Bank of Thailand Cyber Resilience Guidelines for Financial Institutions
Mandatory Bank of Thailand cyber resilience guidelines for all BOT-regulated financial institutions: 26 requirements across governance and oversight; identification (asset management, risk assessment, threat intelligence); protection (access control, data security, network security, application security, change management); detection (monitoring, vulnerability assessment, penetration testing); and response and recovery (incident management, business continuity, crisis communication, lessons learned). The guidelines are structured around the NIST CSF five-function model with BOT-specific supervisory expectations. The tables below map NIST SP 800-53 control families to the BOT chapter references.
Control families (number of mapped controls): AC (21), AT (5), AU (11), CA (8), CM (13), CP (12), IA (12), IR (9), MA (6), MP (7), PE (16), PL (4), PM (16), PS (9), PT (8), RA (7), SA (12), SC (26), SI (14), SR (8)
AC Access Control
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | Ch2.2 |
| AC-02 | Account Management | Ch2.2, Ch8.2 |
| AC-03 | Access Enforcement | Ch2.2 |
| AC-04 | Information Flow Enforcement | Ch2.2, Ch2.4 |
| AC-05 | Separation Of Duties | Ch2.2 |
| AC-06 | Least Privilege | Ch2.2 |
| AC-07 | Unsuccessful Login Attempts | Ch2.2, Ch8.2 |
| AC-08 | System Use Notification | Ch2.2 |
| AC-09 | Previous Logon Notification | Ch2.2 |
| AC-10 | Concurrent Session Control | Ch2.2 |
| AC-11 | Session Lock | Ch2.2 |
| AC-12 | Session Termination | Ch2.2 |
| AC-13 | Supervision And Review -- Access Control | Ch2.2 |
| AC-14 | Permitted Actions Without Identification Or Authentication | Ch2.2 |
| AC-16 | Automated Labeling | Ch2.2 |
| AC-17 | Remote Access | Ch2.2, Ch2.4, Ch9.1 |
| AC-18 | Wireless Access Restrictions | Ch2.4 |
| AC-19 | Access Control For Portable And Mobile Devices | Ch2.6, Ch9.1 |
| AC-20 | Use Of External Information Systems | Ch2.6, Ch5.2 |
| AC-24 | Access Control Decisions | Ch2.2 |
| AC-25 | Reference Monitor | Ch2.2 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | Ch6.1 |
| AU-02 | Auditable Events | Ch3.1, Ch6.1 |
| AU-03 | Content Of Audit Records | Ch3.1 |
| AU-04 | Audit Storage Capacity | Ch3.1 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | Ch3.1, Ch6.1, Ch8.2 |
| AU-07 | Audit Reduction And Report Generation | Ch3.1 |
| AU-09 | Protection Of Audit Information | Ch3.1 |
| AU-12 | Audit Record Generation | Ch3.1 |
| AU-13 | Monitoring for Information Disclosure | Ch3.1 |
| AU-14 | Session Audit | Ch3.1 |
| AU-16 | Cross-Organizational Audit Logging | Ch6.1 |
CA Security Assessment and Authorization
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | Ch1.3, Ch6.1 |
| CA-02 | Security Assessments | Ch1.3, Ch3.2, Ch6.1 |
| CA-03 | Information System Connections | Ch5.2 |
| CA-05 | Plan Of Action And Milestones | Ch6.1 |
| CA-06 | Security Accreditation | Ch6.1 |
| CA-07 | Continuous Monitoring | Ch1.3, Ch10.1, Ch3.1, Ch6.1 |
| CA-08 | Penetration Testing | Ch3.2 |
| CA-09 | Internal System Connections | Ch5.2 |
CM Configuration Management
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | Ch2.1 |
| CM-02 | Baseline Configuration | Ch2.1 |
| CM-03 | Configuration Change Control | Ch10.1, Ch2.1 |
| CM-04 | Monitoring Configuration Changes | Ch10.1 |
| CM-05 | Access Restrictions For Change | Ch2.1 |
| CM-06 | Configuration Settings | Ch2.1 |
| CM-07 | Least Functionality | Ch2.1, Ch2.6 |
| CM-08 | Information System Component Inventory | Ch2.1 |
| CM-09 | Configuration Management Plan | Ch2.1 |
| CM-10 | Software Usage Restrictions | Ch2.1 |
| CM-11 | User-Installed Software | Ch2.1, Ch2.6 |
| CM-12 | Information Location | Ch2.1 |
| CM-14 | Signed Components | Ch2.1 |
CP Contingency Planning
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | Ch4.2 |
| CP-02 | Contingency Plan | Ch4.2 |
| CP-03 | Contingency Training | Ch4.2 |
