3.1 Institutions should establish a documented governance framework for effective decision-making and proper management and control of risks arising from the use of APIs. The governance framework should:
a. Define the roles and responsibilities of the Institution, API Provider and API developer (where different), including the division of duties;
b. Establish appropriate policies, procedures, standards and controls to govern the API Lifecycle within the Institution;
c. Employ tools and technologies that enable communication, change management and performance monitoring across the API Lifecycle;
d. Establish appropriate testing strategies prior to publication and on an ongoing basis for optimal performance of APIs, for example:
i. A load testing strategy which can be used to assess how the API performs against service-level agreements and to determine what response is normal for the API. Targeted test cases should be developed for API problems that would prevent longer load tests from running correctly;
ii. Stress testing of the APIs, which can be undertaken by simulating a heavy load on the API or by conducting crash point testing to identify the maximum number of users the API can handle; and
iii. A monitoring framework that ensures critical interfaces and functions are appropriately tested and verified for conformance to expected behavior;
e. Establish a framework to assess, monitor, report and mitigate risks associated with the APIs, including developing mechanisms to ensure regular testing and implementation of coding controls, production monitoring and support post deployment, process control mapping and development of a risk control matrix; and
f. Be approved by the appropriate Governing Body.
3.2 When Outsourcing to an Outsourcing Service Provider, Institutions should ensure that access to information is adequately controlled, monitored, reviewed and audited by the Institution's internal control functions and by regulators, including the appropriate Supervisory Authority.
3.3 Business continuity plans of an Institution should cover APIs and the security controls associated with APIs. Institutions should assess the criticality of the different types of APIs used and ensure that the business continuity planning scenarios cover the various types of APIs being used. The business continuity strategy and arrangements should be updated when changes are made to the operating environment and, most importantly, be tested periodically.