Central Bank of Bahrain Technology Module
Mandatory technology governance and cybersecurity requirements for all CBB-licensed financial institutions in Bahrain. 16 sections covering board oversight, IT governance, information security, risk management, operations, access control, application and network security, data security, physical security, vulnerability management, SOC, incident response, BCM/DR, third-party management, and regulatory reporting.
Controls mapped per family: AC (21), AT (4), AU (14), CA (3), CM (10), CP (13), IA (11), IR (9), MP (8), PE (19), PL (7), PM (15), PS (4), PT (2), RA (8), SA (13), SC (22), SI (10), SR (10)
AC Access Control
| Control | Name | CBB TM References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | TM-6 |
| AC-02 | Account Management | TM-6 |
| AC-03 | Access Enforcement | TM-6 |
| AC-04 | Information Flow Enforcement | TM-6, TM-8 |
| AC-05 | Separation Of Duties | TM-6 |
| AC-06 | Least Privilege | TM-6 |
| AC-07 | Unsuccessful Login Attempts | TM-6 |
| AC-08 | System Use Notification | TM-6 |
| AC-10 | Concurrent Session Control | TM-6 |
| AC-11 | Session Lock | TM-6 |
| AC-12 | Session Termination | TM-6 |
| AC-13 | Supervision And Review -- Access Control | TM-6 |
| AC-14 | Permitted Actions Without Identification Or Authentication | TM-6 |
| AC-15 | Automated Marking | TM-9 |
| AC-16 | Automated Labeling | TM-6, TM-9 |
| AC-17 | Remote Access | TM-6, TM-8 |
| AC-18 | Wireless Access Restrictions | TM-6, TM-8 |
| AC-19 | Access Control For Portable And Mobile Devices | TM-6 |
| AC-20 | Use Of External Information Systems | TM-6, TM-15 |
| AC-24 | Access Control Decisions | TM-6 |
| AC-25 | Reference Monitor | TM-6 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | CBB TM References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | TM-16 |
| AU-02 | Auditable Events | TM-12 |
| AU-03 | Content Of Audit Records | TM-12 |
| AU-04 | Audit Storage Capacity | TM-5, TM-12 |
| AU-05 | Response To Audit Processing Failures | TM-12 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | TM-12, TM-13, TM-16 |
| AU-07 | Audit Reduction And Report Generation | TM-12 |
| AU-08 | Time Stamps | TM-12 |
| AU-09 | Protection Of Audit Information | TM-12 |
| AU-10 | Non-Repudiation | TM-12 |
| AU-11 | Audit Record Retention | TM-12 |
| AU-12 | Audit Record Generation | TM-12 |
| AU-14 | Session Audit | TM-12 |
| AU-16 | Cross-Organizational Audit Logging | TM-12 |
CA Security Assessment and Authorization
CM Configuration Management
| Control | Name | CBB TM References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | TM-5 |
| CM-02 | Baseline Configuration | TM-5 |
| CM-03 | Configuration Change Control | TM-5, TM-11 |
| CM-04 | Monitoring Configuration Changes | TM-5, TM-7, TM-11 |
| CM-05 | Access Restrictions For Change | TM-5 |
| CM-06 | Configuration Settings | TM-5 |
| CM-09 | Configuration Management Plan | TM-5 |
| CM-12 | Information Location | TM-9, TM-15 |
| CM-13 | Data Action Mapping | TM-9, TM-15 |
| CM-14 | Signed Components | TM-7 |
CP Contingency Planning
| Control | Name | CBB TM References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | TM-14 |
| CP-02 | Contingency Plan | TM-14 |
| CP-03 | Contingency Training | TM-14 |
| CP-04 | Contingency Plan Testing And Exercises | TM-14 |
| CP-05 | Contingency Plan Update | TM-14 |
| CP-06 | Alternate Storage Site | TM-14 |
| CP-07 | Alternate Processing Site | TM-14 |
| CP-08 | Telecommunications Services | TM-14 |
| CP-09 | Information System Backup | TM-14 |
