Bank of Mauritius Guideline on Cyber and Technology Risk Management
A comprehensive technology risk management guideline that applies to all banks and non-bank deposit-taking institutions licensed by the Bank of Mauritius. It is organised in five parts (governance; identification; protection; detection; response and recovery) across 26 sections, covering board oversight, the CISO role, technology strategy, the risk management framework, control functions, network and infrastructure security, logical security, encryption, physical security, change management, technology refresh, people, third-party management, data hosting, secure coding, threat intelligence, monitoring, vulnerability testing, incident management, BCP/DRP, and technology audit. The guideline is structured around the NIST CSF five-function model.

NIST SP 800-53 control families mapped below, with the number of controls cross-referenced in each family (the right-hand column of each table lists the BoM CTRM guideline section numbers the control maps to): AC (17), AT (6), AU (13), CA (8), CM (12), CP (12), IA (12), IR (9), MP (1), PE (17), PL (6), PM (17), PS (9), PT (4), RA (10), SA (13), SC (20), SI (6), SR (6)
AC Access Control
| Control | Name | BoM CTRM References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 3.3 |
| AC-02 | Account Management | 3.3 |
| AC-03 | Access Enforcement | 3.3 |
| AC-04 | Information Flow Enforcement | 3.10, 3.2 |
| AC-05 | Separation Of Duties | 3.3 |
| AC-06 | Least Privilege | 3.3 |
| AC-07 | Unsuccessful Login Attempts | 3.3 |
| AC-08 | System Use Notification | 3.3 |
| AC-09 | Previous Logon Notification | 3.3 |
| AC-10 | Concurrent Session Control | 3.3 |
| AC-11 | Session Lock | 3.3 |
| AC-12 | Session Termination | 3.3 |
| AC-17 | Remote Access | 3.13, 3.2 |
| AC-18 | Wireless Access Restrictions | 3.2 |
| AC-19 | Access Control For Portable And Mobile Devices | 3.12 |
| AC-20 | Use Of External Information Systems | 3.2 |
| AC-24 | Access Control Decisions | 3.3 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | BoM CTRM References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 1.5, 5.4 |
| AU-02 | Auditable Events | 3.13, 4.2 |
| AU-03 | Content Of Audit Records | 3.13, 4.2 |
| AU-04 | Audit Storage Capacity | 4.2 |
| AU-05 | Response To Audit Processing Failures | 4.2 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 1.5, 4.2, 5.1 |
| AU-07 | Audit Reduction And Report Generation | 4.2 |
| AU-08 | Time Stamps | 4.2 |
| AU-09 | Protection Of Audit Information | 4.2 |
| AU-10 | Non-Repudiation | 4.2 |
| AU-12 | Audit Record Generation | 4.2 |
| AU-13 | Monitoring for Information Disclosure | 4.2 |
| AU-14 | Session Audit | 4.2 |
CA Security Assessment and Authorization
| Control | Name | BoM CTRM References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | 1.5, 5.4 |
| CA-02 | Security Assessments | 1.5, 3.1, 4.3, 5.4 |
| CA-03 | Information System Connections | 3.9 |
| CA-05 | Plan Of Action And Milestones | 1.4, 4.3 |
| CA-06 | Security Accreditation | 1.5, 5.4 |
| CA-07 | Continuous Monitoring | 1.5, 3.1, 4.2, 5.3, 5.4 |
| CA-08 | Penetration Testing | 4.3 |
| CA-09 | Internal System Connections | 1.5, 5.4 |
CM Configuration Management
| Control | Name | BoM CTRM References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | 3.1 |
| CM-02 | Baseline Configuration | 3.1, 3.2 |
| CM-03 | Configuration Change Control | 3.6 |
| CM-04 | Monitoring Configuration Changes | 3.6 |
| CM-05 | Access Restrictions For Change | 3.6 |
| CM-06 | Configuration Settings | 3.1, 3.2 |
| CM-07 | Least Functionality | 3.12, 3.2 |
| CM-08 | Information System Component Inventory | 2.1, 3.2, 3.7 |
