Technology Risk Governance Overview for Risk Management

taimoorabid7, 11 slides, May 07, 2024

About This Presentation

Tech and Risk Governance Roadmap on Risk Management


Slide Content

ERM Governance Technology Risk Overview

Information Technology

Note: the above count for Technology is to the best of our knowledge.

Technology Core Operations

IT-Developed Risk Register: Information System Risks; Cloud Risks; Identified Risks

General IT Risk Domains (legend): Partially Covered; Proposed Risk Domains; Regulatory Requirement

Application-Specific Risks (legend): Proposed; Regulatory Requirement

Thematic Analysis

Risk Themes | External Audit | Internal Audit | IT Self Assessment | Projects | Regulatory & Compliance | Grand Total
--- | --- | --- | --- | --- | --- | ---
Access Management | 26 | 4 | - | 4 | - | 34
Application Controls | - | 1 | - | - | - | 1
Business Continuity | - | 1 | - | 2 | - | 3
Change Management | - | 1 | - | 1 | - | 2
Data Centers | - | 2 | - | - | - | 2
Encryption/Masking | 25 | - | - | - | 1 | 26
Governance Framework Setting and Maintenance | - | 4 | 12 | 1 | 1 | 18
Initiate & Plan | - | - | 1 | - | - | 1
IT Strategy | - | - | - | - | 1 | 1
Monitoring and Controls | - | 1 | - | - | - | 1
Resource Optimization | - | 1 | 2 | - | - | 3
Security | 2 | 1 | 1 | 7 | 1 | 12
Software Quality Assurance | - | 1 | 7 | - | 1 | 9
Vendor Management | - | 1 | 1 | - | 1 | 3
Grand Total | 53 | 18 | 24 | 15 | 6 | 116

ERM Governance Contribution

Roadmap for IT and ERM Governance Venture

1. Understanding
2. Assessment of Application Coverage
3. Devising and Proposing IT General Risks
4. Technical Risk Assessment
5. Establishment of Responsibilities
6. Updating Asset Register (Server, Network, Licenses etc.), if required
7. Mapping of Additional Controls against IT Policies and Procedures
8. Business Impact Assessment

Downstream Linkages with Regulations

Risk Domain | Regulation Reference
--- | ---
Encryption / Masking | ETGRMF, Implementation of TLS
Monitoring & Control | Operational Risk Framework, Electronic Money Institute, Payment System Design
Resource Optimization | Risk Management in Outsourcing Arrangement, ETGRMF
Software Quality Assurance | Enterprise Technology Governance Framework
IT Governance Alignment with Business Goals & Objectives | Enterprise Technology Governance Framework
IT Strategy Alignment with Business Strategy | Enterprise Technology Governance Framework
Vendor Management SOP | Outsourcing Framework / Outsourcing to Cloud Service Provider
IT Change Management | Security of Digital Payment, ETGRMF
Configuration Management | Enterprise Technology Governance Framework
Agreed SLAs | Enterprise Technology Governance Framework
IT Incidents & Root Cause Analysis | Enterprise Technology Governance Framework
Problem Management | Enterprise Technology Governance Framework
Disaster Recovery | Payment System Design, ETGRMF
Business Continuity | Enterprise Technology Governance Framework
IT Services Outsourcing | Outsourcing to Cloud Service Provider, Outsourcing Framework, ETGRMF
Media and Asset Disposal | Enterprise Technology Governance Framework
Access Management | Enterprise Technology Governance Framework
Escrow Arrangements | Enterprise Technology Governance Framework
Asset Register (Applications, Hardware, Middleware) | Enterprise Technology Governance Framework
Logs Manipulation | ETGRMF, Digital Onboarding of Merchants

