IT Profile User Guide

This document provides a template for collecting information technology (IT) profiles from banks and financial institutions. The template includes fields to collect contact information for key IT officers, organizational structure details, and descriptions of IT-related units. Instructions are provided on how to complete each field in the template.

Note: Make sure that macros are enabled to completely fill out all the required information in the IT profile template. The template was created using Microsoft Excel 2013 and tested to run on higher versions.

Sheet Field Name Format Input Type Description


I Name of BSFI Text Select from List The official name of the entity as registered in BSP.
or Manual Input
I BSFI Code Text Auto-generated Code assigned by the Bangko Sentral to the BSFI
or Manual Input
I Website URL Text Manual Input BSFI’s official website for public use
I For the year ended Date Manual Input Cutoff date of the information supplied in the IT profile. (does
not accept future dates)
I I. ORGANIZATIONAL INFORMATION
I I.A. Key Officer's Information
I Chief Information Officer (CIO) An executive responsible for the management,
implementation, and usability of information and computer
technologies. Designation, roles, and responsibilities vary per
organization and this is sometimes interchangeable with the
CTO. Nonetheless, section 148 of the MORB requires the
designation of an IT head, which may be a CIO, CTO, or both
in some organizations.
I Chief Technology Officer (CTO) An executive responsible for technological issues within an
organization. Designation, roles, and responsibilities vary per
organization and this is sometimes interchangeable with the
CIO. Nonetheless, section 148 of the MORB requires the
designation of an IT head, which may be a CIO, CTO, or both
in some organizations.
I Chief Information Security Officer (CISO) As defined in section 148 of the MORB, the CISO is an
executive with sufficient authority within an institution, who
is responsible and accountable for the organization-wide
information security program.
I IT Risk Officer Officer in charge of IT risk. This is not a mandatory position
and will be used only for statistical and informational
purposes.

I IT Compliance Officer in charge of IT compliance. This is not a mandatory
position and will be used only for statistical and informational
purposes.
I IT Audit Officer in charge of IT audit. This is not a mandatory position
and will be used only for statistical and informational
purposes.
I Primary in-charge of E-Banking Officer primarily in charge of electronic banking strategies
and operations. This is not a mandatory position and will be
used only for statistical and informational purposes.
I Primary in-charge of E-Money Officer primarily in charge of electronic money strategies and
operations. This is not a mandatory position and will be used
only for statistical and informational purposes.
I Input fields – Information to be provided
for the above Standard Designation/
Responsibility
I Status Text Select from List Select whether the position is:
(1) manned,
(2) vacant, or
(3) N/A, if not available in the entity.
I Full Name Text Manual Input Full name of the officer with the following format “Last
Name, First Name, Middle Initial”. Input N/A if not applicable.
I Official Designation in the BSFI Text Manual Input Official designation of the officer in the BSFI, which may be
the same or different from the “Standard
Designation/Responsibility” defined in the IT profile template.
Input N/A if not applicable.
I Email Address Text Manual Input Office email address of the officer. Input N/A if not
applicable.
I Date Appointed Date Manual Input The effective date of appointment to a position. Input N/A if
not applicable.
I Remarks Text Manual Input Input other relevant information not captured by the
template or may affect the analysis of the data provided
I I.B. Organizational Structure and
Composition
I Information Technology Unit in charge of establishing, monitoring, and maintaining
information technology systems and services.

I Information Security Unit in charge of implementing and maintaining organization-
wide information security policies, standards, guidelines, and
procedures.
I Cybersecurity Unit in charge of the protection against cyber-threats.
I IT Risk Unit in charge of IT risk, which is normally a sub-unit under
the risk management function.
I IT Compliance Unit in charge of IT compliance, which is normally a sub-unit
under the compliance function.
I IT Audit Unit in charge of IT audit, which is normally a sub-unit under
the audit function.
I Input fields – Information to be provided
for the above organization or unit
I Service Provider Text Select from List Select whether the IT Service Provider is:
(1) The BSFI Itself,
(2) Parent / Regional Offices,
(3) Subsidiary / Affiliate,
(4) Third Party, or
(5) Others
A BSFI may utilize a combination of the choices. In these cases,
the dominant IT Service Provider or those supporting core
functions and processes should be selected. For example, if
software development is outsourced to a third party while
other functions are in-house, the BSFI may select “The BSFI
Itself”. However, in case IT oversight is performed in-house
while others are performed by the Parent or Third Party, then
“Parent” or “Third Party” should be selected.
I Full-Time Employee; Vacant FTE Number Manual Input Input the headcount or “0” if none/not applicable. It is
Positions; Part-Time Employee; possible that a headcount may perform multiple functions. In
Consultants; Outsourced that case, this headcount should have a separate count per
organizational unit. E.g., an IT officer who concurrently functions as
a cybersecurity officer will be counted
twice, once under IT and once under Cybersecurity.
I Remarks Text Manual Input Input other relevant information not captured by the
template or may affect the analysis of the data provided
I I.C. IT Oversight Committee