| CM-09 | Configuration Management Plan | 3.6 |
| CM-11 | User-Installed Software | 3.12, 3.6 |
| CM-12 | Information Location | 2.1 |
| CM-14 | Signed Components | 3.11, 3.6 |
CP Contingency Planning
| Control | Name | BoM CTRM References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 5.2 |
| CP-02 | Contingency Plan | 5.2 |
| CP-03 | Contingency Training | 5.2 |
| CP-04 | Contingency Plan Testing And Exercises | 5.2 |
| CP-06 | Alternate Storage Site | 5.2 |
| CP-07 | Alternate Processing Site | 5.2 |
| CP-08 | Telecommunications Services | 5.2 |
| CP-09 | Information System Backup | 5.2 |
| CP-10 | Information System Recovery And Reconstitution | 5.2 |
| CP-11 | Alternate Communications Protocols | 5.2 |
| CP-12 | Safe Mode | 5.2 |
| CP-13 | Alternative Security Mechanisms | 5.2 |
IA Identification and Authentication
| Control | Name | BoM CTRM References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | 3.3 |
| IA-02 | User Identification And Authentication | 3.13, 3.3 |
| IA-03 | Device Identification And Authentication | 3.3 |
| IA-04 | Identifier Management | 3.3 |
| IA-05 | Authenticator Management | 3.3 |
| IA-06 | Authenticator Feedback | 3.3 |
| IA-07 | Cryptographic Module Authentication | 3.3 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | 3.13, 3.3 |
| IA-09 | Service Identification and Authentication | 3.3 |
| IA-10 | Adaptive Authentication | 3.3 |
| IA-11 | Re-authentication | 3.3 |
| IA-12 | Identity Proofing | 3.3 |
IR Incident Response
| Control | Name | BoM CTRM References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | 5.1 |
| IR-02 | Incident Response Training | 5.1 |
| IR-03 | Incident Response Testing And Exercises | 5.1 |
| IR-04 | Incident Handling | 4.2, 5.1 |
| IR-05 | Incident Monitoring | 5.1, 5.3 |
| IR-06 | Incident Reporting | 5.1 |
| IR-07 | Incident Response Assistance | 5.1 |
| IR-08 | Incident Response Plan | 5.1 |
| IR-09 | Information Spillage Response | 5.1 |
MP Media Protection
| Control | Name | BoM CTRM References |
|---|---|---|
| MP-07 | Media Use | 3.12 |
PE Physical and Environmental Protection
| Control | Name | BoM CTRM References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 3.5 |
| PE-02 | Physical Access Authorizations | 3.5 |
| PE-03 | Physical Access Control | 3.5 |
| PE-04 | Access Control For Transmission Medium | 3.5 |
| PE-05 | Access Control For Display Medium | 3.5 |
| PE-06 | Monitoring Physical Access | 3.5 |
| PE-07 | Visitor Control | 3.5 |
| PE-08 | Access Records | 3.5 |
| PE-09 | Power Equipment And Power Cabling | 3.5 |
| PE-10 | Emergency Shutoff | 3.5 |
| PE-11 | Emergency Power | 3.5 |
| PE-12 | Emergency Lighting | 3.5 |
| PE-13 | Fire Protection | 3.5 |
| PE-14 | Temperature And Humidity Controls | 3.5 |
| PE-15 | Water Damage Protection | 3.5 |
| PE-17 | Alternate Work Site | 3.5 |
| PE-18 | Location Of Information System Components | 3.5 |
PL Planning
PM Program Management
| Control | Name | BoM CTRM References |
|---|---|---|
| PM-01 | Information Security Program Plan | 1.1, 1.3, 1.4 |
| PM-02 | Information Security Program Leadership Role | 1.1, 1.2 |
| PM-03 | Information Security and Privacy Resources | 1.1 |
| PM-04 | Plan of Action and Milestones Process | 1.5, 5.4 |
| PM-05 | System Inventory | 2.1 |
| PM-06 | Measures of Performance | 1.5, 5.4 |
| PM-07 | Enterprise Architecture | 1.3, 3.7 |
| PM-09 | Risk Management Strategy | 1.1, 1.4, 2.1, 3.10 |
| PM-11 | Mission and Business Process Definition | 1.3, 2.1 |
| PM-13 | Security and Privacy Workforce | 1.1, 1.2, 3.8 |
| PM-14 | Testing, Training, and Monitoring | 1.5, 4.3, 5.3, 5.4 |
