation
- Procurement and management support
  - Supply management
  - Quality Management
  - Resource management
  - Learning and development
- Client interface
  - Sales and marketing
  - Client Support

In addition, seven levels of responsibility are also defined:
1. Follow: Basic capability to complete tasks under close supervision. Not expected to use much initiative. Should be organized, capable of learning and contribute to own development plan.
2. Assist: Uses some discretion and has a wider circle of interaction than level 1, especially in specialty. Works on a range of tasks, and proactively manages personal development.
3. Apply: Complete work packages with milestone reviews only. Escalates problems under own discretion. Works with suppliers and customers. May have some supervisory responsibility. Performs a broad range of tasks, takes initiative, and schedules own and others' work.
4. Enable: Works under general direction in a framework. Influence at account level, works on a broad range of complex activities. Good level of operational business skills.
5. Ensure and advise: Broad direction, supervisory, objective setting responsibility. Influences organization. Challenging and unpredictable work. Self-sufficient in business skills.
6. Initiate and influence: Authority for an area of work. Sets organizational objectives. Influences policy, significant part of organization, and customers and suppliers at a high level. Highly complex and strategic work. Initiates and leads technical and business change.
7. Set strategy, inspire, and mobilize: Authority includes setting policy. Makes decisions critical to organization, influences key suppliers and customers at top level. Leads on strategy. Full range of management and leadership skills.

Ref:
3 Re-prioritised Industry IT standards

3.1 Re-prioritised IT Standards

The IT standards are prioritized based on Effort (ease of implementation of a standard is a function of the efforts required to implement, the implementation costs as well as the duration and risks of implementation) and Benefits (the impact of implementation on the business and on the end user, the benefits derivable as well as the time it takes to begin deriving value from the implementation of the standard)

Figure 1 - IT Standards Prioritization

The IT standards areas prioritisation is as follows:

Priority 1 Standards:
- Service Management
- Interfaces
- IT Security
- Application Reporting

Priority 2 Standards
- IT Governance
- Strategic IT Alignment
- Project Management
- Workforce and Resource Management

Priority 3 Standards
- Data Centre
- Business Continuity Management
- Enterprise Architecture
- Health, Safety and Environment
- Application Development

The standards shall be implemented using a continuum approach such that initial implementations would target the agreed maturity level 3 and subsequently improved to include certifications and higher maturity levels.

[Figure 2 - IT Standards Implementation Roadmap. Chart labels: Priority 1: ITIL, ISO, ISO 8583, ISO, PCI-DSS, ISO, XBRL, XBRL Continuous Improvement. Priority 2 / Priority 3: PMBOK / PRINCE2 Level 3, COBIT, ISO, SFIA, PMBOK / PRINCE2 Level 5, SFIA Continuous Improvement, Data Centre Tier 3, Data Centre Tier 4, BCI Guidelines, ISO22301, BS25999, TOGAF Level 3, TOGAF Level 5, OHSAS, OHSAS Continuous Improvement, CMMI, ISO]

3.2 IT Standards Adoption Roadmap

A five year roadmap for banks to adopt the following standards at maturity level 3 is therefore proposed based on the priorities. It is recommended that compliance audits begin at the end of the prescribed periods.
[Figure 3 - Recommended Adoption Timeline. Column headings: Category, Standards. Labels: Information & Technology Security; Architecture & Information Management; PCI-DSS *; ISO /; XBRL; ISO 8583; TOGAF; Strategic IT Alignment & Governance; COBIT; Solutions Delivery; PMBOK / PRINCE2; Service Management & Operations; CMMI; ITIL; SFIA; DC Tier Standards (Target Maturity: Tier 3); BCI GPGs / BS25999 / ISO; OHSAS]
4 IT Standards Governance and Interaction Model

The purpose of the IT Standards Governance Model is to establish a framework which will facilitate the adoption of IT standards as well as management of the standards lifecycle within the Nigerian Banking Industry.