| CP-10 | Information System Recovery And Reconstitution | TM-14 |
| CP-11 | Alternate Communications Protocols | TM-14 |
| CP-12 | Safe Mode | TM-14 |
| CP-13 | Alternative Security Mechanisms | TM-14 |
IA Identification and Authentication
| Control | Name | CBB TM References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | TM-6 |
| IA-02 | User Identification And Authentication | TM-6 |
| IA-03 | Device Identification And Authentication | TM-6 |
| IA-04 | Identifier Management | TM-6 |
| IA-05 | Authenticator Management | TM-6 |
| IA-06 | Authenticator Feedback | TM-6 |
| IA-07 | Cryptographic Module Authentication | TM-6 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | TM-6 |
| IA-10 | Adaptive Authentication | TM-6 |
| IA-11 | Re-authentication | TM-6 |
| IA-12 | Identity Proofing | TM-6 |
IR Incident Response
| Control | Name | CBB TM References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | TM-13 |
| IR-02 | Incident Response Training | TM-13 |
| IR-03 | Incident Response Testing And Exercises | TM-13 |
| IR-04 | Incident Handling | TM-5, TM-12, TM-13 |
| IR-05 | Incident Monitoring | TM-13 |
| IR-06 | Incident Reporting | TM-13, TM-16 |
| IR-07 | Incident Response Assistance | TM-13 |
| IR-08 | Incident Response Plan | TM-13 |
| IR-09 | Information Spillage Response | TM-13 |
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | CBB TM References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | TM-10 |
| PE-02 | Physical Access Authorizations | TM-10 |
| PE-03 | Physical Access Control | TM-10 |
| PE-04 | Access Control For Transmission Medium | TM-10 |
| PE-05 | Access Control For Display Medium | TM-10 |
| PE-06 | Monitoring Physical Access | TM-10 |
| PE-07 | Visitor Control | TM-10 |
| PE-08 | Access Records | TM-10 |
| PE-09 | Power Equipment And Power Cabling | TM-10 |
| PE-10 | Emergency Shutoff | TM-10 |
| PE-11 | Emergency Power | TM-10 |
| PE-12 | Emergency Lighting | TM-10 |
| PE-13 | Fire Protection | TM-10 |
| PE-14 | Temperature And Humidity Controls | TM-10 |
| PE-15 | Water Damage Protection | TM-10 |
| PE-17 | Alternate Work Site | TM-10 |
| PE-18 | Location Of Information System Components | TM-10 |
| PE-20 | Asset Monitoring and Tracking | TM-10 |
| PE-23 | Facility Location | TM-10 |
PL Planning
| Control | Name | CBB TM References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | TM-2, TM-3 |
| PL-02 | System Security Plan | TM-2, TM-3 |
| PL-07 | Concept of Operations | TM-2 |
| PL-08 | Security and Privacy Architectures | TM-2, TM-3 |
| PL-09 | Central Management | TM-1, TM-2, TM-3, TM-4 |
| PL-10 | Baseline Selection | TM-4 |
| PL-11 | Baseline Tailoring | TM-4 |
PM Program Management
| Control | Name | CBB TM References |
|---|---|---|
| PM-01 | Information Security Program Plan | TM-1, TM-2, TM-3 |
| PM-02 | Information Security Program Leadership Role | TM-1, TM-3 |
| PM-03 | Information Security and Privacy Resources | TM-1 |
| PM-04 | Plan of Action and Milestones Process | TM-4, TM-11 |
| PM-06 | Measures of Performance | TM-16 |
| PM-07 | Enterprise Architecture | TM-2 |
| PM-08 | Critical Infrastructure Plan | TM-2, TM-14 |
| PM-09 | Risk Management Strategy | TM-1, TM-2, TM-3, TM-4 |
| PM-11 | Mission and Business Process Definition | TM-2, TM-14 |
| PM-13 | Security and Privacy Workforce | TM-3 |
| PM-14 | Testing, Training, and Monitoring | TM-3, TM-16 |
| PM-15 | Security and Privacy Groups and Associations | TM-3 |
| PM-16 | Threat Awareness Program | TM-3, TM-11, TM-12, TM-13 |
| PM-28 | Risk Framing | TM-2, TM-3, TM-4 |