| CP-04 | Contingency Plan Testing And Exercises | Ch4.2 |
| CP-06 | Alternate Storage Site | Ch4.2 |
| CP-07 | Alternate Processing Site | Ch4.2 |
| CP-08 | Telecommunications Services | Ch4.2 |
| CP-09 | Information System Backup | Ch4.2 |
| CP-10 | Information System Recovery And Reconstitution | Ch4.2 |
| CP-11 | Alternate Communications Protocols | Ch4.2 |
| CP-12 | Safe Mode | Ch4.2 |
| CP-13 | Alternative Security Mechanisms | Ch4.2 |
IA Identification and Authentication
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | Ch2.2 |
| IA-02 | User Identification And Authentication | Ch2.2, Ch8.2, Ch9.1 |
| IA-03 | Device Identification And Authentication | Ch2.2 |
| IA-04 | Identifier Management | Ch2.2 |
| IA-05 | Authenticator Management | Ch2.2 |
| IA-06 | Authenticator Feedback | Ch2.2 |
| IA-07 | Cryptographic Module Authentication | Ch2.2 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | Ch2.2 |
| IA-09 | Service Identification and Authentication | Ch2.2 |
| IA-10 | Adaptive Authentication | Ch2.2 |
| IA-11 | Re-authentication | Ch2.2 |
| IA-12 | Identity Proofing | Ch2.2 |
IR Incident Response
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | Ch4.1 |
| IR-02 | Incident Response Training | Ch4.1 |
| IR-03 | Incident Response Testing And Exercises | Ch4.1 |
| IR-04 | Incident Handling | Ch4.1 |
| IR-05 | Incident Monitoring | Ch4.1 |
| IR-06 | Incident Reporting | Ch4.1 |
| IR-07 | Incident Response Assistance | Ch4.1 |
| IR-08 | Incident Response Plan | Ch4.1 |
| IR-09 | Information Spillage Response | Ch4.1 |
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | Ch2.8 |
| PE-02 | Physical Access Authorizations | Ch2.8 |
| PE-03 | Physical Access Control | Ch2.8 |
| PE-04 | Access Control For Transmission Medium | Ch2.8 |
| PE-05 | Access Control For Display Medium | Ch2.8 |
| PE-06 | Monitoring Physical Access | Ch2.8 |
| PE-08 | Access Records | Ch2.8 |
| PE-09 | Power Equipment And Power Cabling | Ch2.8 |
| PE-10 | Emergency Shutoff | Ch2.8 |
| PE-11 | Emergency Power | Ch2.8 |
| PE-12 | Emergency Lighting | Ch2.8 |
| PE-13 | Fire Protection | Ch2.8 |
| PE-14 | Temperature And Humidity Controls | Ch2.8 |
| PE-15 | Water Damage Protection | Ch2.8 |
| PE-17 | Alternate Work Site | Ch2.8 |
| PE-18 | Location Of Information System Components | Ch2.8 |
PL Planning
PM Program Management
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| PM-01 | Information Security Program Plan | Ch1.1, Ch1.2 |
| PM-02 | Information Security Program Leadership Role | Ch1.1 |
| PM-03 | Information Security and Privacy Resources | Ch1.1 |
| PM-04 | Plan of Action and Milestones Process | Ch1.3 |
| PM-07 | Enterprise Architecture | Ch6.2 |
| PM-09 | Risk Management Strategy | Ch1.1, Ch1.2 |
| PM-13 | Security and Privacy Workforce | Ch1.1, Ch7.1 |
| PM-14 | Testing, Training, and Monitoring | Ch1.3, Ch3.2, Ch6.1 |
| PM-15 | Security and Privacy Groups and Associations | Ch1.3, Ch8.1 |
| PM-16 | Threat Awareness Program | Ch3.1, Ch4.1, Ch7.1, Ch8.1 |
| PM-20 | Dissemination of Privacy Program Information | Ch9.2 |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | Ch9.2 |
| PM-26 | Complaint Management | Ch9.2 |
| PM-28 | Risk Framing | Ch1.2 |
| PM-30 | Supply Chain Risk Management Strategy | Ch5.1, Ch5.2 |
| PM-32 | Purposing | Ch1.2 |
PS Personnel Security
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | Ch7.2 |
| PS-02 | Position Categorization | Ch7.2 |
| PS-03 | Personnel Screening | Ch7.2 |
| PS-04 | Personnel Termination | Ch7.2 |
| PS-05 | Personnel Transfer | Ch7.2 |
| PS-06 | Access Agreements | Ch7.2 |
| PS-07 | Third-Party Personnel Security | Ch7.2 |
| PS-08 | Personnel Sanctions | Ch7.2 |
| PS-09 | Position Descriptions | Ch1.1, Ch7.2 |
PT Personally Identifiable Information Processing and Transparency
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| PT-01 | Policy and Procedures | Ch9.2 |
