Bangladesh Bank Unveils Cybersecurity Framework, V 1.0. The purpose of this framework is to ensure Cybersecurity governance and build better resilience against cyber threats. The framework is based on NIST principles but extends into seven functions: Preparation & Govern, Identify, Protect, Detect, Respond, Recover, and Reporting. This alignment ensures that while technology drives the sector forward, a standardized governance mechanism serves as the steering wheel, ensuring that innovation does not outpace institutional resilience.
The controls of the framework are mostly based on ISO 27001, national ICT security policies, the ICT Security Guidelines of Bangladesh Bank and other international standards. The framework will act as a baseline for cybersecurity standards and controls designed to fulfil the minimum requirements for safeguarding against cyber threats.

The goal of this framework is to establish a basic standard for managing cybersecurity within the organization. It aims to protect financial stability by ensuring that critical systems and data are secure from cyber threats. The framework focuses on identifying, detecting, and responding to cyber risks in a timely and effective manner. It also promotes the development of a common and consistent approach to handling cybersecurity issues across the organization, helping all departments follow the same principles and practices.
In addition, the framework seeks to achieve a strong level of cybersecurity maturity by defining clear roles and responsibilities for all parties involved in protecting the organization’s digital assets. It emphasizes careful management of cybersecurity practices, ensuring that security and privacy requirements are properly addressed.

The scope of this mandate is intentionally broad, encompassing “The Organization” in its entirety. This definition includes scheduled banks, Non-Bank Financial Institutions (NBFIs), Mobile Financial Service Providers (MFSPs), Payment Service Providers (PSPs), and Payment System Operators (PSOs). By codifying these requirements, the central bank aims to protect national financial stability against automated and increasingly sophisticated threats.
The Hierarchy of Accountability
The Framework establishes a clear “Coordination of Framework Implementation” (Figure 2.4), transforming cybersecurity from a technical silo into a fiscal and strategic mandate.
Board of Directors
Role: Strategic direction and oversight of cybersecurity risk.
Responsibilities:
Set the overall cybersecurity vision and policy.
Ensure cybersecurity aligns with organizational risk management.
Provide direction for managing cyber risks.
Monitor whether management is properly handling cybersecurity issues.
Approve major cybersecurity policies and governance structure.
Senior Management Level
Role: Translate board direction into organizational strategy.
Responsibilities:
Determine organization’s mission priorities related to cybersecurity.
Approve implementation strategy for cybersecurity programs.
Make risk-based decisions regarding security investments and controls.
Coordinate between departments to ensure cybersecurity policies are followed.
Business / Process Level
Role: Plan and manage cybersecurity within business operations.
Responsibilities:
Identify critical business processes and risks.
Nominate implementation strategies for security controls.
Develop security profiles based on operational needs.
Allocate budget and resources for cybersecurity initiatives.
Implementation / Operations Level
Role: Execute cybersecurity controls and daily security operations.
Responsibilities:
Implement security profiles and policies.
Protect security-critical infrastructure and systems.
Monitor systems, respond to incidents, and maintain security tools.
Ensure operational compliance with cybersecurity standards.

The CISO & CIRT Ecosystem
To operationalize this hierarchy, the Framework mandates the appointment of a qualified Chief Information Security Officer (CISO), supported by dedicated human and financial resources. The CISO acts as the technical vanguard, but the Framework recognizes that a crisis requires broader institutional mobilization.
This is achieved through the Cyber Incident Response Team (CIRT), which follows a rigid chain of accountability:
Cyber Incident Management Leader (CIML): Typically the Managing Director, the CIML is responsible for critical business decisions and, crucially, serves as the sole point of contact for media relations during high-severity incidents.
Cyber Incident Management Coordinator (CIMC): Often the Head of ICT or CITO, responsible for inter-departmental coordination and containing the immediate technical damage.
Incident Response Team Leader (IRTL): The CISO, acting as the “one-point contact” for evaluating incidents and initiating the escalation process.
Asset-Centric Security: The “Identify” and “Protect” Functions
Visibility is the prerequisite for security. The “Identify” function serves as the bedrock of the Framework, requiring a granular understanding of systems, people, and data. Without a comprehensive inventory, protective measures are applied blindly, leaving critical gaps in the perimeter.
Risk Governance & Supply Chain
The Framework adopts a sophisticated view of the modern financial ecosystem, looking beyond internal perimeters to address Cloud Risk Management and Supplier Risk. Organizations are now mandated to align with the ‘Guideline on Cloud Computing’ formulated by Bangladesh Bank. This includes the requirement for robust Service Level Agreements (SLAs) and regular audits of third-party providers. The goal is to ensure that a vendor’s security failure does not become a systemic crisis for the bank.
Hardening the Perimeter
Under the “Protect” function, the Framework outlines stringent safeguards dictated by the principles of Least Privilege and Separation of Duties. Technical defenses are no longer optional but are standardized across the sector:
Identity & Access: Multi-Factor Authentication (MFA) is required for all remote and non-console administrative access.
Network Hardening: Secure Login features (SSH) must be enabled, while unencrypted options like TELNET must be disabled.
Email Security: To combat spoofing and phishing, the Framework mandates the implementation of DNS protection, SPF, DKIM, and DMARC.
Data Integrity: The 3-2-1 backup rule is codified—maintaining three copies of data on two different media, with at least one copy stored off-premises.
Hardware Control: By default, mass storage read/write access via USB ports must be disabled. Access may only be granted for limited durations based on written justification and management approval.
Encryption: The implementation of End-to-End Encryption (E2EE) is required for all sensitive data, both at rest and in transit.
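As an added illustration of the email-security control listed above (not code from the Framework or from Bangladesh Bank), the following Python checks whether a domain publishes SPF, DKIM and DMARC records and how strong their policies are. The DNS records are constructed samples held in a dictionary; a real check would query a resolver, and the "enforcing policy" thresholds (SPF `-all`/`~all`, DMARC `quarantine`/`reject`) are this example's assumption rather than wording from the Framework.

```python
import re

# Constructed sample TXT records for illustration (no real domains); a deployment
# would fetch these from DNS instead of reading this dictionary.
SAMPLE_TXT = {
    "example-bank.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"],
    "mail._domainkey.example-bank.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B"],
    "weak.test": ["v=spf1 include:_spf.mailer.test ?all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

def spf_policy(records):
    """Return the SPF 'all' qualifier ('-', '~', '?', '+') or a status string."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"          # RFC 7208 allows exactly one SPF record per name
    m = re.search(r"(?:^|\s)([-~?+]?)all$", spf[0].strip(), re.I)
    return (m.group(1) or "+") if m else "no-all"   # a bare 'all' means '+all'

def dmarc_policy(records):
    """Return the DMARC 'p=' tag value, or 'missing' if no DMARC record exists."""
    for r in records:
        tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "missing").lower()
    return "missing"

def dkim_present(records):
    """True if a DKIM1 record with a non-empty public key is published for the selector."""
    return any(r.lower().startswith("v=dkim1") and re.search(r"\bp=[^;\s]+", r)
               for r in records)

def assess_domain(domain, selector, txt=SAMPLE_TXT):
    """Summarise the three controls for one domain; 'compliant' uses this example's thresholds."""
    spf = spf_policy(txt.get(domain, []))
    dmarc = dmarc_policy(txt.get(f"_dmarc.{domain}", []))
    dkim = dkim_present(txt.get(f"{selector}._domainkey.{domain}", []))
    compliant = spf in ("-", "~") and dmarc in ("quarantine", "reject") and dkim
    return {"spf": spf, "dmarc": dmarc, "dkim": dkim, "compliant": compliant}

if __name__ == "__main__":
    for d in ("example-bank.test", "weak.test", "absent.test"):
        print(d, assess_domain(d, "mail"))
```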
Proactive Vigilance: The “Detect” and “Respond” Lifecycle
The Framework mandates a shift toward active detection to reduce “dwell time”—the window between an initial breach and its discovery. By implementing continuous monitoring, organizations create the situational awareness necessary to catch anomalies before they escalate.
Continuous Monitoring Architecture
Organizations must implement a centralized log collection strategy that captures DNS queries, URL requests, and command-line logs (including PowerShell and BASH). The deployment of Endpoint Detection and Response (EDR) and Network Intrusion Detection Systems (NIDS) is required to provide real-time alerts.
A high-value technical insight for CISOs is the specific requirement for traffic inspection:
The Framework mandates that “East-west traffic along with north-south traffic” must be inspected through firewalls. Furthermore, North-South traffic for both the MZ and DMZ zones must be inspected twice, ensuring a layered defense-in-depth approach that targets lateral movement within the network.
The 72-Hour Response Mandate
When a critical cyber incident is detected, the “Respond” function is triggered. The Framework imposes a strict 72-hour window for reporting such incidents to both BGD-CIRT and Bangladesh Bank. This mandate facilitates voluntary information sharing, allowing the regulator to issue sector-wide warnings and prevent a single breach from becoming a domino effect. For non-compliance, the framework does not explicitly define penalties; enforcement is expected to be handled through existing regulatory mechanisms.
Resilience and the Recovery Roadmap
“Cyber Resilience” is distinct from security; it is the ability to restore services while maintaining the absolute integrity of data. The Framework treats recovery not as an end-state, but as a precursor to institutional learning.
Restoration Strategy
Recovery planning must be deeply integrated into Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). To combat the rising threat of ransomware and data destruction, the Framework specifically suggests “version-controlling backup destinations” through offline or cloud-based systems. These isolated instances of recovery data ensure that an attacker cannot encrypt the primary data and the backups simultaneously.
Metrics of Success
To measure the effectiveness of these resilience efforts, the Framework introduces four specific Key Performance Indicators (KPIs):
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
Vulnerability Reduction: Tracking the decrease of critical vulnerabilities over time.
Training Completion Rates: Measuring the frequency and success of cybersecurity awareness programs.
Institutional Accountability: Reporting, Audit, and Post-Incident Analysis
The reporting function “closes the loop” in the cybersecurity lifecycle, transforming a crisis into a lesson for the entire sector. Documentation ensures that institutional accountability remains even after the technical threat is neutralized.
The 360-Degree Audit
Organizations are mandated to conduct a comprehensive Cybersecurity Audit at least once annually and immediately following any major breach. This audit provides an in-depth review of data, operational, network, system, and physical security. Critically, the audit must include a thorough testing of Disaster Recovery and Business Continuity plans to ensure they are not merely “paper policies” but functional strategies.
Post-Incident Analysis (PIR): A Cultural Shift
The Framework demands a formal Post-Incident Analysis (PIR) after any breach, signaling a cultural shift toward forensic transparency. The process requires answering rigorous questions: “Exactly what happened, and at what times?” and “Were the documented procedures followed?” By identifying “procedural gaps” and “root causes,” the PIR ensures that the organization’s defense strategy evolves based on real-world evidence rather than theoretical assumptions.
Future Readiness
This version, released in March 2026, follows extensive public engagement and collaboration initiated in August 2025. It reflects a commitment by Bangladesh Bank to periodically review and update these standards to keep pace with an ever-evolving threat landscape.
The Framework’s final takeaway is a stark reminder of the stakes involved: without a robust, well-funded, and properly governed program, financial organizations remain “irresistible targets” for cybercriminals. In the modern era, cybersecurity is no longer just an IT requirement; it is a fundamental component of the economic security of the nation. By adhering to these baseline standards, Bangladesh’s financial sector can continue its digital journey with the fortification necessary to withstand the challenges of the global cyber environment.
Bangladesh Bank said that compliance with this policy must be ensured by December 31, 2026.