4.1 Guiding Principles and Policies

The following guiding policies have been defined for the administration of IT standards in the Nigerian Financial Services Industry:
1. Standards must be internationally acknowledged standards or a local variant
2. All Financial Services organizations and external IT service providers / operators shall be required to comply with IT standards
3. Governance Council to oversee IT standards adoption, implementation and management within the industry
4. Governance Council reports periodically to the Bankers Committee on status and compliance with approved standards
5. Membership of the IT Standards Governance Council includes nominees of Deposit Money Banks and the Central Bank of Nigeria
6. Independent assessment of Banks' internal processes and test controls will be the basis of determining compliance
7. Periodic audits will be carried out annually on Banks' processes and controls to ensure compliance.

4.2 IT Standards Governance Model and Processes

In order to embed the adopted IT Standards within the Nigerian Financial Services industry, it is expedient to develop a binding framework of processes and procedures that will guide the introduction of new standards, review or modification of existing ones, and complete withdrawal of obsolete or irrelevant standards, thereby maintaining relevance and ensuring continuity by both CBN and other stakeholders.

Establishing and documenting pre-defined roles and responsibility matrices extend the clarity of governance model organization charts by providing more precision in the allocation of decisions to and by authorized personnel

This section details the governance model and processes for the Financial Services Industry and IT Standards Council. The IT Standards Governance Council will be supported by (2) working committees namely:
- Compliance Management Committee
- Standards Review Committee

The IT Standards Governance Council is depicted in the picture below:

Figure 4 - IT Standards Governance Structure

Roles and Responsibilities

Designation: IT Standards Governance Council
Roles and Responsibilities:
- Promote Industry IT Standards.
- Set strategic direction with respect to Standards within the Industry.
- Determine the IT Standards to be implemented across the Industry including maturity levels
- Review and update of Industry IT Standards
- Communicate changes required for compliance to banks when there is a refresh on an already existing standard

Designation: Compliance Management Committee
Roles and Responsibilities:
- Notify banks of planned audit assessment / communicate audit schedules
- Engage qualified auditors to carry out compliance audits
- Conduct the audit and assess controls, systems and processes
- Set and agree frequency of audits with industry stakeholders
- Report defaulters to the Council for appropriate decisions

Designation: Standards Review Committee
Roles and Responsibilities:
- Maturity assessment of the banking Industry to determine current status/rating of banks with respect to defined IT industry standards.
- Review global trends in IT standards within the FS industry and identify gaps with local industry
- Recommend updates, changes to IT standards to the Council

Governance Structure: IT Standards Council

The IT Standards Council will be responsible for providing governance and driving adoption of IT Standards across the industry. The key functions of the Council are to:
- Promote IT Standards for Nigeria's Financial Services Industry.
- Set strategic direction on IT Standards for the Industry.
- Determine the IT Standards to be implemented across the Industry.
- Review and update of Industry IT Standards.
- Monitor compliance to IT Standards and determine action(s)/ response for deviations.

Core Skills & Knowledge

Selected Banks will nominate suitably experienced representatives to sit on the Council (and the subcommittees) on their behalf for a term of 2 years which can be renewed. The experienced Bank nominee must meet the following requirements to be nominated to the Council:
- Minimum of ten (10) years experience in Information Technology (IT),
- Good knowledge of the Financial Services industry, IT Standards and compliance implications.

[Figure 5 - IT Standards Council Organization Structure. Chart labels: Bankers Committee Sub-Committee on Shared Services; IT Standards Council]

Governance Structure: Compliance Management Committee

The Compliance Management Committee of the IT Standards Council will be responsible for:
- Facilitating assessment of controls, systems and processes at Banks / industry Service Providers
- Managing non-compliance to IT standards implementation

The functions of the Compliance Management Committee are to:
- Conduct compliance monitoring
- Set and agree frequency of audits with industry stakeholders
- Engage qualified assessors to carry out compliance audits
- Notify Banks of planned audit assessment / communicate audit schedules
- Conduct the audit and assess controls, systems and processes
- Compare maturity of standards adoption with approved maturity level
- Document audit reports
- Gently persuade defaulting institutions to comply with the identified IT Standard(s)
- Escalate and report defaulters to the Bankers Committee Subcommittee on Shared Services
- Ensure penalties are fulfilled by defaulters

[Figure 6 - Compliance Management Committee Organization Structure. Chart labels: IT Standards Council; Compliance Management Committee; Standards Review Committee]

