Resolution SB 2021 2126

Summary

The Ecuadorian Resolution SB-2021-2126 of December 2, 2021, is published in the Official Registry 604 of December 23, 2021. This regulation applies to multiple and specialized banks, financial services entities and auxiliary services entities of the financial system.

Definitions

Definition	Requirements
Art_15_3_c. Operative Risk Management - Information Technology Factor	155. Application free of malicious code 161. Define secure default options
Art_26_11_b. Information Security	181. Transmit data using secure protocols 185. Encrypt sensitive information
Art_26_11_c. Information Security	183. Delete sensitive data securely
Art_26_11_d. Information Security	095. Define users with privileges 176. Restrict system objects 265. Restrict access to critical processes
Art_26_11_e. Information Security	095. Define users with privileges
Art_26_11_g. Information Security	079. Record exact occurrence time of events 080. Prevent log modification 377. Store logs based on valid regulation 378. Use of log management system
Art_26_11_h. Information Security	145. Protect system cryptographic keys 224. Use secure cryptographic mechanisms 361. Replace cryptographic keys
Art_26_11_i. Information Security	185. Encrypt sensitive information
Art_26_11_l. Information Security	259. Segment the organization network
Art_26_11_o. Information Security	377. Store logs based on valid regulation
Art_27_3. Security in Electronic Channels	181. Transmit data using secure protocols
Art_27_5. Security in Electronic Channels	185. Encrypt sensitive information 300. Mask sensitive data
Art_27_6. Security in Electronic Channels	181. Transmit data using secure protocols 185. Encrypt sensitive information 300. Mask sensitive data
Art_27_8. Security in Electronic Channels	145. Protect system cryptographic keys 224. Use secure cryptographic mechanisms
Art_27_11. Security in Electronic Channels	264. Request authentication 319. Make authentication options equally secure
Art_27_13. Security in Electronic Channels	361. Replace cryptographic keys
Art_27_16. Security in Electronic Channels	363. Synchronize system clocks
Art_27_17. Security in Electronic Channels	079. Record exact occurrence time of events 377. Store logs based on valid regulation 378. Use of log management system
Art_27_18. Security in Electronic Channels	075. Record exceptional events in logs 095. Define users with privileges 186. Use the principle of least privilege 377. Store logs based on valid regulation 378. Use of log management system
Art_27_25. Security in Electronic Channels	300. Mask sensitive data
Art_28_1. Security in Electronic Channels - ATMs	185. Encrypt sensitive information 224. Use secure cryptographic mechanisms 300. Mask sensitive data 360. Remove unnecessary sensitive information
Art_28_2. Security in Electronic Channels - ATMs	264. Request authentication
Art_28_5. Security in Electronic Channels - ATMs	228. Authenticate using standard protocols 231. Implement a biometric verification component 264. Request authentication 319. Make authentication options equally secure 328. Request MFA for critical systems
Art_29_1. Security in Electronic Channels - Points of Sale (POS and PIN Pad)	264. Request authentication
Art_29_2. Security in Electronic Channels - Points of Sale (POS and PIN Pad)	181. Transmit data using secure protocols
Art_30_1. Security in Electronic Channels - Digital Banking	088. Request client certificates 090. Use valid certificates 093. Use consistent certificates 181. Transmit data using secure protocols
Art_30_4. Security in Electronic Channels - Digital Banking	236. Establish authentication time
Art_30_6. Security in Electronic Channels - Digital Banking	356. Verify sub-domain names
Art_30_7. Security in Electronic Channels - Digital Banking	133. Passwords with at least 20 characters
Art_30_8. Security in Electronic Channels - Digital Banking	140. Define OTP lifespan 231. Implement a biometric verification component 319. Make authentication options equally secure 328. Request MFA for critical systems 347. Invalidate previous OTPs 362. Assign MFA mechanisms to a single account

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.