100% found this document useful (1 vote)

847 views76 pages

CBN IT Guidelines

Uploaded by

Abiodun Akinnagbe

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (1 vote)

847 views76 pages

CBN IT Guidelines

Uploaded by

Abiodun Akinnagbe

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 76

Nigeria Financia l Services

IT Standards Blueprint

Version
1.2

May 2013
IT Standards Blueprint

PREAMBLE

This IT Standards Blueprint document presents the framework for the

adopted Information Technology (IT) Standards and Governance for the
Nigerian Financial Services Industry.

This document also contains the adopted Standards by the IT Standards

Council. For each defined standard, the documentation includes the
objective and intention, description, minimum acceptable maturity level,
derivable benefits, requirements for compliance, and consequences for
deviations.

Also, contained in this blueprint is the IT Standards Governance Model and

Processes, which details the binding framework of processes and procedures
that will guide the introduction of new standards, review or modification
of existing ones, and complete withdrawal of obsolete or irrelevant
standards, thereby maintaining relevance and ensuring continuity by both
CBN and other stakeholders.

This document is the property of the Central bank of Nigeria and its usage
is restricted to members of the Shared Services Unit, the IT Standards
Council, Nigerian Financial Services Industry and authorized accredited
third party agents or consultants as CBN deems fit.

For questions and clarifications, please contact the IT Standards

Council through the following:

Deputy Governor Operations

Central Bank of Nigeria
Central Business District
Abuja
Attn: Chidi Umeano

Copyright © Central Bank of Nigeria 2013

Table of Contents
PREAMBLE ................................................................... 2
TABLE OF FIGURES ........................................................... 4
ABBREVIATIONS .............................................................. 5
1 INTRODUCTION ............................................................ 6
1.1 BACKGROUND ............................................................ 6
1.2 OBJECTIVES AND PURPOSE OF DOCUMENT ........................................ 7
1.3 DEFINITION OF STANDARD .................................................. 7
1.4 OVERVIEW AND SUMMARY IT STANDARDS FOR THE NIGERIAN FINANCIAL SERVICES I NDUSTRY .... 7
1.4.1 TARGET MATURITY LEVELS .................................................. 9
1.4.2 DATA CENTRE MATURITY .................................................. 11
1.5 EXPECTED IMPACTS AND BENEFITS ........................................... 12
2 IT STANDARDS BLUEPRINT ................................................. 13
2.1 STRATEGIC IT ALIGNMENT ................................................. 14
2.2 IT GOVERNANCE ........................................................ 16
2.3 ARCHITECTURE AND I NFORMATION MANAGEMENT ................................... 19
2.4 SOLUTIONS DELIVERY .................................................... 28
2.5 SERVICE MANAGEMENT AND O PERATIONS ........................................ 37
2.6 INFORMATION & TECHNOLOGY SECURITY ........................................ 54
2.7 WORKFORCE & RESOURCE MANAGEMENT ......................................... 58
3 RE-PRIORITISED INDUSTRY IT STANDARDS ................................... 61
3.1 RE-PRIORITISED IT STANDARDS ............................................ 61
3.2 IT STANDARDS ADOPTION R OADMAP ........................................... 62
4 IT STANDARDS GOVERNANCE AND INTERACTION MODEL .......................... 64
4.1 GUIDING PRINCIPLES AND P OLICIES .......................................... 64
4.2 IT STANDARDS GOVERNANCE MODEL AND PROCESSES ............................... 64
4.2.1 GOVERNANCE STRUCTURE: IT STANDARDS COUNCIL ................................ 66
4.2.2 GOVERNANCE S TRUCTURE: C OMPLIANCE MANAGEMENT COMMITTEE ....................... 67
4.2.3 GOVERNANCE STRUCTURE: S TANDARDS REVIEW COMMITTEE ........................... 68
4.3 IT STANDARDS COMPLIANCE FRAMEWORK ........................................ 70
4.4 STAKEHOLDERS’ INTERACTION/ COMMUNICATION FRAMEWORK .......................... 73
5 FREQUENTLY ASKED QUESTIONS (FAQ) ....................................... 75

Copyright © Central Bank of Nigeria 2013

Table of Figures
Figure 1 - IT Standards Prioritization ............................. 61
Figure 2 - IT Standards Implementation Roadmap ..................... 62
Figure 3 - Recommended Adoption Timeline ........................... 63
Figure 4- IT Standards Governance Structure ........................ 65
Figure 5 - IT Standards Council Organization Structure ............. 67
Figure 6 - Compliance Management Committee Organization Structure .. 68
Figure 7 - Standards Review Committee Governance Structure ......... 69
Figure 8 - IT Standards Compliance Framework ....................... 70
Figure 9 - Define/ Change Sub-framework ............................ 71
Figure 10 - Monitor Compliance/ Measure Maturity Sub-framework ..... 71
Figure 11 – Documentation/ Management Reporting Sub-framework ...... 72
Figure 12 - Enforce Compliance Sub-framework ....................... 72
Figure 13 - IT Standards Stakeholders' Interaction Framework ....... 73

Copyright © Central Bank of Nigeria 2013

Abbreviations
ITCMM IT Capability and Maturity Model
ITIL IT Infrastructure Library
COBIT Control Objectives for Information and Technology
ISACA Information Systems Audit and Control Association
XBRL eXtensible Business Reporting Language
TOGAF The Open Group Architecture Framework
CMMI Capability Maturity Model Integration
SPICE Software Process Improvement and Capability
Determination
SCAMPI Standard CMMI Appraisal Method for Process
Improvement
PMI Project Management Institute
PMBOK Project Management Body of Knowledge
PRINCE2 Projects IN Controlled Environments version 2
TIA Telecommunications Industry Association
OHSAS Occupational Health & Safety Advisory Services
BCI Business Continuity Institute
PCI DSS Payment Card Industry Data Security Standard
SFIA Skills Framework for the Information Age

Copyright © Central Bank of Nigeria 2013

1 INTRODUCTION
1.1 Background
Globally, Information Technology has fundamentally transformed the
business architecture of Banks resulting in the evolution of new
business architectures and approaches to customer service,
enterprise management and regulatory compliance.

IT Spend in the Nigerian Financial Services industry, as a

proportion of overall operating expenses is high and increasing.
However, commensurate value is not realized from these investments
due to:

 Complex, duplicate, non-standard and costly processes

 Non-standard systems and infrastructure

 Inefficiency of electronic information exchange

 Data integrity issues

Industry leverage of IT significantly falls short of global best

practices, and is limiting banking operating efficiency, cost
effectiveness, regulatory information and risk management
practices.

To address this gap and provide guidelines for application and

utilisation of Information Technology, Industry IT Standards were
defined to articulate and provide a point of reference for the
utilisation of IT.

The IT Standards provide expected industry practices in respect

of:

- Enterprise IT Architecture
- Process architecture
- Systems integration/ Interoperability
- Network/ Communications
- Data Centre Infrastructure

Copyright © Central Bank of Nigeria 2013

Adoption and compliance to the defined standards will improve IT

leverage and significantly enhance operating efficiency and cost
effectiveness of Banks. The impact of the IT Standards in Bank
operations will include improvements in:

 Processing

 Uptime and availability

 Service quality

 Enterprise Control and Management

 Risk Management and Assurance

 Regulatory reporting

 Business Continuity

1.2 Objectives and Purpose of Document

This document presents standards for Information Technology and
Governance for the Nigerian Financial Services Industry. For each
defined standard, the documentation includes the following:

 Objective and intention

 Description of the standards

 Benefits

 Requirements for compliance

1.3 Definition of Standard

For the purposes of this document, a standard is an established,
measurable and achievable set of criteria agreed by general
consent to be a basis of comparison.

1.4 Overview and Summary IT Standards for the Nigerian

Financial Services Industry
IT standards for Nigeria’s Financial Services Industry is focused
on 7 key technology capabilities areas which are required for
world class IT operations as follows:

Copyright © Central Bank of Nigeria 2013

1. Strategic IT Translation of business vision and

Alignment strategies into multi-year IT investments
and operating plans as well as impacts of
Information Technology on the Enterprise’s
performance measurement.
2. IT Governance Framework for initiation, endorsement,
sponsorship, approval and evaluation of IT
decisions.
3. Architecture & Guidance for the creation and execution of
Information the strategic IT architecture framework.
Management
4. Solutions Delivery Framework for the development of software
application solutions and their subsequent
transition into the production
environment.
5. Service Management Planning, delivery and measurement of day-
& Operations to-day operational service.
6. Information & Security and protection of enterprise
Technology information and related assets.
Security
7. Workforce & Management of IT skills, knowledge and
Resource financial resources.
Management

The Financial Services Industry IT standards are derived from

globally defined and accepted standards as follows:

Reference

Strategic IT Alignment IT Control

Infrastructure Objectives for
Library (ITIL) Information and
related
Technologies
(COBIT)

IT Governance COBIT ISO 38500

Architecture Interfaces ISO 8583 ISO 20022

&
Reporting eXtensible Business Reporting
Information
Language (XBRL)

Copyright © Central Bank of Nigeria 2013

Management Enterprise The Open Group Architecture

Architecture Framework (TOGAF)

Solutions Applications Capability ISO 15504

Delivery Development Maturity Model
Integration
(CMMI)

Project Project PRojects IN

Management Management Controlled
Body of Environments
Knowledge version 2
(PMBOK) (PRINCE2)

Service Service ITIL ISO 20000

Management & Management
Operations
Data Center Tier Standards TIA 942

Health, OHSAS 18001

Safety,
Environment
(HSE)

Business Business BS25999 / ISO

Continuity Continuity 22301 1
Institute Good
Practice
Guidelines
(BCI GPG)

Information & Technology Payment Card ISO 27001/27002

Security Industry Data
Security
Standard (PCI
DSS)

Workforce & Resource Skills Framework for the

Management Information Age (SFIA)

1.4.1 Target Maturity Levels

1
Formerly BS 25999 which was retired on September 1, 2012 and replaced by ISO 22301

Copyright © Central Bank of Nigeria 2013

Maturity levels indicate the robustness of formal articulation of

policies and the extent of assimilation and adoption into
organizational practices.
The definition of maturity levels is derived from common
acceptable IT Standard models

Level Description Characteristics of level

0 Non-existent • No articulation of policies and

recognisable processes are lacking

1 Ad-hoc • Processes are not standardised but ad-

hoc approaches are applied incidentally
on an individual or case-by-case basis
• The overall approach to IT management
and governance is disorganized

2 Repeatable • Processes have evolved to the extent

that similar approaches are adopted by
different individuals undergoing the
same task
• There is no formal training or
communication of standard procedures,
and responsibility is left to the
individual. There is a high degree of
reliance on the knowledge of individuals

3 Defined • Processes are properly defined and

documented, and communicated through
formal training
• Processes are integrated into
organizational practices via formal
approved policy
• Automation and tools are used in a
limited and fragmented way

4 Managed and • Measurable quality goals are established

Measurable and management monitors and measures
compliance with procedures and takes
action where processes appear not to be
working effectively
• Processes are under constant improvement
and provide good practice

5 Optimised • Processes are refined to the level of

good practice, based on continuous

Copyright © Central Bank of Nigeria 2013

improvement
• Quality management & continuous
improvement activities are embedded in
process management
• IT is leveraged in an integrated way to
automate the workflow, providing tools
to improve quality and effectiveness
The minimum target maturity level for IT Standards for the financial
services industry is Level 3 in respect of standards that align to
the maturity model
Level 3 maturity requires that IT standards are

 Defined
 Documented
 Integrated into organizational practices via policy and
procedures
 Communicated through training, and that
 Automation and tools are used in a limited and fragmented way

1.4.2 Data Centre Maturity

The TIA 942 and Uptime Institute standards are the reference
standards for data centre infrastructure and environment. Data
Center standards provide guidance for data centres including primary
data centres hosting live production infrastructure as well as
backup data centres / disaster recovery locations.
The following tier levels are adapted from the TIA 942 and Uptime
Institute Tier Standards:

Tier Description Characteristics of Tier

Basic Data  Numerous single points of failure in all

1 Centre Site aspects of design
Infrastructure  Generally unable to sustain more than a 10
minute power outage

 Some redundancy in power and cooling systems

Redundant Site
Infrastructure  Generator backup
2  Able to sustain 24 hour power outage
Capacity
Components  Minimal thought to site selection
 Vapour barrier

Copyright © Central Bank of Nigeria 2013

 Formal data room separate from other areas

 Two utility paths (active and passive)

 Redundant power and cooling systems
Concurrently
Maintainable  Redundant service providers
3  Able to sustain 72-hour power outage
Site
Infrastructure  Careful site selection planning
 One-hour fire rating
 Allows for concurrent maintenance

 Two independent utility paths

 Independently dual-powered cooling systems
Fault Tolerant
4 Site  Able to sustain 96 hour power outage
Infrastructure  Stringent site selection criteria
 Minimum two-hour fire rating
 24/7 onsite maintenance staff

Target tier is Tier 3: Concurrently Maintainable Site

Infrastructure and supports 99.982% availability.