| PT-02 | Authority to Process Personally Identifiable Information | Ch2.3, Ch9.2 |
| PT-03 | Personally Identifiable Information Processing Purposes | Ch2.3, Ch9.2 |
| PT-04 | Consent | Ch2.3, Ch9.2 |
| PT-05 | Privacy Notice | Ch2.3, Ch9.2 |
| PT-06 | System of Records Notice | Ch9.2 |
| PT-07 | Specific Categories of Personally Identifiable Information | Ch9.2 |
| PT-08 | Computer Matching Requirements | Ch9.2 |
RA Risk Assessment
SA System and Services Acquisition
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| SA-03 | Life Cycle Support | Ch2.5, Ch6.2 |
| SA-04 | Acquisitions | Ch2.5, Ch5.1, Ch6.2 |
| SA-08 | Security Engineering Principles | Ch2.5, Ch6.2 |
| SA-09 | External Information System Services | Ch5.1, Ch5.2 |
| SA-10 | Developer Configuration Management | Ch2.5 |
| SA-11 | Developer Security Testing | Ch2.5 |
| SA-15 | Development Process, Standards, and Tools | Ch2.5, Ch6.2 |
| SA-16 | Developer-Provided Training | Ch2.5 |
| SA-17 | Developer Security and Privacy Architecture and Design | Ch2.5, Ch6.2 |
| SA-20 | Customized Development of Critical Components | Ch2.5, Ch6.2 |
| SA-21 | Developer Screening | Ch2.5, Ch5.1 |
| SA-22 | Unsupported System Components | Ch2.5 |
SC System and Communications Protection
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | Ch2.4 |
| SC-02 | Application Partitioning | Ch2.4 |
| SC-03 | Security Function Isolation | Ch2.4 |
| SC-04 | Information Remnance | Ch2.4 |
| SC-05 | Denial Of Service Protection | Ch2.4 |
| SC-07 | Boundary Protection | Ch2.4, Ch5.2, Ch8.2, Ch9.1 |
| SC-08 | Transmission Integrity | Ch2.3, Ch2.4, Ch2.7, Ch9.1 |
| SC-10 | Network Disconnect | Ch2.4 |
| SC-12 | Cryptographic Key Establishment And Management | Ch2.3, Ch2.7 |
| SC-13 | Use Of Cryptography | Ch2.3, Ch2.7, Ch9.1 |
| SC-17 | Public Key Infrastructure Certificates | Ch2.7 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | Ch2.4 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | Ch2.4 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | Ch2.4 |
| SC-23 | Session Authenticity | Ch2.4, Ch8.2, Ch9.1 |
| SC-24 | Fail in Known State | Ch4.2 |
| SC-26 | Decoys | Ch3.1, Ch8.1 |
| SC-28 | Protection of Information at Rest | Ch2.3, Ch2.7 |
| SC-32 | System Partitioning | Ch2.4 |
| SC-39 | Process Isolation | Ch2.4 |
| SC-40 | Wireless Link Protection | Ch2.4, Ch2.7 |
| SC-41 | Port and I/O Device Access | Ch2.6 |
| SC-42 | Sensor Capability and Data | Ch2.6 |
| SC-44 | Detonation Chambers | Ch3.1 |
| SC-45 | System Time Synchronization | Ch9.1 |
| SC-47 | Alternate Communications Paths | Ch2.4 |
SI System and Information Integrity
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| SI-02 | Flaw Remediation | Ch10.1, Ch3.2 |
| SI-03 | Malicious Code Protection | Ch2.6, Ch8.2 |
| SI-04 | Information System Monitoring Tools And Techniques | Ch2.6, Ch3.1, Ch8.2 |
| SI-05 | Security Alerts And Advisories | Ch3.2, Ch4.1, Ch8.1 |
| SI-06 | Security Functionality Verification | Ch10.1 |
| SI-07 | Software And Information Integrity | Ch2.6, Ch9.1 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | Ch2.5 |
| SI-11 | Error Handling | Ch2.5 |
| SI-12 | Information Output Handling And Retention | Ch2.3, Ch9.2 |
| SI-13 | Predictable Failure Prevention | Ch4.2 |
| SI-14 | Non-persistence | Ch10.1 |
| SI-16 | Memory Protection | Ch2.6 |
| SI-17 | Fail-safe Procedures | Ch4.2 |
| SI-19 | De-identification | Ch2.3, Ch9.2 |
SR Supply Chain Risk Management
| Control | Name | BOT Cyber Resilience References |
|---|---|---|
| SR-01 | Policy and Procedures | Ch5.1, Ch5.2 |
| SR-02 | Supply Chain Risk Management Plan | Ch5.1 |
| SR-03 | Supply Chain Controls and Processes | Ch5.1 |
| SR-04 | Provenance | Ch5.1 |
| SR-05 | Acquisition Strategies, Tools, and Methods | Ch5.1 |
| SR-06 | Supplier Assessments and Reviews | Ch5.1 |
| SR-07 | Supply Chain Operations Security | Ch5.1 |
| SR-08 | Notification Agreements | Ch5.1 |