BFSI

Cyber Security Guidelines for BFSI in Bangladesh: A Working Reading

Bangladesh Bank ICT Security Guidelines, the SWIFT CSP, and the operational reality of meeting them inside a regulated financial institution.

Kazi Hasan

Banks and non-bank financial institutions (NBFIs) in Bangladesh operate under several overlapping regimes: the Bangladesh Bank (BB) ICT Security Guideline, the SWIFT Customer Security Programme (CSP), PCI-DSS, and the Data Privacy Act. One internal audit function has to satisfy all of them at once, and it can only do so sustainably from one shared evidence pipeline rather than a separate collection exercise per regime.

By the numbers:
10+ control domains in the BB ICT Guideline
30+ SWIFT CSP control objectives
12 PCI-DSS top-level requirements (v4.0)
1 internal audit function responsible for all of it
Most common audit findings in Bangladeshi BFSI institutions (frequency across engagements)

Finding                                 Typical pattern                     Frequency
Incomplete asset inventory              Branch and SaaS shadow IT           72 %
Privileged-access sprawl                Vendor and shared accounts          64 %
Bypassed change management              Emergency-change abuse              51 %
DR drills test scripts, not people      Runbook works, on-call doesn't      47 %
Third-party risk ends at the contract   Vendors not re-audited              43 %

Source: Cloud Digit advisory engagements, 2024–2026.

What the technical control surface looks like

The seven controls that resolve the most audit findings per dollar
1. Asset inventory in one CMDB, refreshed nightly (Inventory)
   Cloud APIs, branch agents and SaaS connectors all feed a single source of truth.

2. Phishing-resistant MFA (FIDO2/WebAuthn) for privileged identities (IAM)
   Hardware-backed authenticators; SMS and OTP retired on admin paths.

3. Just-in-time access with session recording (PAM)
   Grants are time-bound and ticket-bound; session recordings are forwarded to immutable storage.

4. Network segmentation: SWIFT in its own trust zone (Network)
   Separate VRF / ACL boundary; no overlap with the corporate IdP.

5. Centralised log pipeline with regulator-readable retention (SIEM)
   BB ICT default of 1 year online plus 5 years archived, held in an immutable bucket.

6. Quarterly DR exercise run by the on-call rotation that owns the service (BCP)
   RTO and RPO measured; post-mortem signed off by the CIO.

7. Annual third-party assessment for SWIFT CSP and PCI-DSS (Vendor)
   Independent assessor; evidence stored alongside the controls it supports.
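Control 1 (and the 72 % inventory finding above) is in practice a record-linkage problem: the CMDB, the cloud API, the branch agents and the SaaS connectors each identify the same machine by a different key, and the nightly job has to collapse them into one asset before it can say what is missing. The following is an added example, not Cloud Digit's tooling or any CMDB product's code; the identifier fields, source names and sample records are constructed assumptions. It treats two records as the same asset whenever they share any identifier, transitively, and reports both directions of drift: assets discovery sees that the CMDB lacks (shadow IT) and CMDB entries no source saw tonight (stale).

```python
"""Nightly CMDB reconciliation across cloud, branch and SaaS discovery.

Added example, not Cloud Digit's or any CMDB vendor's code. The record
layout is an assumption: each source emits dicts carrying some subset of
IDENTIFIER_FIELDS; other keys (e.g. the CMDB's own 'asset' name) are ignored.
"""
from collections import defaultdict

IDENTIFIER_FIELDS = ("serial", "instance_id", "hostname", "ip", "saas_tenant")


def identifiers(rec):
    """Normalise one record into a set of 'field=value' tokens (lower-cased)."""
    toks = {f"{f}={str(rec[f]).strip().lower()}" for f in IDENTIFIER_FIELDS if rec.get(f)}
    if not toks:
        raise ValueError(f"record has no usable identifier: {rec!r}")
    return toks


class _UnionFind:
    """Disjoint sets over identifier tokens; tokens in one set belong to one asset."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def reconcile(cmdb, discovered):
    """cmdb: list of CMDB records; discovered: {source_name: [records]}.

    Records that share any identifier token (transitively) are one asset, so
    a cloud record keyed by instance_id merges with the CMDB entry carrying
    the same id even though only the cloud side knows the IP.
    Returns (assets, shadow, stale): assets maps a canonical token to
    {'ids': set, 'sources': set}; shadow = seen by discovery but absent from
    the CMDB; stale = in the CMDB but seen by no discovery source tonight.
    """
    uf = _UnionFind()
    tagged = [("cmdb", r) for r in cmdb]
    for src, recs in discovered.items():
        tagged.extend((src, r) for r in recs)

    per_record = []
    for src, rec in tagged:
        toks = identifiers(rec)
        anchor = next(iter(toks))
        for t in toks:
            uf.union(anchor, t)
        per_record.append((src, toks))

    assets = defaultdict(lambda: {"ids": set(), "sources": set()})
    for src, toks in per_record:          # roots are final only after all unions
        root = uf.find(next(iter(toks)))
        assets[root]["ids"] |= toks
        assets[root]["sources"].add(src)

    shadow = {k for k, a in assets.items() if "cmdb" not in a["sources"]}
    stale = {k for k, a in assets.items() if a["sources"] == {"cmdb"}}
    return dict(assets), shadow, stale


# Constructed sample data, not a real inventory.
SAMPLE_CMDB = [
    {"asset": "srv-01", "serial": "S1", "hostname": "srv-01.bank.local", "ip": "10.1.1.10"},
    {"asset": "branch-pos-07", "serial": "S7"},
    {"asset": "core-app-vm", "instance_id": "i-0abc"},
]
SAMPLE_DISCOVERY = {
    "cloud_api": [
        {"instance_id": "i-0ABC", "ip": "10.2.0.5"},   # same VM, id case differs
        {"instance_id": "i-0xyz", "ip": "10.2.0.9"},   # VM nobody registered
    ],
    "branch_agent": [
        {"hostname": "SRV-01.bank.local", "ip": "10.1.1.10"},
        {"serial": "S12", "hostname": "pos-12"},       # new POS terminal
    ],
    "saas_connector": [{"saas_tenant": "acme-crm"}],   # unregistered SaaS tenant
}


def nightly_report(cmdb=SAMPLE_CMDB, discovered=SAMPLE_DISCOVERY):
    """What the nightly job hands to audit: a count plus the two exception lists."""
    assets, shadow, stale = reconcile(cmdb, discovered)
    return {
        "total_assets": len(assets),
        "shadow": sorted(sorted(assets[k]["ids"]) for k in shadow),
        "stale": sorted(sorted(assets[k]["ids"]) for k in stale),
    }


if __name__ == "__main__":
    print(nightly_report())
```

Two caveats a reviewer will raise on a job like this. The IP address is the weakest join key: a DHCP lease reused across branch devices will merge two machines into one asset, so in production the `ip` token is either restricted to static ranges or dropped once a serial or instance id is present. And the stale list matters as much as the shadow list: an auditor who samples the CMDB and finds decommissioned hosts still listed will write the same "incomplete inventory" finding.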
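Control 3 is where the 64 % privileged-access finding is actually closed, and the part auditors probe is not the grant but the re-check: a grant must stop working when its window ends or when the change ticket it was issued against is closed, and every decision must land in a log that cannot be quietly edited afterwards. The broker below is an added example, not any PAM product's API; the ticket store, the injected clock, the 4-hour ceiling, the event schema and all names are assumptions. The SHA-256 hash chain over the audit events stands in for forwarding to immutable storage and shows how tampering with a local copy is detected; it does not replace the immutable bucket itself.

```python
"""Just-in-time privileged access: ticket-bound, time-bound, re-checked at each
session start, with every decision appended to a hash-chained audit log.
Added example, not a PAM product's API; ticket store, clock, 4-hour ceiling
and event schema are assumptions. The hash chain makes local tampering
detectable; it stands in for, not replaces, forwarding to an immutable bucket."""
import hashlib
import json
from collections import namedtuple
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=4)   # assumed policy ceiling for one grant
Ticket = namedtuple("Ticket", "id status approved_by")           # status: open|closed
Grant = namedtuple("Grant", "user role ticket_id not_before not_after")


class JitBroker:
    def __init__(self, tickets, clock):
        self.tickets = {t.id: t for t in tickets}
        self.clock = clock             # callable returning an aware datetime
        self.grants, self.audit = [], []
        self._prev = "0" * 64          # hash of the previous audit event

    def _log(self, **event):
        event.update(ts=self.clock().isoformat(), prev=self._prev)
        digest = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.audit.append({**event, "hash": digest})
        self._prev = digest

    def request(self, user, role, ticket_id, minutes):
        # Grant only against an open ticket approved by someone else, for a bounded window.
        t, window = self.tickets.get(ticket_id), timedelta(minutes=minutes)
        if t is None or t.status != "open":
            reason = "no open ticket"
        elif t.approved_by == user:
            reason = "self-approved ticket"
        elif not timedelta(0) < window <= MAX_WINDOW:
            reason = "window outside policy"
        else:
            now = self.clock()
            g = Grant(user, role, ticket_id, now, now + window)
            self.grants.append(g)
            self._log(kind="grant_issued", user=user, role=role, ticket=ticket_id,
                      until=g.not_after.isoformat())
            return g
        self._log(kind="grant_denied", user=user, role=role, ticket=ticket_id, why=reason)
        raise PermissionError(reason)

    def open_session(self, user, role):
        # Re-evaluate at session start: inside the window AND the ticket still open.
        now = self.clock()
        for g in self.grants:
            if (g.user, g.role) == (user, role) and g.not_before <= now < g.not_after \
                    and self.tickets[g.ticket_id].status == "open":
                self._log(kind="session_start", user=user, role=role, ticket=g.ticket_id)
                return True
        self._log(kind="session_denied", user=user, role=role)   # expired or ticket closed
        return False

    def close_ticket(self, ticket_id):
        # Closing the change revokes every grant bound to it, mid-window or not.
        self.tickets[ticket_id] = self.tickets[ticket_id]._replace(status="closed")
        self._log(kind="ticket_closed", ticket=ticket_id)


def verify_chain(audit):
    """Recompute each hash; an edited, dropped or reordered event breaks the chain."""
    prev = "0" * 64
    for ev in audit:
        body = {k: v for k, v in ev.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or ev["hash"] != digest:
            return False
        prev = ev["hash"]
    return True


def demo():
    """Constructed scenario (names and ticket ids are made up); returns each decision."""
    now = {"t": datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)}   # mutable fake clock
    broker = JitBroker([Ticket("CHG-0999", "closed", "approver.rahim"),
                        Ticket("CHG-1042", "open", "approver.rahim"),
                        Ticket("CHG-1043", "open", "approver.rahim")], lambda: now["t"])
    out = {}
    try:
        broker.request("dba.karim", "core-db-admin", "CHG-0999", 60)
    except PermissionError as e:
        out["closed_ticket"] = str(e)
    broker.request("dba.karim", "core-db-admin", "CHG-1042", 60)
    out["in_window"] = broker.open_session("dba.karim", "core-db-admin")
    now["t"] += timedelta(minutes=61)
    out["after_expiry"] = broker.open_session("dba.karim", "core-db-admin")
    broker.request("dba.karim", "core-db-admin", "CHG-1043", 60)
    broker.close_ticket("CHG-1043")
    out["after_ticket_closed"] = broker.open_session("dba.karim", "core-db-admin")
    out["chain_ok"] = verify_chain(broker.audit)
    tampered = [dict(e) for e in broker.audit]
    tampered[1]["user"] = "someone.else"      # rewrite the first grant_issued event
    out["tamper_detected"] = not verify_chain(tampered)
    return out
```

The point to take from `open_session` is that the ticket is consulted again at every session start, not only when the grant was issued: a change that is closed early revokes access without anyone having to remember to revoke it. Vendor and shared accounts, the usual source of the sprawl finding, fit the same model only if each vendor engineer requests under their own identity; a shared "vendor" user defeats both the ticket binding and the audit trail.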

Shared-responsibility split for BB ICT controls on sovereign IaaS (share of the mapped controls)
Provider sole (physical, hypervisor, host OS): 24 %
Shared (network, IAM, KMS, logging): 41 %
Customer sole (application, data, classification, incident response): 35 %

Source: Cloud Digit shared-responsibility framework mapped to BB ICT domains.