Governance Structure: Standards Review Committee

The Standards Review Committee will be responsible for managing the process of transiting from an older version of a standard to the latest one. The functions of the Standards Review Committee are to:
- Identify and document differences between new and previous version of IT standards
- Trigger the Compliance Management Process to validate compliance status of Banks
- Define relevant standards
- Change standards as deemed appropriate
- Select and modify IT standards and maturity levels

[Figure 7 - Standards Review Committee Governance Structure. Chart labels: IT Standards Council; Compliance Management Committee; Standards Review Committee]
4.3 IT Standards Compliance Framework

The following high-level process framework has been defined to guide the activities of the Council:

Figure 8 - IT Standards Compliance Framework

The following sub-sections detail the processes involved in the framework defined above and the responsible parties required for execution.

Define/ Change Standard:
Figure 9 - Define/ Change Sub-framework

Monitor Compliance/ Measure Maturity:
Figure 10 - Monitor Compliance/ Measure Maturity Sub-framework

Documentation of Management Reports:
Figure 11 - Documentation/ Management Reporting Sub-framework

Coax/Report Defaulting Banks/ Enforce Compliance:
Figure 12 - Enforce Compliance Sub-framework
4.4 Stakeholders Interaction/ Communication framework

Based on the processes defined earlier an interaction model for the different stakeholders is shown below.

Figure 13 - IT Standards Stakeholders' Interaction Framework

- The IT Standards Council administers the adoption and implementation of IT standards in Nigerian Banks through formal communication on changes to IT Standards and results of compliance audit on Banks
- The Standards Review Committee will engage the Banks to review the current position assessment and maturity level of IT Standards and will provide feedback on the state of the industry to the Council as part of the annual IT Standards reviews
- Compliance Monitoring Committee will assess the compliance of the Banks to the implemented standards, identify the defaulting Banks, document compliance to the standards and report status to the IT Standards Council. The Council will notify defaulters about their status and persuade them to comply
- Independent Assessors will be engaged to assess processes, systems and controls at all Banks. When scheduled audits have been concluded, Independent Assessors will submit audit reports to the IT Standards Council through the Standards Audit Committee
- Independent IT Standards Consultants will also be engaged to provide external reviews of IT Standards. When Standards Reviews have been concluded, Independent Consultants will submit their report and recommendations to the IT Standards Council through the Standards Review Committee
- Banks will present themselves to the Independent Assessors/ consultants and also provide requisite documentations to the Standards Review Committee or Compliance Monitoring Committee as required.
5 Frequently Asked Questions (FAQ)

The table below is an excerpt of some of the frequently asked questions on IT Standards and the responses to them. Each numbered entry gives the feedback from the Banks followed by the response.

1. Will CBN certify Banks that are compliant with respect to the IT Standards?
   Response: The Council will not certify banks. Certification will be left for the Certificate Authorities

2. Who will determine the acceptability of local variations of standards and how would this be achieved?
   Response: Standards Review Committee is responsible for the review and evaluation of IT Standards on an annual basis to determine their continued relevance to the local industry. Where these standards are found to require a local context, this will be recommended to the IT Standards Council after a thorough review by the committee.

3. Will Implementation Guidelines suffice (in the interim) for Banks towards full compliance?
   Response: Implementation guidelines from certification authorities will suffice. However, a minimum of maturity 3 is required for all FS Organisations.

4. Can a phased maturity plan be adopted by Banks to attain maturity level 3?
   Response: Phased maturity plans can be adopted by Banks. However, Banks will be expected to meet the minimum acceptable maturity level on or before the deadline for such standards.

5. How many Standards per capability area are required by the Banks to implement?
   Response: Banks are required to implement only one standard per area of IT concern. Banks that want to implement more than one standard are welcomed.

6. Who would be responsible for ensuring compliance for services/ IT Standards provided by the Service provider?
   Response: All organisations that would be responsible for providing services to the industry will be subject to the industry IT standards. However, the existence of service providers does not preclude Banks from implementing the IT standards.

7. Can the Banks extend the scope of new and already implemented standards?
   Response: Banks can extend the current standards as long as the minimum features / requirements of the standards defined for the Industry are met

8. Are Banks with foreign affiliation required to adopt these IT Standards?
   Response: Yes. Standards defined for the local industry are expected to be adopted by every Bank irrespective of affiliation or parentage.