1.5 Expected Impacts and Benefits

Implementation of these standards is expected to provide the
following benefits:

 Increased up-time / availability of Banks leading to

increased cost savings

 Establishment of a reference point for objective assessment

of the IT function leading to improved IT performance
measurement

 Improved data integrity and electronic information exchange

 Increased efficiency and productivity of staff due to

interoperability of IT systems

 Business Continuity / Recovery and reduced risk of prolonged

downtimes

 Improved data security assurance to customers leading to

increased customer confidence

Copyright © Central Bank of Nigeria 2013

2 IT Standards Blueprint
This section outlines the blueprint of the IT Standards and
includes the following in respect of each standard:

 Purpose of the standard(s)

 Minimum Acceptable Maturity Level

 Description of the Standard(s)

 Rationale for Selection

 Benefits

 Requirements for compliance

 Scope

 Deviation from Use

 References

Copyright © Central Bank of Nigeria 2013

2.1 Strategic IT Alignment

Purpose The Strategic IT Alignment standards provide a

framework for ensuring that business vision and
strategies are translated into IT investments and
operating plans.

Recommended  Control Objectives for Information and Technology

Standards (COBIT): best practices for IT management, created
by ISACA and the IT Governance Institute

 IT Infrastructure Library (ITIL): globally adopted

framework for IT Operations and Service Management

Minimum  Level 3
Acceptable
Maturity
Level

Rationale COBIT
for The Plan and Organize (PO) Domain of the COBIT
Selection Framework involves the definition of an IT Strategic
Plan and focuses on incorporating IT and business
management in the translation of business requirements
into service offerings, as well as the development of
strategies to deliver these services in a transparent
and effective manner
ITIL
The Service Strategy Volume of ITIL focuses on the
alignment of business and IT so that each brings out
the best in the other. It ensures that every stage of
the service lifecycle stays focused on the business
case and relates to all the companion process elements
that follow

COBIT and ITIL are also reference standards for IT

Governance and Service Management respectively

 Standardized framework for ensuring that IT plans

Benefits
and investments are directly driven by the business
goals.

 Ensures that IT services are designed to satisfy the

business requirements and service levels

 Objective basis for measuring the value IT brings to

the business

Requirements Adoption of COBIT Plan and Organize (PO) Domain and the
for ITIL Service Strategy volume maturity level 3.
compliance Strategic IT Alignment policies and processes must be:

Copyright © Central Bank of Nigeria 2013

 Defined

 Documented

 Integrated into organizational practices via policy

and procedures

 Communicated through training

 Processes must be automated to some degree

The process for certification of compliance to COBIT

and ITIL is as follows:

 Implement the IT Strategy requirements of the COBIT

/ITIL frameworks to maturity level 3 and submit to a
compliance audit
The Strategic IT Alignment standard shall be applicable
Scope and to all IT infrastructure and Service providers to the
Application financial service industry including in house Bank
functions and external IT infrastructure and service
providers

Exemption Not applicable.

ITIL: http://www.itil-officialsite.com/
References
COBIT: http://www.isaca.org/Knowledge-Center/cobit

Key Elements of the Standards

Please see sections 2.2 and 2.5.

Copyright © Central Bank of Nigeria 2013

2.2 IT Governance

Purpose The IT Governance standards articulates a framework to

guide how IT decisions are made, sponsored, enforced and
evaluated, both within and across the organization
structure

Standards  Control Objectives for Information and Technology

(COBIT): a set of best practices for IT management,
created by ISACA and the IT Governance Institute.

 ISO 38500: created by the International Standards

Organization; focuses on the corporate governance of
information technology

Maturity  COBIT: Level 3

Level
 ISO 38500

Rationale COBIT
for The COBIT Framework provides management and business
Selection process owners with an IT governance model that helps in
delivering value from IT as well as managing the risks
associated with IT.

ISO 38500

The ISO/IEC 38500 standard provides a framework for

effective governance of IT to assist those at the
highest level of organizations to understand and fulfill
their legal, regulatory, and ethical obligations in
respect of their organizations’ use of IT. The standard
specifies the minimum requirements for the IT Governance
of an organization.

COBIT and ISO 38500 are complementary– implementation of

COBIT controls satisfy some of the requirements for an
ISO 38500 certification

 Improved accountability for IT investments

Benefits
 Higher level of business justification for IT
projects

 Increased effectiveness of the IT function leading

to reduction in costs

 Improved risk management with better visibility of

risk priorities

Copyright © Central Bank of Nigeria 2013

Requirements COBIT: In order to be compliant to the industry

for standard, the COBIT framework must be implemented to
maturity level 3. This means that the standard must be:
compliance
 Defined

 Documented

 Integrated into organizational practices via policy

and procedures

 Communicated through training

 Processes must be automated to some degree

ISO 38500: The ISO 38500 certification requirements must

be met for an organization to be compliant to this
standard

The processes for an organization to become compliant to

COBIT and ISO 38500 are as follows:
COBIT

 Implement the requirements of the COBIT framework to

maturity level 3 and submit to a compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council.

ISO 38500

 Implement the requirements of the ISO 38500 standard

 Submit to a compliance audit by a certified

assessor.

 Provide the results to the IT Standards Governance

Council as proof of compliance

Scope This standard is applicable to all the Banks and managed

service providers in the industry.
 All organizations in the industry shall implement
the COBIT framework to maturity level three.

 ISO 38500 certification shall not be mandatory but

should be considered desirable

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council.

Copyright © Central Bank of Nigeria 2013

Key Elements of the Standards

COBIT:
COBIT defines IT activities in a generic process model within four
domains:

- Plan and Organize

- Acquire and Implement,

- Deliver and Support,

- Monitor and Evaluate.

The domains map to the IT function’s traditional responsibility areas
of plan, build, run and monitor
Plan and Organize Strategy and tactics, and concerns the
(PO) Domain identification of the way IT contributes to
the achievement of business objectives. The
realization of the strategic IT vision needs
to be planned, communicated and managed for
different perspectives. Proper organization as
well as technological infrastructure should be
defined and implemented.
Acquire and To realize the IT strategy, IT solutions must
Implement (AI) be identified, developed or acquired,
Domain implemented and integrated into business
processes.
Changes in and maintenance of existing systems
ensure that solutions continue to meet
business objectives.
Deliver and Actual delivery of IT services, including IT
Support (DS) service delivery, IT security and continuity,
Domain: service support for users, and management of
data and operational facilities.
Monitor and All IT processes shall be regularly assessed
Evaluate (ME) over time for quality and compliance with
Domain: control requirements. Policies and processes
for performance management, monitoring of
internal control, regulatory compliance and
governance shall be established

Ref: http://www.isaca.org/Knowledge-Center/cobit

ISO 38500
ISO 38500 is a high level principle based advisory standard. In addition
to providing broad guidance on the role of a governing body, ISO 38500

Copyright © Central Bank of Nigeria 2013

encourages organizations to use appropriate standards to underpin

governance of IT.
The standard prescribes that directors should govern IT through three
main tasks:

 Evaluate the current and future use of IT

 Direct preparation and implementation of plans and policies to

ensure that use of IT meets business objectives

 Monitor conformance to policies, and performance against plans.

There are six principles for good corporate governance of IT. The
principles are applicable to organizations and express preferred
behaviour to guide decision making. The statement of each principle
refers to what should happen but does not prescribe how, when or by whom
the principles should be implemented.

 Principle 1- Responsibility: Individuals and groups across the

organization understand and accept their responsibilities in
respect of supply of and demand for IT. Responsibility is matched
by authority to perform.

 Principle 2 - Strategy: Corporate business strategy reflects

current and future capabilities of IT. IT strategy and plans are
clearly articulated and are aligned to and supportive of current
and ongoing needs of the organization’s Business strategy.

 Principle 3 - Acquisition: IT acquisitions are made for valid

reasons, on the basis of appropriate and ongoing analysis with
clear and transparent decision making. There is appropriate
consideration of short and long term benefits, opportunities, costs
and risks of IT spend.

 Principle 4 - Performance: IT is fit for purpose in supporting the

organization, providing services levels and service quality
appropriate for current and future business requirements

 Principle 5 - Conformance: IT complies with all mandatory

legislation and regulations. Policies and practices are clearly
defined, implemented and enforced.

 Principle 6 – Human Behaviour: IT policies, practices and decisions

demonstrate respect for human behaviour including the current and
evolving needs of all people in the process.
Ref: http://www.iso.org/

2.3 Architecture and Information Management

2.3.1 Interfaces

Purpose The purpose is to ensure the standardization of

transaction interfaces between entities in the
Financial Services Industry to enhance interoperability

Copyright © Central Bank of Nigeria 2013

and improve efficiency

 ISO 8583 also known as Financial Transaction Card

Standards
Originated Messages – Interchange Message
Specifications, provides a standard framework for
systems that exchange electronic transactions made
using payment cards
 ISO 20022 aims to enable communication
interoperability between financial institutions,
their market infrastructures and their end-user
communities by defining and promoting a single ISO
standardization approach to be used by all financial
standards initiatives.

Maturity
 Not Applicable
Level
ISO 8583
Rationale
for Standard framework for systems that exchange electronic
Selection transactions that use payment cards, specifies a common
interface by which financial transaction card
originated messages may be interchanged between
acquirers and card issuers.
Most core Banking application vendors provide native
ISO 8583 interfaces and ISO 8583 is widely adopted
within the Nigerian Financial Services industry for
card based payment transactions.

ISO 20022

Also known as the Universal financial industry (UNIFI)

message scheme provides a common platform for the
development of messages in a standardized XML syntax
and is the de-facto standard adopted in Europe to
facilitate the Single Euro Payments Area (SEPA).

ISO 8583 is restricted to card based payments while the

scope of application of ISO 20022 is broader.

 Improved interoperability and efficiency of

Benefits
transaction processing

 Cost savings due to interoperability

 Facilitates straight through processing

Requirements Transaction interfaces that meet specified industry

for standards.
compliance Process for compliance

Copyright © Central Bank of Nigeria 2013

 Implement the requirements of the interface

standards and submit to a compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council

Scope This standard is applicable to all banks, managed

service providers and payments systems solution
providers in the industry.
 All organizations that provide payments services are
required to provide ISO 8583 compliant interfaces.