Application Risk Domains | Regulation Reference
--- | ---
Vulnerability Assessment and Penetration Testing | Security of Internet Banking, ETGRMF, Payment Card Security
Version Management | Payment System Design Framework, ETGRMF
Change Control | Payment System Design Framework, ETGRMF
Disaster Recovery Arrangements | Enterprise Technology Governance Framework
SLA Agreed with Business | Enterprise Technology Governance Framework
Access Control | Enterprise Technology Governance Framework
Patch Management | Enterprise Technology Governance Framework
Two Factor Authentication | Payment Card Security, Digital On-boarding of Merchants, Cyber Resilience (COVID-19)
Network and Firewall Configuration | Enterprise Technology Governance Framework

Regulatory Circulars / Letters – IT & IS

S. No. | Regulation | Reference
--- | --- | ---
1 | Customers’ Digital Onboarding Framework | BPRD Circular No. 02, Sep 15, 2021
2 | Outsourcing to Cloud Service Providers (CSPs) | BPRD Circular No. 04, Sep 28, 2020
3 | Branchless Banking Regulations for Financial Institutions | BPRD Circular No. 10, Dec 30, 2019
4 | Framework for Risk Management in Outsourcing Arrangements by Financial Institutions | BPRD Circular No. 06, Dec 17, 2019
5 | Regulations for Digital On-boarding of Merchants | BPRD Circular No. 05, Nov 01, 2019
6 | Maintaining Fidelity and Secrecy of Customers’ Information | BPRD Circular No. 08, Oct 08, 2018
7 | Enterprise Technology Governance & Risk Management Framework for Financial Institutions | BPRD Circular No. 05, May 30, 2017
8 | Implementation of Operational Risk Management Framework | BPRD Circular No. 04, May 20, 2014
9 | Implementation of TLS Certificate on E-mail Gateways | BPRD Circular No. 05, July 29, 2013
10 | Raast Person-to-Person (P2P) Payment Service | DISD Circular No. 01, Feb 03, 2022
11 | Security of Digital Payments | PSPOD Circular Letter No. 01 of 2022
12 | Enhancing Digitization Initiatives in Banks/MFBs | PSD Circular No. 01, Mar 10, 2021
13 | Enhancing Digitization Initiatives in Banks/MFBs | PSP&OD Circular Letter No. 05, Oct 15, 2021
14 | Regulations for Payment Card Security | PSD Circular Letter No. 02 of 2021
15 | Measures to Enhance Cyber Resilience Amid COVID-19 Threat | PSD Circular No. 03, Mar 26, 2020
16 | Measures to Limit the Spread of Corona Virus (COVID-19) by Promoting the Use of Digital Payment Services | PSD Circular No. 02, Mar 18, 2020
17 | Standardization of Quick Response (QR) Codes for Payments in Pakistan | PSD Circular No. 02, Sep 27, 2019
18 | Regulations for Electronic Money Institutions | PSD Circular No. 01, Apr 01, 2019
19 | Security of Digital Payments | PSD Circular No. 09, Nov 28, 2018
20 | Guidelines for White Label ATM Operators | PSD Circular No. 05, Jun 01, 2018
21 | Electronic Fund Transfers (EFT) Regulations | PSD Circular No. 03, May 09, 2018
22 | Payment Systems Designation Framework | PSD Circular No. 02, Jul 25, 2017
23 | Regulations for Payment Card Security | PSD Circular No. 05, Jun 10, 2016
24 | Prepaid Card Regulations | PSD Circular No. 04, May 06, 2016
25 | Master Circular of Payment Systems Data | PSD Circular No. 03, Mar 11, 2016
26 | Implementation of Straight Through Processing (STP) with PRISM-RTGS | PSD Circular No. 02, Jan 19, 2016
27 | Regulations for the Security of Internet Banking | PSD Circular No. 03, Oct 21, 2015
28 | Rules for Payment System Operators and Payment Service Providers | PSD Circular No. 03, Oct 23, 2014
29 | Operational Guidelines on ATMs | PSD Circular No. 02, Sep 07, 2007