9. Will self-audit/assessment by a Bank's internal compliance audit be sufficient?
   Response: Internal audits / checks may be performed to ensure Bank's own compliance. However only reports from the Compliance Management Committee and Independent Assessors will be used for compliance purposes by the IT Standards Council.

10. Will there be exemptions for some Banks with regards to adopted IT Standards?
    Response: There will be no exemptions. All banks will be required to implement all agreed IT standards

11. Will partial implementation of standards such as CMMI be accepted?
    Response: No. Banks are at liberty to determine how they approach standards implementation. However, the minimum features/ requirements of the standards defined for the Industry as well as maturity level must be met.

12. How would new, excluded or obsolete IT Standards e.g. risk management, PA-DSS etc. be reviewed?
    Response: All new/ additional standards will be reviewed during the annual IT standards review and recommendations made to the IT standards Council

13. Will the implementation of IFRS taxonomy as part of the mandatory migration to IFRS based reporting suffice for XBRL compliance?
    Response: For financial reporting, implementation of the IFRS taxonomy suffices for XBRL compliance. However, it does not cater to other forms of business information reporting
Change Management Process
Change Management Prcess B1.10 Change Management Prcess 1. Intrductin This plicy utlines [Yur Cmpany] s apprach t managing change within the rganisatin. All changes in strategy, activities and prcesses
CDC UNIFIED PROCESS PRACTICES GUIDE
Dcument Purpse The purpse f this dcument is t prvide guidance n the practice f Risk Management and t describe the practice verview, requirements, best practices, activities, and key terms related t these
CMS Eligibility Requirements Checklist for MSSP ACO Participation
ATTACHMENT 1 CMS Eligibility Requirements Checklist fr MSSP ACO Participatin 1. General Eligibility Requirements ACO participants wrk tgether t manage and crdinate care fr Medicare fee-fr-service beneficiaries.
Sources of Federal Government and Employee Information
Inf Surce Surces f Federal Gvernment and Emplyee Infrmatin Ridley Terminals Inc. TABLE OF CONTENTS General Infrmatin Intrductin t Inf Surce Backgrund Respnsibilities Institutinal Functins, Prgram and Activities
POSITION DESCRIPTION. Classification Higher Education Worker, Level 7. Responsible to. I.T Manager. The Position
Psitin Title I.T Prject Officer Classificatin Higher Educatin Wrker, Level 7 Respnsible t The Psitin I.T Manager The psitin assists with the cmpletin f varius IT prjects intended t enable the nging administratin
OFFICIAL JOB SPECIFICATION. Network Services Analyst. Network Services Team Manager
JOB SPECIFICATION FUNCTION JOB TITLE REPORTING TO GRADE WORK PATTERN LOCATION IT & Digital Netwrk Services Analyst Netwrk Services Team Manager Band D Full-time Birmingham TRAVEL REQUIRED Occasinally ROLE
Human Resources Policy pol-020
Human Resurces Plicy pl-020 Versin: 2.00 Last amendment: Jul 2014 Next Review: Jul 2017 Apprved By: Cuncil Date: 04 May 2005 Cntact Officer: Directr, Office f Human Resurce Services INTRODUCTION The University
Process Improvement Center of Excellence Service Proposal Recommendation. Operational Oversight Committee Report Submission
Prcess Imprvement Center f Excellence Service Prpsal Recmmendatin Operatinal Oversight Cmmittee Reprt Submissin INTRODUCTION This Prpsal prvides initial infrmatin regarding a pssible additin t a service.
This report provides Members with an update on of the financial performance of the Corporation s managed IS service contract with Agilisys Ltd.
Cmmittee: Date(s): Infrmatin Systems Sub Cmmittee 11 th March 2015 Subject: Agilisys Managed Service Financial Reprt Reprt f: Chamberlain Summary Public Fr Infrmatin This reprt prvides Members with an
INFRASTRUCTURE TECHNICAL LEAD