 Compliance with ISO 20022 requirements is currently

not mandatory. This is however subject to review by
the IT Standards Governance Council.

Exemption An payment service provider may seek exemption from

compliance by formal application supported by clearly
articulated business justification to the IT Standards
Governance Council

Key Elements of the Standards

ISO 8583:
Common interface by which financial transaction card originated messages
may be interchanged between acquirers and card issuers. It specifies
message structure, format and content, data elements and values for data
elements.
The specification has 3 parts:

 Part 1: Messages, data elements and code values

 Part 2: Application and registration procedures for Institution

Identification Codes

 Part 3: Maintenance procedures for messages, data elements and code

values
An ISO 8583 message is made of:

 Message type indicator (MTI)

 One or more bitmaps, indicating which data elements are present

 Data elements, the fields of the message

Ref: http://www.iso.org/

ISO 20022
Communication interoperability between financial institutions, market

Copyright © Central Bank of Nigeria 2013

infrastructure and end-users in respect of financial transactions

including:

 High value payments

 FX & Money Markets

 Commercial payments

 Cards

 Securities

 Trade
The ISO 20022 statement is organized as follows:

 Part 1: Overall Methodology and Format Specifications for Inputs

and Outputs to/from the ISO 20022 Repository

 Part 2: Roles and responsibilities of the registration bodies

 Part 3: ISO 20022 Modeling

 Part 4: ISO 20022 XML design rules

 Part 5: ISO 20022 Reverse engineering

 Part 6: ISO 20022 Message Transport Characteristics

Ref: http://www.iso.org/

Copyright © Central Bank of Nigeria 2013

2.3.2 Reporting

Purpose Standardization of business and financial reporting

across the industry

Standards  eXtensible Business Reporting Language (XBRL)

Maturity
 N/A
Level

Description  XBRL is an XML-based open standard for exchanging

of Standards business information which allows information
modeling and the expression of semantic meaning
commonly required in business reporting
XBRL
Rationale
 XBRL provides a method to prepare, publish,
for exchange, search and analyze financial statements
Selection across all software formats and technologies.

 Includes an IFRS taxonomy which facilitates the

electronic use and exchange of financial data in
line with IFRS directives.
 Improved reporting efficiency as data from various
Benefits
systems and databases can assembled quickly, cheaply
and efficiently

 Improved usability of financial statement

information

 Simplification of both internal and external

reporting processes

Requirements In order to be compliant, an organization must

for implement XBRL processes and tools and utilize it for
reporting purposes.
compliance
Process for compliance

 Implement XBRL and submit to a compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council

Scope This standard is applicable to all banks and external

(managed) service providers for the financial services
industry.

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council

Copyright © Central Bank of Nigeria 2013

Key Elements of the Standards

XBRL consists of an XBRL instance, containing primarily the business
facts being reported, and a collection of taxonomies (called a
Discoverable Taxonomy Set (DTS)), which define metadata about these
facts, such as what the facts mean and how they relate to one another

 XBRL Instance: The XBRL instance begins with the <xbrl> root
element and holds the following information:
o Business Facts which are divided into two categories

 Items are facts holding a single value. They are

represented by a single XML element with the value as
its content.

 Tuples are facts holding multiple values. They are

represented by a single XML element containing nested
Items or Tuples.
o In the design of XBRL, all Item facts must be assigned a
context.

 Contexts define the entity (e.g. company or individual)

to which the fact applies, the period of time the fact
is relevant, and an optional scenario. Scenarios
provide further contextual information about the facts,
such as whether the business values reported are
actual, projected, or budgeted.

 Units define the units used by numeric or fractional

facts within the document, such as USD, shares. XBRL
allows more complex units to be defined if necessary.

 Footnotes use XLink to associate one or more facts with

some content.

 Taxonomy: An XBRL Taxonomy is a collection of taxonomy schemas and

linkbases. A taxonomy schema is an XML schema file. Linkbases are
XML documents which follow the XLink specification. The schema must
ultimately extend the XBRL instance schema document and typically
extend other published XBRL schemas.
Ref: www.xbrl.org

Copyright © Central Bank of Nigeria 2013

2.3.3 Enterprise Architecture

Purpose Enterprise architecture standard provides a framework

to guide the selection, deployment, operation,
protection and refreshment of technologies in support
of business goals

Standard
 The Open Group Architecture Framework (TOGAF)

Maturity
 Level 3
Level

Description  TOGAF is an architecture framework that provides a

of Standards set of tools which can be used for developing a
broad range of different architectures

Rationale  TOGAF is a framework that includes a comprehensive

set of supporting tools for the design, planning,
for implementation, and governance of an enterprise
Selection architecture.

 It is the most widely adopted open framework for

Enterprise Architecture in Nigeria and in most parts
of the world

 The TOGAF Architecture Development Method (ADM)

Benefits
provides a detailed methodology that can enable the
development an enterprise architecture which will
meet the business and information technology needs
of an organization.

 The ADM is freely available for use by any

organization to develop an enterprise architecture
for use within that organization alone, and is
customizable to meet the organization's needs.

Requirements In order to be compliant to the industry standard the

for TOGAF framework must be implemented to maturity level
3. This means that the standard must be:
compliance
 Defined

 Documented

 Integrated into organizational practices via policy

and procedures

 Communicated through training

 Processes must be automated to some degree

Process for compliance

Copyright © Central Bank of Nigeria 2013

 Implement the requirements of the TOGAF framework to

maturity level 3 and submit to a compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council

Scope This standard shall be applicable to all banks and

external (managed) service providers in the financial
service industry.

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council

References TOGAF: http://www.opengroup.org/togaf/

Key Elements of the Standards

The TOGAF Architecture Development Method (ADM) is a framework for
developing an enterprise architecture covering Business Architecture,
Application Architecture, Information Architecture and Technology
Architecture. The TOGAF ADM consists of a number of phases that cycle
through all the architecture views as follows:

 Preliminary Framework and Principles: focuses on establishing the

business context, defining framework to be used, defining
architecture principles and establishing architecture governance

 Architecture Vision: obtain management commitment towards

project(s), validate the business principles, goals and drivers,
identify stakeholder concerns and objectives, define business
requirements and constraints and obtain formal approval to proceed.

 Business Architecture: describe the current baseline business

architecture, develop a target business architecture and to analyze
the gaps between the baseline and target business architectures.

 Information Systems Architecture: develop target architectures for

data and application domains. The scope of business process
supported in this phase includes those that are supported by IT and
the interfaces of IT related processes to non IT related processes.
It consists of
o Data Architecture: which aims to define the types and sources
of data needed to support the business in a way that can be
understood by stakeholders
o Applications Architecture: which aims to define the kinds of
application systems necessary to process the data and support
the business.

 Technology Architecture: develop a technology architecture that

supports the business, application and data architectures

 Opportunities and Solutions: evaluate and select implementation

Copyright © Central Bank of Nigeria 2013

options, identify the strategic parameters for change and the

projects to be undertaken and generate an implementation and
migration strategy and plans.

 Migration Planning: plan various implementation projects by

priority. The prioritized list of projects will form the basis for
the detailed implementation and migration plans.

 Implementation Governance: arrangements for conformance with the

defined architecture by the implementation projects and other
projects.

 Architecture Change Management: continual monitoring of changes in

technology and business to determine whether to initiate a new
architecture cycle.
Ref: http://www.opengroup.org/togaf/

Copyright © Central Bank of Nigeria 2013

2.4 Solutions Delivery

2.4.1 Applications Development

Purpose The purpose of these standards is to ensure that there is

a structured process for the development of bespoke
applications or the customization of commercial
applications as required by the organization.
 Capability Maturity Model Integration (CMMI) is a
Standards
process improvement method that provides a set of
best practices for Systems and Software development
 ISO 15504 is a framework for process assessment which
defines processes and a capability dimension for
measuring the processes

Maturity  CMMI: Level 3

Level
 ISO 15504: N/A
CMMI
Rationale for
Selection The CMMI is a Framework for projects or organizations
that provides common, integrated, and improving processes
for Systems and Software development.
It provides a set of best practices that address
productivity, performance, costs, and stakeholder
satisfaction and can be utilized to drive significant
value realization.

ISO 15504
ISO 15504 also known as Software Process Improvement and
Capability Determination (SPICE) is a framework for the
assessment of processes that defines capability levels
for measuring the processes.
ISO 15504 provides objective measures that enables
assessors give an overall determination of the
organization's capabilities for delivering software

ISO 15504 was derived in part from the CMMI.

 Better ROI indices for application development

Benefits
initiatives

 Improved quality of end deliverables with reduced

defects over product life cycle

 Reduction in project costs with reduced schedules

 Improved end-user satisfaction

CMMI: In order to be compliant to the industry standard
Requirements the CMMI model must be implemented to maturity level 3 as
for defined

Copyright © Central Bank of Nigeria 2013

compliance ISO 15504: the ISO 15504 certification requirements must

be met for an organization to be compliant to this
standard
Process for compliance
CMMI:
 Implement the requirements of the CMMI Model to
maturity level 3 and submit to a SCAMPI compliance
audit by a QSA

 If all requirements are met, the organization will be

deemed to have complied by the IT Standards
Governance Council.

ISO 15504:
 Implement the requirements of the ISO 15504 standard

 Submit to a compliance audit by a certified assessor.

 Provide the results to the IT Standards Governance

Council as proof of compliance

Scope This standard is applicable to all the banks and external

(managed) service providers in financial services
industry.

 All organizations in the industry are required to

implement CMMI to at least a maturity level three.

 ISO 15504 certification is not mandatory

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council.

Key Elements of the Standards

CMMI:
CMMI for applications development consists of 22 process areas. A process
area is a cluster of related practices in an area that, when implemented
collectively, satisfy a set of goals considered important for making
significant improvement in that area. These process areas are aligned to
maturity levels and determine the level of maturity of an organi zation’s
development processes. The process areas are as follows:
Maturity Level 2 – Managed:
 CM - Configuration Management: establish and maintain the integrity
of work products using configuration identification, configuration
control, configuration status accounting, and configuration audits.
 MA - Measurement and Analysis: develop and sustain a measurement
capability used to support management information needs.

Copyright © Central Bank of Nigeria 2013

 PMC - Project Monitoring and Control: provide an understanding of

the project’s progress so that appropriate corrective actions can
be taken when the project’s performance deviates significantly from
the plan
 PP - Project Planning: establish and maintain plans that define
project activities.
 PPQA - Process and Product Quality Assurance: provide staff and
management with objective insight into processes and associated
work products.
 REQM - Requirements Management: manage requirements of the
project’s products and product components and to ensure alignment
between those requirements and the project’s plans and work
products.
 SAM - Supplier Agreement Management: manage the acquisition of
products and services from suppliers

Maturity Level 3 - Defined

 DAR - Decision Analysis and Resolution: analyze possible decisions

using a formal evaluation process that evaluates identified
alternatives against established criteria.

 IPM - Integrated Project Management: establish and manage the

project and the involvement of relevant stakeholders according to
an integrated and defined process that is tailored from the
organization’s set of standard processes.

 OPD - Organizational Process Definition: establish and maintain a

usable set of organizational process assets, work environment
standards, and rules and guidelines for teams.

 OPF - Organizational Process Focus: plan, implement, and dep loy

organizational process improvements based on a thorough
understanding of current strengths and weaknesses of the
organization’s processes and process assets.

 OT - Organizational Training: develop skills and knowledge of

people so they can perform their roles effectively and efficiently.

 PI - Product Integration: assemble the product from the product

components, ensure that the product, as integrated, behaves
properly (i.e., possesses the required functionality and quality
attributes), and deliver the product

 RD - Requirements Development: elicit, analyze, and establish

customer, product, and product component requirements.