| PM-29 | Risk Management Program Leadership Roles | TM-1 |
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
| Control | Name | CBB TM References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | TM-2, TM-4 |
| RA-02 | Security Categorization | TM-4, TM-9 |
| RA-03 | Risk Assessment | TM-4, TM-15 |
| RA-04 | Risk Assessment Update | TM-4 |
| RA-05 | Vulnerability Scanning | TM-4, TM-11 |
| RA-07 | Risk Response | TM-4, TM-11 |
| RA-09 | Criticality Analysis | TM-4, TM-14, TM-15 |
| RA-10 | Threat Hunting | TM-11, TM-12 |
SA System and Services Acquisition
| Control | Name | CBB TM References |
|---|---|---|
| SA-02 | Allocation Of Resources | TM-5 |
| SA-03 | Life Cycle Support | TM-7 |
| SA-04 | Acquisitions | TM-7, TM-15 |
| SA-08 | Security Engineering Principles | TM-7 |
| SA-09 | External Information System Services | TM-15 |
| SA-10 | Developer Configuration Management | TM-7 |
| SA-11 | Developer Security Testing | TM-7 |
| SA-15 | Development Process, Standards, and Tools | TM-7 |
| SA-16 | Developer-Provided Training | TM-7 |
| SA-17 | Developer Security and Privacy Architecture and Design | TM-7 |
| SA-20 | Customized Development of Critical Components | TM-7 |
| SA-21 | Developer Screening | TM-7, TM-15 |
| SA-22 | Unsupported System Components | TM-15 |
SC System and Communications Protection
| Control | Name | CBB TM References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | TM-8 |
| SC-02 | Application Partitioning | TM-8 |
| SC-03 | Security Function Isolation | TM-8 |
| SC-05 | Denial Of Service Protection | TM-8 |
| SC-06 | Resource Priority | TM-5 |
| SC-07 | Boundary Protection | TM-8 |
| SC-08 | Transmission Integrity | TM-8, TM-9 |
| SC-10 | Network Disconnect | TM-8 |
| SC-12 | Cryptographic Key Establishment And Management | TM-9 |
| SC-13 | Use Of Cryptography | TM-9 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | TM-8 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | TM-8 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | TM-8 |
| SC-23 | Session Authenticity | TM-8 |
| SC-24 | Fail in Known State | TM-14 |
| SC-26 | Decoys | TM-12 |
| SC-28 | Protection of Information at Rest | TM-9 |
| SC-32 | System Partitioning | TM-8 |
| SC-39 | Process Isolation | TM-8 |
| SC-40 | Wireless Link Protection | TM-8 |
| SC-41 | Port and I/O Device Access | TM-8 |
| SC-44 | Detonation Chambers | TM-8, TM-12 |
SI System and Information Integrity
| Control | Name | CBB TM References |
|---|---|---|
| SI-02 | Flaw Remediation | TM-5, TM-11 |
| SI-03 | Malicious Code Protection | TM-8 |
| SI-04 | Information System Monitoring Tools And Techniques | TM-8, TM-12, TM-13 |
| SI-05 | Security Alerts And Advisories | TM-11, TM-13 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | TM-7 |
| SI-11 | Error Handling | TM-7 |
| SI-12 | Information Output Handling And Retention | TM-9 |
| SI-13 | Predictable Failure Prevention | TM-5 |
| SI-17 | Fail-safe Procedures | TM-14 |
| SI-19 | De-identification | TM-9 |
SR Supply Chain Risk Management
| Control | Name | CBB TM References |
|---|---|---|
| SR-01 | Policy and Procedures | TM-15 |
| SR-02 | Supply Chain Risk Management Plan | TM-15 |
| SR-03 | Supply Chain Controls and Processes | TM-15 |
| SR-04 | Provenance | TM-15 |
| SR-05 | Acquisition Strategies, Tools, and Methods | TM-15 |
| SR-06 | Supplier Assessments and Reviews | TM-15 |
| SR-07 | Supply Chain Operations Security | TM-15 |
| SR-08 | Notification Agreements | TM-15 |
| SR-10 | Inspection of Systems or Components | TM-15 |
| SR-11 | Component Authenticity | TM-15 |