1. PURPOSE OF POSITION This psitin is respnsible fr the delivery f peratinal supprt and maintenance f the TDHB IT infrastructure envirnment. This rle is als pivtal in the develpment and delivery f infrastructure
Business Continuity Management Systems Foundation Training Course
Certificatin criteria fr Business Cntinuity Management Systems Fundatin Training Curse CONTENTS 1. INTRODUCTION 2. LEARNING OBJECTIVES 3. ENABLING OBJECTIVES KNOWLEDGE & SKILLS 4. TRAINING METHODS 5. COURSE
Implementing an electronic document and records management system using SharePoint 7
Reprt title Agenda item Implementing an electrnic dcument and recrds management system using SharePint 7 Meeting Finance, Prcurement & Prperty Cmmittee 16 June 2008 Date Reprt by Dcument Number Head f
IT CHANGE MANAGEMENT POLICY
IT CHANGE MANAGEMENT POLICY Effective Date May 19, 2016 Crss-Reference 1. IT Operatins and Maintenance Plicy 2. IT Security Incident Management Plicy Respnsibility Apprver Review Schedule 1. Plicy Statement
Service Level Agreement (SLA) Hosted Products. Netop Business Solutions A/S
Service Level Agreement (SLA) Hsted Prducts Netp Business Slutins A/S Cntents 1 Service Level Agreement... 3 2 Supprt Services... 3 3 Incident Management... 3 3.1 Requesting service r submitting incidents...
Applying Governance to Data Center Migration Projects
MultiTek LLC A Prfessinal Data Center Relcatin Cmpany Applying Gvernance t Data Center Migratin Prjects White Paper Written by: Bb Fitch, PMP, Engagement Manager July 2014 Table f Cntents Cntents IT Gvernance...3
POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014
State f Michigan POLICY 1390 Infrmatin Technlgy Cntinuity f Business Planning Issued: June 4, 2009 Revised: June 12, 2014 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY: Plicy fr Infrmatin Technlgy (IT)
Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd
Audit Cmmittee Charter St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Versin 2.0, 22 February 2016 Apprver Bard f Directrs St Andrew
Job Profile Data & Reporting Analyst (Grant Fund)
Jb Prfile Data & Reprting Analyst (Grant Fund) Directrate Lcatin Reprts t Hurs Finance Slihull Finance Directr Nminally 37 hurs but peratinally available at all times t meet Cmpany requirements Cntract
Build the cloud OpenStack Installation & Configuration Integration with existing tools and processes Cloud Migration
Slutin Brief OpenStack Services OVERVIEW OnX understands clud adptin challenges f glbal enterprise cmpanies and helps Enterprises adpt OpenStack slutins thrugh targeted services. We ffer vertical industry
UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES
UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES REFERENCES AND RELATED POLICIES A. UC PPSM 2 -Definitin f Terms B. UC PPSM 12 -Nndiscriminatin in Emplyment C. UC PPSM 14 -Affirmative
AUDIT AND RISK COMMITTEE TERMS OF REFERENCE
AUDIT AND RISK COMMITTEE TERMS OF REFERENCE 1. TITLE OF COMMITTEE Audit and Risk Cmmittee 2. ESTABLISHMENT The Audit and Risk Cmmittee is established under Part 3 Sectin 19(1) f the Charles Darwin University
Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply
Sectin 1 General Infrmatin RFR Number: (Reference BPO Number) Functinal Area (Enter One Only) F50B3400026 7 Infrmatin System Security Labr Categry A single supprt resurce may be engaged fr a perid nt t
MANITOBA SECURITIES COMMISSION STRATEGIC PLAN 2013-2016
MANITOBA SECURITIES COMMISSION STRATEGIC PLAN 2013-2016 The Manitba Securities Cmmissin (the Cmmissin) is a divisin f the Manitba Financial Services Agency (MFSA). The ther divisin is the Financial Institutins
Systems Support - Extended
1 General Overview This is a Service Level Agreement ( SLA ) between and the Enterprise Windws Services t dcument: The technlgy services the Enterprise Windws Services prvides t the custmer. The targets
GIS Service Provider. GIS Service Management
GIS Service Prvider GIS Service Management Overview What is ITIL? Brief Ottawa GIS Backgrund Prject Request The basis f ur existence in GIS, a need fr GIS service. Where d they cme frm? Service Strategy