 RSKM - Risk Management: identify potential problems before they

occur so that risk handling activities can be planned and invoked
as needed across the life of the product or project to mitigate
adverse impacts on achieving objectives.

 TS - Technical Solution: select, design, develop, and implement

solutions to requirements. Solutions, designs, and implementations
encompass products, product components, and product related

Copyright © Central Bank of Nigeria 2013

lifecycle processes either singly or in combination as appropriate.

 VAL – Validation: demonstrate that a product or product component

fulfills its intended use when placed in its intended environment.

 VER – Verification: ensure that selected work products meet their

specified requirements.
Maturity Level 4 - Quantitatively Managed

 OPP - Organizational Process Performance: establish and maintain a

quantitative understanding of the performance of selected processes
in the organization’s set of standard processes in support of
achieving quality and process performance objectives, and to
provide process performance data, baselines, and models to
quantitatively manage the organization’s projects.

 QPM - Quantitative Project Management: quantitatively manage the

project to achieve the project’s established quality and process
performance objectives.
Maturity Level 5 - Optimizing

 CAR - Causal Analysis and Resolution: identify causes of selected

outcomes and take action to improve process performance.

 OPM - Organizational Performance Management: proactively manage the

organization’s performance to meet its business objectives.
Ref: http://www.sei.cmu.edu/cmmi/

ISO 15504:
ISO 15504 contains a reference model which defines processes and a
capability dimension for measuring the processes. The process dimension
defines processes divided into the six process categories of:

 Processes

 Customer supplier

 Engineering

 Supporting

 Management

 Organization
Capability levels include

 5 - Optimizing Process

 4 - Predictable Process

 3 - Established Process

 2 - Managed Process

Copyright © Central Bank of Nigeria 2013

 1 - Performed Process

 0 - Incomplete Process
Ref: http://www.iso.org/

Copyright © Central Bank of Nigeria 2013

2.4.2 Project Management

Purpose The Project Management standards provide a framework to

guide project planning, organizing, and resource
management to bring about the successful completion of
project goals and objectives.
 Project Management Body of Knowledge (PMBOK): a
Standards
global standard in Project Management, developed by
the Project Management Institute (PMI) which
provides a set of standard terminology and
guidelines for project management

 PRojects IN Controlled Environments (PRINCE2): a

process-driven project management method, which is
developed by the Office of Government Commerce
(OGC), UK, and is largely influenced by the IT
industry

Maturity
 Level 3
Level
 PMBOK
Rationale
for  The PMBOK is a global standard which establishes best
Selection practices and principles for project management.

PRINCE2
Prince2 is a widely adopted structured method for
effective Project Management, which covers the
management, control and organization of a project

Both standards are independent Project Management

standards widely adopted both globally and locally.

 Improved efficiency and effectiveness in project

Benefits
delivery

 Better risk management

 Improved quality of project end results

 Reduced cost to deliver

 Further cost savings due to increased on-schedule

project delivery

Requirements In order to be compliant to the industry standard, the

for PMBOK or PRINCE2 framework must be implemented to
maturity level 3. This means that the standard must
compliance be:
 Defined

 Documented

 Integrated into organizational practices via policy

Copyright © Central Bank of Nigeria 2013

and procedures

 Communicated through training

 Processes must be automated to some degree

Process for compliance

 Implement the requirements of the PMBOK/PRINCE2

Standards to maturity level 3 and submit to a
compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council.

Scope The Project Management standard shall be applicable to

all the banks and external (managed) service providers
in the industry.
 Organizations are required to implement either the
PMBOK or PRINCE2 standards to at least a maturity
level three

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council.

Key Elements of the Standards

PMBOK:
The PMBOK divides a project into 5 process groups that follow the Deming
cycle:

 Initiating

 Planning

 Executing

 Monitoring & Controlling

 Closing
Simultaneously the project is also divided into nine knowledge areas a s
follows:

 Project Integration Management

 Project Scope Management

 Project Time Management

 Project Cost Management

Copyright © Central Bank of Nigeria 2013

 Project Quality Management

 Project Human Resource Management

 Project Communications Management

 Project Risk Management

 Project Procurement Management

Ref: http://www.pmi.org/PMBOK-Guide-and-Standards.aspx

PRINCE2:
PRINCE2 defines 40 separate activities and organized into seven
processes:

 Starting up a project: In this process the project team is

appointed and a project brief is prepared. In addition the overall
approach to be taken is decided and the next stage of the project
is planned.
 Initiating a project: This process builds on the work of the
startup process, and the project brief is augmented to form a
Business case. The approach taken to ensure quality on the project
is agreed together with the overall approach to controlling the
project itself. Project files are also created as well as an
overall plan for the project.
 Directing a project: This process dictates how the project board
should control the overall project. Directing a Project also
dictates how the project board should authorize a stage plan,
including any stage plan that replaces an existing stage plan due
to slippage or other unforeseen circumstances. Also covered is the
way in which the board can give ad hoc direction to a project and
the way in which a project should be closed down.
 Controlling a stage: PRINCE2 suggests that projects should be
broken down into stages and these sub-processes dictate how each
individual stage should be controlled. Most fundamentally this
includes the way in which work packages are authorized and
received. It also specifies the way in which progress should be
monitored and how the highlights of the progress should be reported
to the project board. A means for capturing and assessing project
issues is suggested together with the way in which corrective
action should be taken. It also lays down the method by which
certain project issues should be escalated to the project board.
 Managing stage boundaries: This dictates what should be done
towards the end of a stage. The next stage should be planned and
the overall project plan, risk log and business case amended as
necessary. The process also covers what should be done for a stage
that has gone outside its tolerance levels. Finally, the process
dictates how the end of the stage should be reported.
 Managing product delivery: This process has the purpose of
controlling the link between the Project Manager and the Team

Copyright © Central Bank of Nigeria 2013

Manager(s) by placing formal requirements on accepting, executing

and delivering project work.
 Closing a project: This covers the things that should be done at
the end of a project. The project should be formally de -
commissioned and resources freed up for allocation to other
activities, follow on actions should be identified and the project
itself be formally evaluated.
Ref: http://www.prince-officialsite.com/

Copyright © Central Bank of Nigeria 2013

2.5 Service Management and Operations

2.5.1 Service Management

Purpose The purpose of these standards is to ensure that there

is a structured framework for managing the development
and delivery of IT Services.
 IT Infrastructure Library (ITIL) is a framework of
Standards
best practice for IT service management. It
comprises a series of books and information which
provide guidance on the quality provision of IT
services.
 ISO 20000 is an organizational standard that aims to
promote the adoption of an integrated set of
management processes for the effective delivery of
services to the business and its customers

Maturity  ITIL: Level 3

Level
 ISO 20000: N/A

 ITIL
Rationale
for  ITIL is a framework of best practices for IT service
Selection management which gives detailed descriptions of IT
processes and provides comprehensive checklists, tasks
and procedures that any IT organization can tailor to
its needs.

ISO 20000
This is an international standard that defines the
requirements for an organization to deliver services of
an acceptable quality to its customers. It aims to
promote the adoption of an integrated set of management
processes for the effective delivery of services to the
business and its customers
ITIL and ISO 20000 are complementary to one another –
implementing ITIL processes satisfy some of the
requirements towards attaining an ISO 20000
certification

 Improved quality and consistency of IT Services

Benefits
 Improved alignment of IT Services with corporate
strategies and all aspects of existing technologies,
processes and services leading to reduced Total Cost
of Ownership (TCO)

 Structured service design processes enabling IT to

focus on delivering cost effective services while
ensuring that specific business requirements are met

 Provides a basis for independent assessment of IT

Copyright © Central Bank of Nigeria 2013

Service Management processes

Requirements ITIL: in order to be compliant to the industry standard

for the ITIL framework must be implemented to maturity
level 3. This means that the standard must be:
compliance
 Defined

 Documented

 Integrated into organizational practices via policy

and procedures

 Communicated through training

 Processes must be automated to some degree

ISO 20000: the ISO 20000 requirements must be met and

certification obtained for an organization to be
compliant to this standard.

Process for compliance

 ITIL:
 Implement the requirements of the ITIL Standard to
maturity level 3 and submit to a compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council.


 ISO 20000
 Implement the requirements of the ISO 20000 standard

 Request an assessment from a Registered

Certification Body (RCB). Once the requirements of
ISO/IEC 20000 have been satisfied, the RCB will
issue a certificate of conformance

 Provide the certificate to the IT Standards

Governance Council as proof of compliance

Scope This standard is applicable to all the banks and

external (managed) service providers in the financial
services industry.

 All organizations in the industry are required to

implement the ITIL framework to at least a
maturity level three.

 ISO 20000 certification is mandatory for managed

service providers.

Copyright © Central Bank of Nigeria 2013

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council.

Key Elements of the Standards

ITIL:
ITIL version 3 2 (Current ITIL version is ITIL 2011which is an update to
version 3 with no significant changes in context) consists of five core
publications covering each stage of the service lifecycle from the
initial definition and analysis of business requirements in Service
Strategy and Service Design, through migration into the live environment
within Service Transition, to live operation and improvement in Ser vice
Operation and Continual Service Improvement

 Service Strategy: this publication sits at the core of the ITIL V3

lifecycle. It sets out guidance to all IT service providers and
their customers, to help them operate and thrive in the long term
by building a clear service strategy

 Service Design: The purpose of this is the design of appropriate

and innovative IT services, including their architectures,
processes, policies and documentation, to meet current and future
agreed business requirements.

 Service Transition: this aims to deliver services that are required

by the business into operational use. Service Transition delivers
this by receiving the Service Design Package from the Service
Design stage and delivering into the Operational stage every
necessary element required for ongoing operation and support of
that service.

 Service Operation: the purpose of this is to deliver agreed levels

of service to users and customers, and to manage the applications,
technology and infrastructure that support delivery of the
services. It is only during this stage of the lifecycle that
services actually deliver value to the business, and it is the
responsibility of Service Operation staff to ensure that this value
is delivered.

 Continual Service Improvement: this is concerned with maintaining

value for customers through the continual evaluation and
improvement of the quality of services and the overall maturity of
the ITSM service lifecycle and underlying processes. CSI combines
principles, practices and methods from quality management, Change
Management and capability improvement, working to improve each

2
Current ITIL version is ITIL 2011 is an update to the version 3 or ITIL 2007

Copyright © Central Bank of Nigeria 2013

stage in the service lifecycle, as well as the current services,

processes, and related activities and technology.
ITIL: http://www.itil-officialsite.com/

ISO 20000
The ISO 20000 standard specifies a set of inter-related management
processes and is derived from ITIL. The Standard promotes an integrated
service management model comprising of the following:

 Requirements for a Management System

o Management Responsibility
o Documentation requirements
o Competence, awareness and training

 Planning and Implementing Service Management

o Plan service management
o Implement service management and provide the services
o Monitoring, measuring and review
o Continual Improvement

 Planning and Implementing new or changed services

 Service Delivery Processes

o Service Level Management
o Service Reporting
o Service Continuity and Availability Management
o Budgeting and Accounting for IT Services
o Capacity Management
o Information Security Management

 Relationship Processes
o General requirements
o Business Relationship Management
o Supplier Management

 Resolution Processes
o Background
o Incident Management
o Problem Management

 Control Processes
o Configuration Management

Copyright © Central Bank of Nigeria 2013

o Change Management

 Release Processes
o Release Management
ISO 20000: http://www.iso.org/

Copyright © Central Bank of Nigeria 2013

2.5.2 Data Centre

Purpose Standard for infrastructure and communication for data

processing sites for the financial services industry

 The Uptime Institute Tier Standard is a global

Standards
standard based on availability specifications for
data centres.
 TIA 942 Standard for Data Centres is a
telecommunications standard that specifies
requirements for telecommunications infrastructure
and facilities of data centres.