| PM-15 | Security and Privacy Groups and Associations | 3.8, 4.1, 5.3 |
| PM-16 | Threat Awareness Program | 2.1, 4.1, 5.3 |
| PM-28 | Risk Framing | 1.1, 1.4 |
| PM-29 | Risk Management Program Leadership Roles | 1.1, 1.2 |
| PM-30 | Supply Chain Risk Management Strategy | 1.5, 3.9 |
| PM-31 | Continuous Monitoring Strategy | 5.1 |
PS Personnel Security
| Control | Name | BoM CTRM References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | 1.2, 3.8 |
| PS-02 | Position Categorization | 1.2, 3.8 |
| PS-03 | Personnel Screening | 3.8 |
| PS-04 | Personnel Termination | 3.8 |
| PS-05 | Personnel Transfer | 3.8 |
| PS-06 | Access Agreements | 1.2, 3.8 |
| PS-07 | Third-Party Personnel Security | 1.2, 3.8, 3.9 |
| PS-08 | Personnel Sanctions | 3.8 |
| PS-09 | Position Descriptions | 1.1, 1.2 |
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
| Control | Name | BoM CTRM References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | 1.4, 2.1 |
| RA-02 | Security Categorization | 1.4, 2.1 |
| RA-03 | Risk Assessment | 1.4, 2.1, 4.1 |
| RA-04 | Risk Assessment Update | 1.4, 2.1 |
| RA-05 | Vulnerability Scanning | 2.1, 4.1, 4.3 |
| RA-06 | Technical Surveillance Countermeasures Survey | 2.1, 4.3 |
| RA-07 | Risk Response | 1.4, 2.1, 5.3 |
| RA-08 | Privacy Impact Assessments | 2.1 |
| RA-09 | Criticality Analysis | 1.4, 2.1, 3.7, 4.3 |
| RA-10 | Threat Hunting | 4.1 |
SA System and Services Acquisition
| Control | Name | BoM CTRM References |
|---|---|---|
| SA-02 | Allocation Of Resources | 1.3, 3.7 |
| SA-03 | Life Cycle Support | 1.3, 3.11, 3.7 |
| SA-04 | Acquisitions | 3.1, 3.11, 3.9 |
| SA-08 | Security Engineering Principles | 3.1, 3.11 |
| SA-09 | External Information System Services | 3.10, 3.9 |
| SA-10 | Developer Configuration Management | 3.11, 3.6 |
| SA-11 | Developer Security Testing | 3.11 |
| SA-15 | Development Process, Standards, and Tools | 3.11 |
| SA-16 | Developer-Provided Training | 3.11 |
| SA-17 | Developer Security and Privacy Architecture and Design | 3.1, 3.11 |
| SA-20 | Customized Development of Critical Components | 3.11 |
| SA-21 | Developer Screening | 3.11, 3.9 |
| SA-22 | Unsupported System Components | 3.7 |
SC System and Communications Protection
| Control | Name | BoM CTRM References |
|---|---|---|
| SC-07 | Boundary Protection | 3.13, 3.2 |
| SC-08 | Transmission Integrity | 3.10, 3.13, 3.2, 3.4 |
| SC-12 | Cryptographic Key Establishment And Management | 3.4 |
| SC-13 | Use Of Cryptography | 3.13, 3.4 |
| SC-17 | Public Key Infrastructure Certificates | 3.4 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | 3.2 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | 3.2 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | 3.2 |
| SC-23 | Session Authenticity | 3.13 |
| SC-24 | Fail in Known State | 5.2 |
| SC-26 | Decoys | 4.2 |
| SC-28 | Protection of Information at Rest | 3.10, 3.12, 3.4 |
| SC-32 | System Partitioning | 3.2 |
| SC-39 | Process Isolation | 3.2 |
| SC-40 | Wireless Link Protection | 3.4 |
| SC-42 | Sensor Capability and Data | 3.12 |
| SC-43 | Usage Restrictions | 3.12 |
| SC-44 | Detonation Chambers | 4.2 |
| SC-45 | System Time Synchronization | 3.13 |
| SC-46 | Cross Domain Policy Enforcement | 3.2 |
SI System and Information Integrity
| Control | Name | BoM CTRM References |
|---|---|---|
| SI-02 | Flaw Remediation | 3.6 |
| SI-04 | Information System Monitoring Tools And Techniques | 3.2, 4.1, 4.2, 5.1 |
| SI-05 | Security Alerts And Advisories | 4.1, 5.1, 5.3 |
| SI-07 | Software And Information Integrity | 3.6 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | 3.13 |
| SI-17 | Fail-safe Procedures | 5.2 |