OE PROJECT MANAGEMENT GLOSSARY
OE PROJECT MANAGEMENT GLOSSARY ACCEPTANCE CRITERIA : thse criteria, including perfrmance requirements and essential cnditins that must be met befre the prject deliverables are accepted. ACTIVITY: an actin
Change Management Process For [Project Name]
Management Prcess Fr [Prject Name] i 1 Intrductin The is fllwed during the Executin phase f the Prject Management Life Cycle, nce the prject has been frmally defined and planned. 1.1 What is a Management
Guidelines on Data Management in Horizon 2020
Guidelines n Data Management in Hrizn 2020 Versin 1.0 11 December 2013 Guidelines n Data Management in Hrizn 2020 Versin 16 December 2013 Intrductin In Hrizn 2020 a limited pilt actin n pen access t research
Better Practice Guide Financial Considerations for Government use of Cloud Computing
Better Practice Guide Financial Cnsideratins fr Gvernment use f Clud Cmputing Nvember 2011 Intrductin Many Australian Gvernment agencies are in the prcess f cnsidering the adptin f clud-based slutins.
Gravesham Borough Council
Classificatin: Part 1 Public Key Decisin: Please specify - N Gravesham Brugh Cuncil Reprt t: Perfrmance and Administratin Cmmittee Date: 12 Nvember 2015 Reprting fficer: Subject: Crprate Perfrmance Manager
Succession Planning & Leadership Development: Your Utility s Bridge to the Future
Successin Planning & Leadership Develpment: Yur Utility s Bridge t the Future Richard L. Gerstberger, P.E. TAP Resurce Develpment Grup, Inc. 4625 West 32 nd Ave Denver, CO 80212 ABSTRACT A few years ag,
CDC UNIFIED PROCESS PRACTICES GUIDE
Dcument Purpse The purpse f this dcument is t prvide guidance n the practice f Business Case and t describe the practice verview, requirements, best practices, activities, and key terms related t these
Incident Management-Roles and Responsibilities
Enterprise Services Incident Management- Rles and Respnsibilities Fr Key Stakehlders Table f Cntents 1. Intrductin:... 2 2. Objective:... 2 3. In Scpe:... 2 4. Out f Scpe:... 3 5. Incident Management is
The Whole of Government Approach: Models and Tools for EGOV Strategy & Alignment
The Whle f Gvernment Apprach: Mdels and Tls fr EGOV & Alignment Adegbyega Oj (in cllabratin with T. Janwski and E. Estevez) United Natins University [email protected] OVERVIEW 1. THE WG APPROACH 2. APPLICATION
How To Write An Ehsms Training, Awareness And Competency Procedure
Envirnmental, Health & Safety Management System (EHSMS) Dcument Number: 00122 Issue Date: 05/07/2014 Training, Awareness and Cmpetency Prcedure Revisin Number: 7 Prepared By: Stalcup, Bryce Apprved By:
E-Business Strategies For a Cmpany s Bard
DATATEC LIMITED BOARD CHARTER / TERMS OF REFERENCE 1. CONSTITUTION The primary bjective f the Cmpany s Bard Charter is t set ut the rle and respnsibilities f the Bard f Directrs ( the Bard ) as well as
What is Software Risk Management? (And why should I care?)
What is Sftware Risk Management? (And why shuld I care?) Peter Kulik, KLCI, Inc. 1 st Editin, Octber 1996 Risks are schedule delays and cst verruns waiting t happen. As industry practices have imprved,
The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future
The Imprtance Advanced Data Cllectin System Maintenance Berry Drijsen Glbal Service Business Manager WHITE PAPER knwledge t shape yur future The Imprtance Advanced Data Cllectin System Maintenance Cntents
Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1
Imprved Data Center Pwer Cnsumptin and Streamlining Management in Windws Server 2008 R2 with SP1 Disclaimer The infrmatin cntained in this dcument represents the current view f Micrsft Crpratin n the issues
Business Intelligence and DataWarehouse workshop
Business Intelligence and DataWarehuse wrkshp Benefits: Enables the Final year BE student/ Junir IT prfessinals t get a perfect blend f thery and practice n Business Intelligence and Data warehuse s as
Research Report. Abstract: The Emerging Intersection Between Big Data and Security Analytics. November 2012