Acceptable
 Tier 3
Tier
 Data Centre Tier Standard
Rationale
for The Uptime Institute site infrastructure tier standard
Selection is a widely adopted global standard that was developed
as an objective basis for comparing the functionality,
capacity and expected availability of a data centre
site

 TIA 942 Standard

 The Telecommunications Infrastructure Standard for Data

Centres specifies the minimum requirements for
telecommunications infrastructure and facilities of
data centres and computer rooms including single tenant
enterprise data centres and multi-tenant Internet
hosting data centres. The standard is primarily a
telecom infrastructure standard, but also addresses
data centre facility requirements as follows:
 Site space and layout

 Cabling infrastructure

 Tiered reliability

 Environmental considerations

 Implementing the data centre standards to the agreed

Benefits
tier will improve the uptime and availability of
banks’ data centres which will in turn improve
service availability and reduce the risk of down
time.
In order to be found compliant, an organization’s data
Requirements centre must meet the requirements for Tier 3 data
for centres as defined.
compliance Process for compliance

 Upgrade data centre to meet Tier 3 requirements.

Copyright © Central Bank of Nigeria 2013

 Notify the IT Standards Governance Council of

compliance audit readiness

 Submit to compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council

Scope This standard shall be applicable to all banks and

external (managed) service providers in the financial
services industry.
All data centre infrastructure and facilities for the
Nigerian FS industry shall satisfy the requirement for
tier three.

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council.

Key Elements of the Standards

Uptime Institute Tier Standard:
The tier standard establishes four distinctive definitions of data centre
site infrastructure Tier classifications (Tier I, Tier II, Tier III, Tier
IV), and the performance confirmation tests for determining compliance to
the definitions. The Tier classifications describe the site -level
infrastructure topology required to sustain data centre operations, not
the characteristics of individual systems or subsystems. The Tiers are as
follows:

 Tier I - Basic Site Infrastructure: A Tier I basic data centre has

non-redundant capacity components and a single, non-redundant
distribution path serving the computer equipment.

 Tier II - Redundant Site Infrastructure Capacity Components: A Tier

II data centre has redundant capacity components and a single, non -
redundant distribution path serving the computer equipment.

 Tier III - Concurrently Maintainable Site Infrastructure:

o A Concurrently Maintainable data centre has redundant
capacity components and multiple independent distribution
paths (power, cooling, network, etc.) serving the computer
equipment. Only one distribution path is required to serve
the computer equipment at any time. (one active, one
alternate)
o Each and every capacity component and element in the
distribution paths can be removed from service in a planned
basis without impacting any of the computer equipment.
o Tier III engine generator systems are considered the primary
power source for the data centre. The local power utility is
an economic alternative. Disruptions to the utility power are

Copyright © Central Bank of Nigeria 2013

not considered a failure but rather an expected operational

condition for which the site must be prepared. The engine
generator system along with its power paths and other
supporting elements (emergency power off, isolation valves,
start system for engine generators, control system for
mechanical plants etc.) must be concurrently maintainable
o Annual maintenance shutdowns are not required and unplanned
failures are reduced to 1.6 hours on an annual basis (99.98%
availability)
o All IT equipment is dual powered as defined by the
Institute’s Fault Tolerant Power Compliance Specification,
Version 2.0 and installed properly to be compatible with the
topology of the site’s architecture. Transfer devices, such
as point-of-use switches, must be incorporated for computer
equipment that does not meet this specification

 Tier IV - Fault Tolerant Site Infrastructure:

o A Fault Tolerant data centre has multiple, independent,
physically isolated systems that provide redundant capacity
components and multiple, independent, diverse, active
distribution paths simultaneously serving the computer
equipment. The redundant capacity components and diverse
distribution paths shall be configured such that “ N ”
capacity is providing power and cooling to the computer
equipment after any infrastructure failure.
o All IT equipment is dual powered as defined by the
Institute’s Fault Tolerant Power Compliance Specification,
Version 2.0 and installed properly to be compatible with the
topology of the site’s architecture. Transfer devices, such
as point-of-use switches, must be incorporated for computer
equipment that does not meet this specification.
o Complementary systems and distribution paths must be
physically isolated from one another (compartmentalized) to
prevent any single event from simultaneously impacting either
systems or distribution paths.
o Continuous Cooling must be provided.
The Uptime Institute Tier Standard: http://www.uptimeinstitute.org

TIA 942
Intended for use by data centre designers early in the building
development process, and covers the following:

 Site space and layout: Proper space allocation for a data centre
starts with ensuring that space can be easily reallocated to
changing environments and growth. Designers must strike a balance
between acceptable initial deployment costs and anticip ated space
required in the future. The data centre should be designed with
plenty of flexible "white space," empty space that can accommodate
future racks or cabinets. The space surrounding the data centre

Copyright © Central Bank of Nigeria 2013

must also be considered for future growth and plan ned for easy
annexation. The standard also recommends specific functional areas,
which helps to define equipment placement based on the standard
hierarchical star topology design for regular commercial spaces.
The TIA-942 specifies that a data centre should include the
following key functional areas:
o One or More Entrance Rooms
o Main Distribution Area (MDA)
o One or More Horizontal Distribution Areas (HDA)
o Equipment Distribution Area (EDA)
o Zone Distribution Area (ZDA)
o Backbone and Horizontal Cabling

 Cabling infrastructure: the standard specifies a generic, permanent

telecommunications cabling system and provides specifications for
the following recognized cabling media:
o Standard single mode fiber
o 62.5 and 50 μm multimode fiber
o Laser-optimized 50μm multimode fiber
o 75-ohm coaxial cable (recommended for E-1, E-3, and T-3
circuits)
o 4-Pair Category 6 UTP and ScTP cabling
o For horizontal cabling, the TIA-942 standard recommends
installing the highest capacity media available to reduce the
need for re-cabling in the future.

 Tiered reliability: To provide a means for determining specific

data centre needs, the TIA-942 standard includes information on
data centre availability tiers. These tiers are based on the Uptime
Institute.

 Environmental considerations: Environmental considerations within

the TIA-942 include
o fire suppression,
o humidity levels,
o operating temperatures,
o architectural, electrical and mechanical system
specifications.
The requirement in respect of each environmental consideration is
defined based on levels of reliability.
TIA 942 Standard for Data Centres: http://www.tiaonline.org/

Copyright © Central Bank of Nigeria 2013

2.5.3 Health, Safety and Environment

Purpose Structured framework for ensuring a safe work

environment

Standard  BS OHSAS 18001

Minimum
Acceptable
 Not Applicable
Maturity
Level

Description  BS OHSAS 18001 is a globally recognized framework

for Occupational Health and Safety Management
of Standards Systems (OHSMS)

 BS OHSAS 18001
Rationale
for  BS OHSAS 18001 is one of the most recognized
Selection frameworks for occupational health and safety
management systems that allows an organization to
proactively control health and safety risks and
improve performance. It provides an assessment
specification for Occupational Health and Safety
Management Systems.

 While this is not an IT driven standard,

occupational safety is critical and is a key metric
globally used in the appraisal of service providers
across industries.

 Demonstration to stakeholders of commitment to

Benefits
health and safety

 Potential reduction in the number of accidents

leading to a reduction in downtime and associated
costs

 Improved management of health and safety risks

An organization must implement the necessary controls
Requirements to meet the requirements of the OHSAS standard and be
for certified by accredited OHSAS auditors.
compliance Process for compliance

 Implement a Health and Safety Management System to

meet the requirements of the OHSAS standard

 Submit to a compliance audit by OHSAS auditors.

 Provide a certificate of compliance to the IT

Standards Governance Council as proof of compliance

Copyright © Central Bank of Nigeria 2013

Scope This standard shall be applicable to all banks and

external (managed) service providers in the financial
services industry.

Exemption An organization may seek exemption from compliance by

formal application for exemption supported by clearly
articulated business justification to the IT Standards
Governance Council.

Key Elements of the Standards

OHSAS 18001:

 Occupational Health & Safety (OH&S) Policy: Creation of an OH&S

policy

 Planning
o Hazard identification, Risk Assessment and Determining
Controls
o Legal and Other Requirements: Procedure for describing how
legal information is identified and accessed.
o Objectives and Programs: Outlines the importance of a process
to manage OH&S programs with objectives & targets which are
consistent with the policy

 Implementation and Operation

o Resources, Roles, Responsibility, Accountability and
Authority: Top management needs to take ultimate
responsibility for health and safety. This requirement
defines relevant management, accountability, structure,
roles, responsibilities, authorities and includes the
appointment of an OH&S management representative
o Competence, Training, and Awareness: Ensures that persons
performing tasks are competent and trained to do them
o Communication, Participation and Consultation: Outlines
required procedures for internal & external communications.
o Documentation: Occupational Health and Safety Management
Systems (OHSMS) documentation requirements in electronic or
paper form
o Control of Documents: Explains the requirement to control
documents so that current versions are distributed and
available at points of use and obsolete versions are removed
from the system.
o Operational Control: Identifies critical functions associated
with the identified hazards where controls are necessary.
o Emergency Preparedness and Response: Process required for
identifying & responding to emergencies.

Copyright © Central Bank of Nigeria 2013

 Checking and Corrective Action

o Performance Measurement and Monitoring: Measures data for
action and describes the plan to monitor and measure OH&S
performance on a regular basis.
o Evaluation of Compliance: Procedure(s) required for scheduled
evaluations of compliance. The organization will need to keep
records of these periodic evaluations.
o Incident Investigation, Non-conformances, Corrective &
Preventive Action: Procedures for investigating incidents and
acting on health and safety non-conformances. Corrective and
Preventive actions must be taken.
o Control of Records: Records necessary to demonstrate
conformity to the requirements of the OHSMS must be
controlled
o Internal Audit: Procedure to conduct the audits of the OHSMS
at planned intervals to ensure that the system complies with
planned arrangements.

 Management review: Top Management must review the OHSMS at planned

intervals to ensure that the system continues to be suitable,
adequate and effective.
Ref: http://www.bsigroup.com/

Copyright © Central Bank of Nigeria 2013

2.5.4 Business Continuity

Purpose Framework to guide crisis management and ensure that

critical services will always be available to customers
and other stakeholders that must have access to those
services
 Business Continuity Institute (BCI) Good Practice
Standard
Guidelines (GPG): a management guide to implementing
global best practice in Business Continuity
Management
 BS 25999: a Business Continuity Management standard
that applies Business Continuity Planning to
enterprises. BS 25999 is in 2 parts; BS 25999-1 and
BS 25999-2 which has been superseded by ISO22301 The
ISO22301 will be adopted as a replacement to BS25999
during the next IT Standards review

Minimum
Acceptable
 Not Applicable
Maturity
Level
 BCI Good Practice Guidelines
Rationale
for  The BCI GPG is a holistic set of guidelines
Selection developed by the Business Continuity Institute which
specifies six Professional Practices that cover all
six phases of a Business Continuity Management
Lifecycle:
o Policy and Programme Management
o Embedding BCM in the Organization’s Culture
o Understanding the Organization
o Determining BCM Strategies
o Developing and Implementing a BCM Response
o Exercising, Maintenance and Review of BCM

 BS 25999 ( ISO22301)

 Guidance on activities and deliverables applicable

in establishing a continuity management process, as
well as providing recommended good practice steps.
It consists of 2 parts which details an auditable
set of requirements
o A Code of Practice which establishes
processes, principles and terminology for
Business Continuity Management
o A Specification which details requirements for
implementing, operating and improving a
documented Business Continuity Management

Copyright © Central Bank of Nigeria 2013

System and describes requirements that can be

objectively and independently audited.
The BCI GPG and the BS 25999-1 both provide guidelines
for Business Continuity Management

 Assurance of business resilience and the capability

Benefits
to effectively respond to crisis situations.