Research Reprt Abstract: The Emerging Intersectin Between Big Data and Security Analytics By Jn Oltsik, Senir Principal Analyst With Jennifer Gahm Nvember 2012 2012 by The Enterprise Strategy Grup, Inc.
A project manager may choose to use a combination or hybrid of agile and waterfall processes on a project. Here, we describe only the agile process.
Intrductin Agile Prcess Jbaid The IT Prject Management Office designed the Agile prcesses t prvide the prject team the flexibility t tailr / adjust the prcess t supprt the needs and cmplexity f the prject.
Duration of job. Context and environment: (e.g. dept description, region description, organogram)
Rle Prfile Jb Descriptin Jb Title Ref n: Prgramme Manager, Services fr Internatinal Educatin Marketing Directrate r Regin East Asia Department/Cuntry Indnesia Lcatin f pst Jakarta Pay Band G Reprts t Senir
Basics of Supply Chain Management
The Champlain Valley APICS Chapter is a premier prfessinal assciatin fr supply chain and peratins management and wrking tgether with the APICS rganizatin the leading prvider f research, educatin and certificatin
ITIL V3 Service Offerings and Agreements (SOA) Certification Program - 5 Days
ITIL V3 Service Offerings and Agreements (SOA) Certificatin Prgram - 5 Days Prgram Overview The ITIL Intermediate Qualificatin: Service Offerings and Agreements (SOA) Certificate, althugh a stand alne
BRISTOL CITY COUNCIL ROLE AND EMPLOYEE PROFILE: Architect (Practitioner Level) Specific Role Data Architect
BRISTOL CITY COUNCIL ROLE AND EMPLOYEE PROFILE: Architect (Practitiner Level) Specific Rle Data Architect Grade Directrate Managed by BG13 (TBC) Business Change Senir Infrmatin Systems & Technlgy Architect
ITIL Foundation Certification Course v3 Information Technology Service Management (MIE-ITIL-FDN, 3 days)
ITIL Fundatin Certificatin Curse v3 Infrmatin Technlgy Service Management Curse Overview The purpse f the ITIL Fundatin certificate in IT Service Management is t certify that the candidate has gained knwledge
SECTION J QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
Audit Manual Sectin J SECTION J QUALITY ASSURANCE AND IMPROVEMENT PROGRAM Ref. Plicy and Practice Requirements IIA Standards and Other references J 1 Plicy: The Head f Internal Audit shall develp and maintain
Revised October 27, 2011 Page 1 of 6
Keystne STARS Accreditatin Applicatin Philsphy The Keystne STARS prgram is Pennsylvania s QRIS which began in 2002. There are fur quality levels frm STAR 1 t STAR 4, each level building n the prir levels;
Chief Finance and Operations Officer IfM Education and Consultancy Services (IfM ECS)
Chief Finance and Operatins Officer IfM Educatin and Cnsultancy Services (IfM ECS) Rle Summary IfM ECS disseminates the research and educatin utputs f the University f Cambridge Institute fr Manufacturing
Projects Director Report Guidelines. IPMA Level A
Prjects Directr Reprt Guidelines IPMA Level A Cntents 1. GENERAL PROVISIONS.. 2 2. PROJECT PORTFOLIO / PROGRAMME DESCRIPTION...2 3. PROJECTS DIRECTOR REPORT 5 4. ANNEXES..7 Authr Classificatin Status Electrnic
Chapter 7 Business Continuity and Risk Management
Chapter 7 Business Cntinuity and Risk Management Sectin 01 Business Cntinuity Management 070101 Initiating the Business Cntinuity Plan (BCP) Purpse: T establish the apprpriate level f business cntinuity
Document Control Information
Dcument Cntrl Infrmatin Dcument Details Dcument Name Purpse f Dcument Dcument Versin Number 5.2 Dcument Status Dcument Owner Prepared By The ITIL Managing acrss the Lifecycle Certificate Syllabus v5.2
Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013
Versin: Mdified By: Date: Apprved By: Date: 1.0 Michael Hawkins Octber 29, 2013 Dan Bwden Nvember 2013 Rule 4-004J Payment Card Industry (PCI) Patch Management (prpsed) 01.1 Purpse The purpse f the Patch
Business Continuity Management Policy