 Reduced exposure to risks by methodical risk

identification

 Reduced downtime
BCI Good Practice Guidelines:
Requirements
for In order to be compliant to the industry standard the
guidelines of the BCI GPG must be implemented within
compliance the organization.

BS 25999 ( ISO22301):
In order to be compliant, the organization must
implement a BCM System based on the requirements of
Specification Section (Part 2) of the standard
Process for compliance
BCI Good Practice Guidelines

 Implement the requirements of the BCI GPG and submit

to a compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council.
BS 25999 ( ISO22301)

 Implement the controls specified in the

specification section of the standard

 Request an assessment from an accredited BS 25999 (

ISO22301 ) auditor

 Provide the results to the IT Standards Governance

Council as proof of compliance

Scope This standard shall be applicable to all banks and

external (managed) service providers in the financial
services industry.
 All organizations shall implement either the BCI GPG
or the BS 25999-1 guidelines.

 BS 25999-2 (ISO22301 ) certification is mandatory

for external (managed) service providers in the
industry.

Copyright © Central Bank of Nigeria 2013

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council.

Key Elements of the Standards

BCI GPG:
The Good Practice Guidelines specifies six Professional Practices which
cover the six phases of BCM Lifecycle. These are grouped into 2
Management and 4 Technical Professional Practices

 Management Professional Practices

o Policy and Programme Management: The BCM Policy of an
organization provides the framework around which the BCM
capability is designed and built. An effective BCM programme
will involve the participation of various managerial,
operational, administrative and technical disciplines that
need to be coordinated throughout its life cycle
o Embedding BCM in the Organization’s Culture: Developing a
Business Continuity culture is vital to maintaining
enthusiasm, readiness and effective response at all levels.
It involves

 Assessing BCM Awareness and Training

 Developing BCM within the Organization’s Culture

 Monitoring Cultural Change

 Technical Professional Practices

o Understanding the Organization: understanding of the urgency
with which activities and processes need to be resumed if
they are disrupted and involves:

 Business Impact Analysis

 Risk Assessment
o Determining BCM Strategies: determining and selecting BCM
Strategies to be used to maintain the organization’s business
activities and processes through an interruption. It
includes:

 Corporate Strategies

 Activity Level Strategy

 Resource Level Consolidation

o Developing and Implementing a BCM Response: this aims to
identify in advance, as far as possible, the actions that are
necessary and the resources which are needed to enable the
organization to manage an interruption whatever its cause. It

Copyright © Central Bank of Nigeria 2013

includes

 Incident Management Plan

 Business Continuity Plan

 Business Unit Plans

o Exercising, Maintenance and Review of BCM: A BCM capability
cannot be considered reliable until it has been exercised,
maintained and audited
Ref: www.thebci.org

BS 25999
BS 25999-1 establishes processes, principles and terminology for Business
Continuity Management. It covers the following key areas:

 The Business Continuity Management Policy: Central to the

implementation of business continuity is having a clear,
unambiguous and appropriately resourced policy

 BCM Programme Management: Programme management is at the heart of

the entire BCM process and the standard defines an approach

 Understanding the organization: In order to apply appropriate

business continuity strategies and tactics the organization has to
be fully understood, its critical activities, resources, duties,
obligations, threats, risks and overall risk appetite.

 Determining BCM Strategies: Once the organization is thoroughly

understood the overall business continuity strategies can be
defined that are appropriate.

 Developing and implementing a BCM response: The tactical means by

which business continuity is delivered. These include incident
management structures, incident management and business continuity
plans.

 Exercising, maintenance, audit and self-assessment of the BCM

culture: Without testing the BCM response an organization cannot be
certain that they will meet their requirements. Exercise,
maintenance and review processes will enable the business
continuity capability to continue to meet the organizations goals.

 Embedding BCM into the organizations culture: Business continuity

should not exist in a vacuum but become part of the way that the
organization is managed

BS 25999-2 (ISO22301)
Part 2 of the standard is predicated on the established Plan -Do-Check-Act
model of continuous improvement and covers the following:

 Planning the Business Continuity Management System (PLAN): The

first step is to plan the BCMS, establishing and embedding it

within the organization.

 Implementing and Operating the BCMS (DO): This focuses on the

actual implementation of the plans. This section includes a number
of topics in Part 1.

 Monitoring and Reviewing the BCMS (CHECK): To ensure that the BCMS
is continually monitored the Check stage covers internal audit and
management review of the BCMS.

 Maintaining and Improving the BCMS (ACT): To ensure that the BCMS
is both maintained and improved on an ongoing basis this section
looks at preventative and corrective action
Ref: http://www.bsigroup.com/

2.6 Information & Technology Security

Purpose  Framework for ensuring that critical information assets

are protected from unauthorized access, use,
disclosure, disruption, modification, perusal,
inspection, recording or destruction.

 ISO 27001/27002 is a globally recognized information

Standard
security management standard
 Payment Card Industry Data Security Standard (PCI
DSS) is a global standard for information security
defined by the PCI Security Standards Council which
applies to all organizations that have cardholder
data traversing their networks

Acceptable
Maturity  Not Applicable
Level
 ISO 27001/27002
Rationale
for  ISO 27001 enables organizations establish and
Selection maintain an information security management system
(ISMS). It focuses on how to implement, monitor,
maintain, and continually improve the Information
Security Management System
ISO 27002 provides established guidelines and
general principles for initiating, implementing,
maintaining, and improving information security
management within an organization. It contains
guidance on implementation of individual security
controls, which may be selected and applied as part
of an ISMS

 PCI DSS

 This standard is applicable to organizations that

store, process and/or transmit credit and debit card
data and aims to prevent card related fraud through
increased controls around data.

PCI DSS requirements are similar to some of the ISO

27001 certification requirements.

 Increased customer confidence through assurance of

Benefits
higher level of data security

 Increased protection against financial losses and

remediation costs that arise from security breaches

PCI DSS:
Requirements
for In order to be found compliant, the organization must
implement the specified controls within the agreed
compliance timelines and be ascertained by a Qualified Security
Assessor (QSA) to have met the requirements for
compliance.
ISO 27001:
An organization must implement the necessary controls
to meet the requirements of the standard and be
certified by an accredited certification body as such.
Process for compliance
PCI DSS

 Implement required controls

 Engage a QSA to conduct a compliance audit

 Provide the results to the IT Standards Governance

Council as proof of compliance
ISO 27001

 Implement the requirements of the ISO 27001 standard

 Submit an application for assessment to an

accredited certification body to conduct the
compliance audit. This is in 2 stages:
o A review of the required documentation
o A compliance audit of the controls of the ISMS

 Provide the results to the IT Standards Governance

Council as proof of compliance

Scope This standard shall be applicable to all banks and

external (managed) service providers in the industry.
 PCI DSS compliance is mandatory for all
organizations that store, process or transmit credit
and debit card data.

 ISO 27001 certification is not mandatory.

Exemption An organization may seek exemption from compliance by

formal application supported by clearly articulated
business justification to the IT Standards Governance
Council.

Key Elements of the Standards

PCI DSS:
The PCI DSS standard specifies twelve requirements for compliance across
six control objectives as follows:

 Build and Maintain a Secure Network

o Install and maintain a firewall configuration to protect
cardholder data
o Do not use vendor-supplied defaults for system passwords and
other security parameters

 Protect Cardholder Data

o Protect stored cardholder data
o Encrypt transmission of cardholder data across open, public
networks

 Maintain a Vulnerability Management Program

o Use and regularly update anti-virus software on all systems
commonly affected by malware
o Develop and maintain secure systems and applications

 Implement Strong Access Control Measures

o Restrict access to cardholder data by business need-to-know
o Assign a unique ID to each person with computer access
o Restrict physical access to cardholder data

 Regularly Monitor and Test Networks

o Track and monitor all access to network resources and
cardholder data
o Regularly test security systems and processes

 Maintain an Information Security Policy

o Maintain a policy that addresses information security
PCI DSS : https://www.pcisecuritystandards.org/

ISO 27001 / 27002

ISO 27001 is based on the Plan-Do-Check-Act model and defines a set of
information security management requirements as follows:

 Establish an ISMS

 Implement, operate, and maintain the ISMS

 Monitor, measure, audit, and review the ISMS

 Continually improve the ISMS

ISO 27002 contains guidance on implementation of individual security

controls, which may be selected and applied as part of an ISMS. Controls
are grouped into the following categories:

 Risk Assessment and Treatment

 Security Policy

 Organization of Information Security

 Asset Management

 Human Resources Security

 Physical Security

 Access Control

 Information Systems Acquisition, Development, Maintenance

 Information Security Incident management

 Business Continuity

 Compliance
ISO 27001: http://www.iso.org/

2.7 Workforce & Resource Management

Purpose
 Framework for defining ICT Skills required in an
organization.

Standard  Skills Framework for the Information Age (SFIA)

Minimum
Acceptable
 Not Applicable
Maturity
Level

Description  The SFIA is a model widely adopted in the United

Kingdom for describing and managing competencies for
of Standards ICT professionals

 SFIA
Rationale
for  SFIA provides a common reference model for the
Selection identification of the skills and competencies
required by ICT professionals and maps out 101
identifiable skills, categorized into 6 main areas:
o Strategy and architecture
o Business change
o Solutions development and implementation
o Service management
o Procurement and management support
o Client interface
 The standard is freely available for download and
use
 Improved deployment of IT skills within the
Benefits
organization

 Improved alignment of skills to functional roles

resulting in effectiveness and greater staff
retention

 Improved skills development and career path planning

In order to be compliant to the industry standard the
Requirements requirements of the SFIA framework must be implemented.
for
Process for compliance
compliance
 Implement the SFIA framework and submit to a
compliance audit

 If all requirements are met, the organization will

be deemed to have complied by the IT Standards
Governance Council.

Scope This standard shall be applicable to all banks and

external (managed) service providers in the financial
services industry.

Deviation An organization may seek exemption from compliance by

from Use formal application for exemption supported by clearly
articulated business justification to the IT Standards
Governance Council.

Key Elements of the Standards

SFIA:

 The standard specifies skills categories divided into six main

areas with sub categories as follows:
o Strategy and planning:

 Information strategy

 Advice and guidance

 Business/IT strategy and planning

 Technical strategy and planning

o Business change

 Business change implementation

 Business change management

 Relationship management
o Solutions development and implementation

 Systems development

 Human factors

 Installation and integration

o Service management

 Service Strategy

 Service Design

 Service transition

 Service Operation
o Procurement and management support

 Supply management

 Quality Management

 Resource management

 Learning and development

o Client interface

 Sales and marketing

 Client Support

 In addition, seven levels of responsibility are also defined:

o Follow: Basic capability to complete tasks under close
supervision. Not expected to use much initiative. Should be
organized, capable of learning and contribute to own
development plan.
o Assist: Uses some discretion and has a wider circle of
interaction than level 1, especially in specialty. Works on a
range of tasks, and proactively manages personal development.
o Apply: Complete work packages with milestone reviews only.
Escalates problems under own discretion. Works with suppliers
and customers. May have some supervisory responsibility.
Performs a broad range of tasks, takes initiative, and
schedules own and others work.
o Enable: Works under general direction in a framework.
Influence at account level, works on a broad range of complex
activities. Good level of operational business skills.
o Ensure and advise: Broad direction, supervisory, objective
setting responsibility. Influences organization. Challenging
and unpredictable work. Self-sufficient in business skills.
o Initiate and influence: Authority for an area of work. Sets
organizational objectives. Influences policy, significant
part of organization, and customers and suppliers at a high
level. Highly complex and strategic work. Initiates and leads
technical and business change.
o Set strategy, inspire, and mobilize: Authority includes
setting policy. Makes decisions critical to organization,
influences key suppliers and customers at top level. Leads on
strategy. Full range of management and leadership skills.
Ref : http://www.sfia.org.uk/

3 Re-prioritised Industry IT standards

3.1 Re-prioritised IT Standards
The IT standards are prioritized based on Effort (ease of
implementation of a standard is a function of the efforts required
to implement, the implementation costs as well as the duration and
risks of implementation) and Benefits (the impact of
implementation on the business and on the end user, the benefits
derivable as well as the time it takes to begin deriving value
from the implementation of the standard)

Figure 1 - IT Standards Prioritization

The IT standards areas prioritisation is as follows:

Priority 1 Standards:

 Service Management

 Interfaces

 IT Security

 Application Reporting
Priority 2 Standards

 IT Governance

 Strategic IT Alignment

 Project Management

 Workforce and Resource Management

Priority 3 Standards

 Data Centre

 Business Continuity Management

 Enterprise Architecture

 Health, Safety and Environment

 Application Development

The standards shall be implemented using a continuum approach such

that initial implementations would target the agreed maturity
level 3 and subsequently improved to include certifications and
higher maturity levels.

Priority 1: ITIL ISO 20000

ISO 8583 ISO 20022

PCI-DSS ISO 27001

XBRL Continuous
XBRL Improvement

Priority 2:
COBIT ISO 38500
PMBOK / PRINCE2 PMBOK / PRINCE2
Level 3 Level 5
SFIA Continuous
SFIA Improvement

Priority 3:
Data Centre Tier 3 Data Centre Tier 4

BCI Guidelines ISO22301

BS25999

TOGAF Level 3 TOGAF Level 5

OHSAS Continuous
OHSAS
Improvement
CMMI ISO 15504

Figure 2 - IT Standards Implementation Roadmap

3.2 IT Standards Adoption Roadmap

A five year roadmap for banks to adopt the following standards at
maturity level 3 is therefore proposed based on the priorities. It
is recommended that compliance audits begin at the end of the
prescribed periods.

CMMI
Service Management ITIL
& Operations SFIA
DC Tier Standards (Target Maturity: Tier 3)
BCI GPGs / BS25999 / ISO 22301
OHSAS 18001
Figure 3 - Recommended Adoption Timeline

4 IT Standards Governance and Interaction Model

The purpose of the IT Standards Governance Model is to establish a
framework which will facilitate the adoption of IT standards as
well as management of the standards lifecycle within the Nigerian
Banking Industry.

4.1 Guiding Principles and Policies

The following guiding policies have been defined for the
administration of IT standards in the Nigerian Financial Services
Industry:
1. Standards must be internationally acknowledged standards
or a local variant
2. All Financial Services organizations and external IT
service providers / operators shall be required to comply
with IT standards
3. Governance Council to oversee IT standards adoption,
implementation and management within the industry
4. Governance Council reports periodically to the Bankers’
Committee on status and compliance with approved
standards
5. Membership of the IT Standards Governance Council
includes nominees of Deposit Money Banks and the Central
Bank of Nigeria
6. Independent assessment of Banks’ internal processes and
test controls will be the basis of determining compliance
7. Periodic audits will be carried out annually on Banks’
processes and controls to ensure compliance.

4.2 IT Standards Governance Model and Processes

In order to embed the adopted IT Standards within the Nigerian
Financial Services industry, it is expedient to develop a binding
framework of processes and procedures that will guide the
introduction of new standards, review or modification of existing
ones, and complete withdrawal of obsolete or irrelevant standards,
thereby maintaining relevance and ensuring continuity by both CBN
and other stakeholders.
Establishing and documenting pre-defined roles and responsibility
matrices extend the clarity of governance model organization

charts by providing more precision in the allocation of decisions

to and by authorized personnel
This section details the governance model and processes for the
Financial Services Industry and IT Standards Council.
The IT Standards Governance Council will be supported by (2)
working committees namely:

• Compliance Management Committee

• Standards Review Committee

The IT Standards Governance Council is depicted in the picture
below:

Figure 4- IT Standards Governance Structure

Roles and Responsibilities

Designation Roles and Responsibilities

IT Standards • Promote Industry IT Standards.

Governance
Council • Set strategic direction with respect to
Standards within the Industry.

• Determine the IT Standards to be implemented

across the Industry including maturity levels

Designation Roles and Responsibilities

• Review and update of Industry IT Standards

• Communicate changes required for compliance to

banks when there is a refresh on an already
existing standard

Compliance • Notify banks of planned audit assessment /

Management communicate audit schedules
Committee
• Engage qualified auditors to carry out
compliance audits

• Conduct the audit and assess controls, systems

and processes

• Set and agree frequency of audits with industry

stakeholders

• Report defaulters to the Council for appropriate

decisions

Standards • Maturity assessment of the banking Industry to

Review determine current status/rating of banks with
Committee respect to defined IT industry standards.

• Review global trends in IT standards within the

FS industry and identify gaps with local
industry

• Recommend updates, changes to IT standards to

the Council

4.2.1 Governance Structure: IT Standards Council

The IT Standards Council will be responsible for providing
governance and driving adoption of IT Standards across the industry.
The key functions of the Council are to:

• Promote IT Standards for Nigeria’s Financial Services

Industry.

• Set strategic direction on IT Standards for the Industry.

• Determine the IT Standards to be implemented across the

Industry.

• Review and update of Industry IT Standards.

• Monitor compliance to IT Standards and determine action(s)/

response for deviations.

Core Skills & Knowledge

Selected Banks will nominate suitably experienced representatives to
sit on the Council (and the subcommittees) on their behalf for a
term of 2 years which can be renewed. The experienced Bank nominee
must meet the following requirements to be nominated to the Council:

• Minimum of ten (10) years’ experience in Information

Technology (IT),

• Good knowledge of the Financial Services industry, IT

Standards and compliance implications.

Bankers Committee
Sub-Committee on
Shared Services

IT Standards
Council

Figure 5 - IT Standards Council Organization

Structure

4.2.2 Governance Structure: Compliance Management

Committee
The Compliance Management Committee of the IT Standards Council will
be responsible for:

• Facilitating assessment of controls, systems and processes at

Banks / industry Service Providers

• Managing non-compliance to IT standards implementation

The functions of the Compliance Management Committee are to:

• Conduct compliance monitoring

• Set and agree frequency of audits with industry stakeholders

• Engage qualified assessors to carry out compliance audits

• Notify Banks of planned audit assessment / communicate audit

schedules

• Conduct the audit and assess controls, systems and processes

• Compare maturity of standards adoption with approved maturity

level

• Document audit reports

• Gently persuade defaulting institutions to comply with the

identified IT Standard(s)

• Escalate and report defaulters to the Bankers Committee

Subcommittee on Shared Services

• Ensure penalties are fulfilled by defaulters

IT Standards
Council

Compliance Standards
Management Review
Committee Committee

Figure 6 - Compliance Management Committee

Organization Structure

4.2.3 Governance Structure: Standards Review Committee

The Standards Review Committee will be responsible for managing the
process of transiting from an older version of a standard to the
latest one.

The functions of the Standards Review Committee are to:

• Identify and document differences between new and previous

version of IT standards

• Trigger the Compliance Management Process to validate

compliance status of Banks

• Define relevant standards

• Change standards as deemed appropriate

• Select and modify IT standards and maturity levels

I T St andar ds
Counc i l

Compl i anc e St andar ds

Management Revi ew
Commi t t ee Commi t t ee

Figure 7 - Standards Review Committee

Governance Structure

4.3 IT Standards Compliance Framework

The following high-level process framework has been defined to
guide the activities of the Council:

Figure 8 - IT Standards Compliance Framework

The following sub-sections details the processes involved in the

framework defined above and responsible parties required for
execution.

Define/ Change Standard:

Figure 9 - Define/ Change Sub-framework

Monitor Compliance/ Measure Maturity:

Figure 10 - Monitor Compliance/ Measure Maturity Sub-framework

Documentation of Management Reports:

Figure 11 – Documentation/ Management Reporting Sub-framework

Coax/Report Defaulting Banks/ Enforce Compliance:

Figure 12 - Enforce Compliance Sub-framework

4.4 Stakeholders’ Interaction/ Communication framework

Based on the processes defined earlier an interaction model for
the different stakeholders is shown below.

Figure 13 - IT Standards Stakeholders' Interaction Framework

• The IT Standards Council administers the adoption and

implementation of IT standards in Nigerian Banks through
formal communication on changes to IT Standards and results of
compliance audit on Banks

• The Standards Review Committee will engage the Banks to review

the current position assessment and maturity level of IT
Standards and will provide feedback on the state of the
industry to the Council as part of the annual IT Standards
reviews

• Compliance Monitoring Committee will assess the compliance of

the Banks to the implemented standards, identify the
defaulting Banks, document compliance to the standards and
report status to the IT Standards Council. The Council will

notify defaulters about their status and persuade them to

comply

• Independent Assessors will be engaged to assess processes,

systems and controls at all Banks. When scheduled audits have
been concluded, Independent Assessors will submit audit
reports to the IT Standards Council through the Standards
Audit Committee

• Independent IT Standards Consultants will also be engaged to

provide external reviews of IT Standards. When Standards
Reviews have been concluded, Independent Consultants will
submit their report and recommendations to the IT Standards
Council through the Standards Review Committee

• Banks will present themselves to the Independent Assessors/

consultants and also provide requisite documentations to the
Standards Review Committee or Compliance Monitoring Committee
as required.

5 Frequently Asked Questions (FAQ)

The table below is an excerpt of some of the frequently asked
questions on IT Standards asked and responses to them:

S/N Feedback from the Banks Response

1 Will CBN certify Banks The Council will not certify banks.
that are compliant with Certification will be left for the Certificate
respect to the IT Authorities
Standards?

2 Who will determine the Standards Review Committee is responsible for

acceptability of local the review and evaluation of IT Standards on an
variations of standards annual basis to determine their continued
and how would this be relevance to the local industry. Where these
achieved? standards are found to require a local context,
this will be recommended to the IT Standards
Council after a thorough review by the
committee.

3 Will Implementation Implementation guidelines from certification

Guidelines suffice (in authorities will suffice. However, a minimum of
the interim) for Banks maturity 3 is required for all FS Organisations.
towards full
compliance?

4 Can a phased maturity Phased maturity plans can be adopted by Banks.

plan be adopted by However, Banks will be expected to meet the
Banks to attain minimum acceptable maturity level on or before
maturity level 3 the deadline for such standards.

5 How many Standards per Banks are required to implement only one
capability area are standard per area of IT concern. Banks that
required by the Banks want to implement more than one standard are
to implement? welcomed.

6 Who would be All organisations that would be responsible for

responsible for providing services to the industry will be
ensuring compliance for subject to the industry IT standards. However,
services/ IT Standards the existence of service providers does not
provided by the Service preclude Banks from implementing the IT
provider? standards.

7 Can the Banks extend Banks can extend the current standards as long
the scope of new and as the minimum features / requirements of the
already implemented standards defined for the Industry are met
standards?

8 Are Banks with foreign Yes. Standards defined for the local industry
affiliation required to are expected to be adopted by every Bank
adopt the se IT

S/N Feedback from the Banks Response

Standards? irrespective of affiliation or parentage.