Business Cntinuity Management Plicy Versin: 1.0 Last Amendment: Apprved by: Library Cuncil f New Suth Wales Plicy wner/spnsr: Directr, Operatins and Chief Financial Officer Plicy Cntact Officer: Senir
Corporate Standards for data quality and the collation of data for external presentation
The University f Kent Crprate Standards fr data quality and the cllatin f data fr external presentatin This paper intrduces a set f standards with the aim f safeguarding the University s psitin in published
SERVICE DESK TEAM LEADER
1. PURPOSE OF POSITION The Service Desk Team Leader rle is respnsible fr managing the peratin f the Service Desk. This rle is crucial t ensuring custmer requirements are met in terms f cmmunicatin, priritising,
CHANGE MANAGEMENT STANDARD
The electrnic versin is current, r when printed and stamped with the green cntrlled dcument stamp. All ther cpies are uncntrlled. DOCUMENT INFORMATION Descriptin Dcument Owner This standard utlines the
The actions discussed below in this Appendix assume that the firm has already taken three foundation steps:
MAKING YOUR MARK 6.1 Gd Practice This sectin presents an example f gd practice fr firms executing plans t enter the resurces sectr supply chain fr the first time, r fr thse firms already in the supply
TOWARDS OF AN INFORMATION SERVICE TO EDUCATIONAL LEADERSHIPS: BUSINESS INTELLIGENCE AS ANALYTICAL ENGINE OF SERVICE
TOWARDS OF AN INFORMATION SERVICE TO EDUCATIONAL LEADERSHIPS: BUSINESS INTELLIGENCE AS ANALYTICAL ENGINE OF SERVICE A N D R E I A F E R R E I R A, A N T Ó N I O C A S T R O, D E L F I N A S Á S O A R E
Information Technology Services. University of Maine System. Version 0.07. December 20, 2012
IT PROJECT MANAGEMENT OFFICE (PMO) CHARTER Infrmatin Technlgy Services University f Maine System Versin 0.07 December 20, 2012 Prepared by: Rbin Sherman Authrized by: [1] Table f Cntents EXECUTIVE SUMMARY...
NSW Government. Software Asset Management Standard. Version 1.0. October 2014
NSW Gvernment Sftware Asset Management Standard Versin 1.0 Octber 2014 [email protected] ICT Services Office f Finance & Services Level 23, McKell Building 2-24 Rawsn Place SYDNEY NSW 2000 Sftware
CCHIIM ICD-10 Continuing Education Requirements for AHIMA Certified Professionals (& Frequently Asked Questions for Recertification)
CCHIIM ICD-10 Cntinuing Educatin Requirements fr AHIMA Certified Prfessinals (& Frequently Asked Questins fr Recertificatin) The transitin t ICD-10-CM and ICD-10-PCS is anticipated t imprve the capture
Business Intelligence represents a fundamental shift in the purpose, objective and use of information
Overview f BI and rle f DW in BI Business Intelligence & Why is it ppular? Business Intelligence Steps Business Intelligence Cycle Example Scenaris State f Business Intelligence Business Intelligence Tls
Information Services Hosting Arrangements
Infrmatin Services Hsting Arrangements Purpse The purpse f this service is t prvide secure, supprted, and reasnably accessible cmputing envirnments fr departments at DePaul that are in need f server-based
VCU Payment Card Policy
VCU Payment Card Plicy Plicy Type: Administrative Respnsible Office: Treasury Services Initial Plicy Apprved: 12/05/2013 Current Revisin Apprved: 12/05/2013 Plicy Statement and Purpse The purpse f this
Delivering Business Value Through IT Cost Transparency Using IT CMF
Office f the CIO Delivering Business Value Thrugh IT Cst Transparency Using IT CMF Sharad Jshi Vice President, IT Business Management March 24 th, 2015 Abut the Depsitry Trust and Clearing Crpratin (DTCC)
Communal Property Institution Capacity Assessment Tool
Cmmunal Prperty Institutin Capacity Assessment Tl Intrductin t cmmunal prperty institutins Cmmunal prperty institutins (CPIs) Participants in the land refrm prgramme can hld prperty thrugh different frms
Data Abstraction Best Practices with Cisco Data Virtualization
White Paper Data Abstractin Best Practices with Cisc Data Virtualizatin Executive Summary Enterprises are seeking ways t imprve their verall prfitability, cut csts, and reduce risk by prviding better access