9 Will self- Internal audits / checks may be performed to

audit/assessment by a ensure Bank's own compliance. However only
Bank’s internal reports from the Compliance Management Committee
compliance audit and Independent Assessors will be used for
sufficient? compliance purposes by the IT Standards Council.

10 Will there be There will no exemptions. All banks will be

exemptions for some required to implement all agreed IT standards
Banks with regards to
adopted IT Standards?

11 Will partial No. Banks are at liberty to determine how they

implementation of approach standards implementation. However, the
standards such as CMMI minimum features/ requirements of the standards
be accepted? defined for the Industry as well as maturity
level must be met.

12 How would new, excluded All new/ additional standards will be reviewed
or obsolete IT during the annual IT standards review and
Standards e.g. risk recommendations made to the IT standards Council
management, PA-DSS etc.
be reviewed?

13 Will the implementation For financial reporting, implementation of the

of IFRS taxonomy as IFRS taxonomy suffices for XBRL compliance.
part of the mandatory However, it does not cater to other forms of
migration to IFRS based business information reporting
reporting suffice for
XBRL compliance?

APU Project Handbook
0% (1)
APU Project Handbook
27 pages
Affidavit of Intent and Consent To Adoption of Child
41% (17)
Affidavit of Intent and Consent To Adoption of Child
2 pages
Technical and Service Requirements
No ratings yet
Technical and Service Requirements
136 pages
6 Degrees of Separation Worksheet
No ratings yet
6 Degrees of Separation Worksheet
3 pages
Book Questions: Case Study - Airstar Inc
No ratings yet
Book Questions: Case Study - Airstar Inc
14 pages
Business Outlookindia
No ratings yet
Business Outlookindia
4 pages
WinThanTun PDF
No ratings yet
WinThanTun PDF
401 pages
ERP Functional & Technical Comparison
No ratings yet
ERP Functional & Technical Comparison
8 pages
7 ISOversusCMMI
No ratings yet
7 ISOversusCMMI
5 pages
AML Presentation
No ratings yet
AML Presentation
48 pages
Tools Triz 20161205 PDF
No ratings yet
Tools Triz 20161205 PDF
37 pages
CT058 3 M ISA Individual Assignment (2018)
No ratings yet
CT058 3 M ISA Individual Assignment (2018)
7 pages
Report On The Environmental Impact Assessment Carried Out For Development of The Proposed Multistoried Market in Jahangirnagar University
No ratings yet
Report On The Environmental Impact Assessment Carried Out For Development of The Proposed Multistoried Market in Jahangirnagar University
30 pages
MIS Course Handout - 2018-19 Second Sem - WILP BITS Pilani
No ratings yet
MIS Course Handout - 2018-19 Second Sem - WILP BITS Pilani
14 pages
SDLC - Agile Model
No ratings yet
SDLC - Agile Model
3 pages
CMMI 2018 Keith
No ratings yet
CMMI 2018 Keith
156 pages
Quantitative Approach
0% (1)
Quantitative Approach
18 pages
Final Assignment - For Nepal
No ratings yet
Final Assignment - For Nepal
7 pages
Leshan - 2
100% (1)
Leshan - 2
48 pages
Engr 332
No ratings yet
Engr 332
124 pages
System Process: CMMI, ISO
No ratings yet
System Process: CMMI, ISO
23 pages
Process Improvement Acronym Decoder
No ratings yet
Process Improvement Acronym Decoder
2 pages
Cmmi Lessons Learned
100% (1)
Cmmi Lessons Learned
265 pages
Getting To Level 2
No ratings yet
Getting To Level 2
29 pages
Mba 815 Management Information System
No ratings yet
Mba 815 Management Information System
196 pages
Cmmi Project
No ratings yet
Cmmi Project
3,570 pages
Software Project Management
No ratings yet
Software Project Management
20 pages
System Integration and Architecture - P2
No ratings yet
System Integration and Architecture - P2
24 pages
Unit-3 - E-Content Creation Using MOODLE
0% (1)
Unit-3 - E-Content Creation Using MOODLE
31 pages
Software Process Models
No ratings yet
Software Process Models
31 pages
The Open Banking Report
100% (1)
The Open Banking Report
11 pages
IT Availability Management Procedure
100% (1)
IT Availability Management Procedure
15 pages
The Cost of Production - Chapter 7
No ratings yet
The Cost of Production - Chapter 7
18 pages
Hoc Practices, To Formally Defined Steps, To Managed Result Metrics, To Active
No ratings yet
Hoc Practices, To Formally Defined Steps, To Managed Result Metrics, To Active
5 pages
Edited Microfinance
No ratings yet
Edited Microfinance
59 pages
Assignment Template Model
No ratings yet
Assignment Template Model
22 pages
Senior Program Manager in Columbus OH Resume Lyn Kinney
No ratings yet
Senior Program Manager in Columbus OH Resume Lyn Kinney
4 pages
Mobile Wallet Payments Recent Potential Threats An
No ratings yet
Mobile Wallet Payments Recent Potential Threats An
8 pages
Scrum Training Notes - Week 1
No ratings yet
Scrum Training Notes - Week 1
8 pages
BIT 413 Software Project Management Course Outline
No ratings yet
BIT 413 Software Project Management Course Outline
2 pages
Chapter 1 (1.3-Adapting The Generic Product Development Process)
No ratings yet
Chapter 1 (1.3-Adapting The Generic Product Development Process)
19 pages
Business Analysis IT
100% (1)
Business Analysis IT
15 pages
Assignment 4 SaaS, PaaS, IaaS
No ratings yet
Assignment 4 SaaS, PaaS, IaaS
5 pages
Amity University - UTTAR PRADESH - Amity Institute of Information Technology NTCC - Major Project
No ratings yet
Amity University - UTTAR PRADESH - Amity Institute of Information Technology NTCC - Major Project
15 pages
Experiment 1: Aim: To Give A Detailed Project Description Using Agile Methodology and Specifying User Stories and Product Backlog
No ratings yet
Experiment 1: Aim: To Give A Detailed Project Description Using Agile Methodology and Specifying User Stories and Product Backlog
9 pages
How Can Indian Banks Comply With RBI Cybersecurity Guidelines
No ratings yet
How Can Indian Banks Comply With RBI Cybersecurity Guidelines
12 pages
Questions Take Home Agile Hybrid Management
No ratings yet
Questions Take Home Agile Hybrid Management
6 pages
CT071-3-M-OOSSE-Question Paper
No ratings yet
CT071-3-M-OOSSE-Question Paper
4 pages
Evolution of Project Management .
No ratings yet
Evolution of Project Management .
9 pages
Innovation Management and New Product Development: Individual Assignment
No ratings yet
Innovation Management and New Product Development: Individual Assignment
28 pages
The Role of IT in Project Management
No ratings yet
The Role of IT in Project Management
21 pages
CMMI-Dev V1.3 Training
No ratings yet
CMMI-Dev V1.3 Training
189 pages
Advisor FinTech Landscape July 03 2023
No ratings yet
Advisor FinTech Landscape July 03 2023
1 page
Business Plan Preparation
No ratings yet
Business Plan Preparation
60 pages
Ittihad University: Assignment Two
0% (1)
Ittihad University: Assignment Two
12 pages
Synpulse - Banking - Robo Advisory
No ratings yet
Synpulse - Banking - Robo Advisory
4 pages
10 Tips To Execute Your Sprint Plans For Maximum Efficiency
No ratings yet
10 Tips To Execute Your Sprint Plans For Maximum Efficiency
4 pages
IT Governance and Ethics
No ratings yet
IT Governance and Ethics
20 pages
Software Engineering An Overview: Ranjit Raman Team Coordinator E-Gov, C-DAC, Pune
No ratings yet
Software Engineering An Overview: Ranjit Raman Team Coordinator E-Gov, C-DAC, Pune
37 pages
Explanation of The Most Common Types of Administrative Risks PDF
No ratings yet
Explanation of The Most Common Types of Administrative Risks PDF
16 pages
IT Standards Blueprint V1.0
No ratings yet
IT Standards Blueprint V1.0
96 pages
CBN - IT Standards - July2021
No ratings yet
CBN - IT Standards - July2021
2 pages
Information Technology in Nigerian Banks: The Limits of Expectations
No ratings yet
Information Technology in Nigerian Banks: The Limits of Expectations
13 pages
IIBF Information System Banker Full Notes
No ratings yet
IIBF Information System Banker Full Notes
3 pages
A Report of SUMMER TRAINING at GUJARATMITRA PRESS
No ratings yet
A Report of SUMMER TRAINING at GUJARATMITRA PRESS
81 pages
Role of Nurse in Epidemiology
100% (2)
Role of Nurse in Epidemiology
20 pages
Grading System Percent Marks Letter Grade Grade Points
No ratings yet
Grading System Percent Marks Letter Grade Grade Points
1 page
CCT 01-09-2011 (A1) Page
No ratings yet
CCT 01-09-2011 (A1) Page
1 page
Patterns of Global Terrorism
No ratings yet
Patterns of Global Terrorism
36 pages
Official Secrets Act (CHAPTER 213)
No ratings yet
Official Secrets Act (CHAPTER 213)
22 pages
Security and Privacy in The Internet of Things Current Status and Open Issues
No ratings yet
Security and Privacy in The Internet of Things Current Status and Open Issues
8 pages
EPCP LU6 Implementation V7
No ratings yet
EPCP LU6 Implementation V7
4 pages
Faa Form 8120-11 2
No ratings yet
Faa Form 8120-11 2
3 pages
Spend Your Summer at The Worlds Most Amazing Summer Camp!
No ratings yet
Spend Your Summer at The Worlds Most Amazing Summer Camp!
12 pages
Thesis Patern of Hazara University Mansehra M.phil New
100% (1)
Thesis Patern of Hazara University Mansehra M.phil New
51 pages
The Role of Podcasts in Enhacing EFL University Students'Listening Comprehension Skills
No ratings yet
The Role of Podcasts in Enhacing EFL University Students'Listening Comprehension Skills
153 pages
Essence of Indian Traditional Knowledge
100% (3)
Essence of Indian Traditional Knowledge
27 pages
The Selling of America: The Advertising Council and American Politics, 1942-1960
No ratings yet
The Selling of America: The Advertising Council and American Politics, 1942-1960
25 pages
Case Analysis II Hallmark Sweet Music
No ratings yet
Case Analysis II Hallmark Sweet Music
24 pages
Thiagarajar College of Engineering, Madurai 625 015.: Project Assessment Rubrics - Review III
No ratings yet
Thiagarajar College of Engineering, Madurai 625 015.: Project Assessment Rubrics - Review III
2 pages
Ideas, Policy and Politics. Labour Exchanges in Early Twentieth Century Britain
No ratings yet
Ideas, Policy and Politics. Labour Exchanges in Early Twentieth Century Britain
49 pages
Green Cities Essay
No ratings yet
Green Cities Essay
4 pages
Toward A Rainbow Nation
No ratings yet
Toward A Rainbow Nation
7 pages
Rosalinda Niña A. Prado: Career Objective
No ratings yet
Rosalinda Niña A. Prado: Career Objective
3 pages
JSP For Electrical and HV Testing
No ratings yet
JSP For Electrical and HV Testing
4 pages
Financial Intelligence Establishment PDF
No ratings yet
Financial Intelligence Establishment PDF
5 pages
SS6H3 European History Notes
No ratings yet
SS6H3 European History Notes
4 pages
Code of Ethics
No ratings yet
Code of Ethics
24 pages
A Successful ERP Implementation Journey
No ratings yet
A Successful ERP Implementation Journey
29 pages