I Official Name of the Primary Oversight Text Manual Input • Input details of the IT Oversight Committee or N/A if not
Committee for IT, Head and Members applicable.
• Add row can be used in case the space provided is not
sufficient.
• In case there are multiple oversight committees for IT,
select the committee assigned to oversee the IT strategy.
I II. IT/IS/CYBERSECURITY OPERATIONS
II II.A. Cybersecurity Test and Evaluations Note: This information is for survey/profiling purposes
only and is not used as a basis for compliance with regulations
II Self-Assessment Date Manual Input An activity conducted by the specific business line or
department that typically captures their awareness of the
level of risk and effectiveness of controls concerning their
own business processes and functions. Input the latest date
of completion or not applicable if not conducted.
II Independent VAPT Date Manual Input The activity conducted by a third party which involves the
identification of security vulnerabilities in systems and
network usually through the use of automated vulnerability
scanners and subjecting a system or network to simulated or
real-world attacks that exploit vulnerabilities under
controlled conditions. Input the latest date of completion or
not applicable if not conducted.
II Compromise/breach assessment Date Manual Input The type of assessment that addresses advanced malware and
threats with capabilities to evade traditional monitoring
systems. Input the latest date of completion or not
applicable if not conducted.
II Red-teaming exercise Date Manual Input A more in-depth type of penetration testing which continually
challenges the organization’s defenses and controls against
cyber-attacks. The red team is composed of highly trained
specialists, acting in adversarial mode, which may be the
BSFI’s own independent employees or third-party experts.
The end objective is to improve the state of readiness of the
entire organization in cases of cyber-attacks. Input the latest
date of completion or not applicable if not conducted.
II II.B. Security Note: This information is for survey/profiling purposes
Practices/Tools/Devices/Technologies only and is not used as a basis for compliance with regulations

II Security Operations Center (SOC) Y/N List A security operations center (SOC) provides round-the-clock
monitoring and real-time analysis of security incidents and
cyber-related events.
II Cyber threat intelligence and Y/N List Cyber threat intelligence is what cyber threat information
collaboration becomes once it has been collected, evaluated in the context
of its source and reliability, and analyzed through rigorous
and structured tradecraft techniques by those with
substantive expertise and access to all-source information,
while collaboration or information sharing allows BSFIs to
enhance threat intelligence/ situational awareness that
enable quick identification, prevention, and response to
emerging and persistent threats.
II Administrator Multi-Factor Y/N List Multifactor authentication (MFA) is a security system that
Authentication (MFA) requires more than one method of authentication from
independent categories of credentials to verify the user's
identity for a login or other transaction.
II Anti-DDOS Y/N List Specifically, DDoS protection works by using algorithms and
advanced software to monitor incoming traffic to the
website. Any traffic that isn't legitimate is denied access,
whereas legitimate traffic continues to filter through to the
site. DDoS protection options generally guard against attacks
up to certain size.
II Anti-phishing Y/N List Anti-phishing software consists of computer programs that
attempt to identify phishing content contained in websites, e-
mail, or other forms used to access data (usually from the
internet) and block the content, usually with a warning to the
user (and often an option to view the content regardless).
II Anti-spam Y/N List Refers to any software, hardware or process that is used to
combat the proliferation of spam or to keep spam from
entering a system.
II Anti-virus Y/N List Antivirus software, originally designed to detect and remove
viruses from computers, can also protect against a wide
variety of threats, including other types of malicious
software, such as keyloggers, browser hijackers, Trojan
horses, worms, rootkits, spyware, adware, botnets and
ransomware.

II Data Loss Prevention (DLP) Y/N List Data loss prevention (DLP) is a set of tools and processes used
to ensure that sensitive data is not lost, misused, or accessed
by unauthorized users. DLP also provides reporting to meet
compliance and auditing requirements and identify areas of
weakness and anomalies for forensics and incident response.
II Fraud Management System Y/N List A fraud management system provides standardized processes
that integrate large quantities of transactional data allowing
to monitor, control, manage and optimize processes,
ensuring revenue assurance and risk management in real
time.
II Intrusion Detection System (IDS) Y/N List An Intrusion Detection System (IDS) is a network security
technology originally built for detecting vulnerability exploits
against a target application or computer.
II Intrusion Prevention System (IPS) Y/N List An intrusion prevention system (IPS) is a form of network
security that works to detect and prevent identified
threats. Intrusion prevention systems continuously monitor
your network, looking for possible malicious incidents and
capturing information about them.
II Network Access Control Y/N List Network Access Control (NAC) is an approach to computer
security that attempts to unify endpoint security technology
(such as antivirus, host intrusion prevention, and vulnerability
assessment), user or system authentication
and network security enforcement.
II Network Firewall Y/N List Network firewalls are security devices used to stop or
mitigate unauthorized access to private networks connected
to the Internet, especially intranets. The only traffic allowed
on the network is defined via firewall policies – any other
traffic attempting to access the network is blocked.
II Security Information and Event Y/N List Security Information and Event Management (SIEM) is a set
Management (SIEM) of tools and services offering a holistic view of an
organization's information security. SIEM tools provide: Real-
time visibility across an organization's information
security systems. Event log management that consolidates
data from numerous sources.
II Unified Threat Management (UTM) Y/N List A unified threat management (UTM) system is a type of
network hardware appliance, virtual appliance or cloud
service that protects businesses from security threats in a
simplified way by combining and integrating
multiple security services and features.
II Virtual Private Network (VPN) Y/N List A virtual private network (VPN) is programming that creates a
safe, encrypted connection over a less secure network, such
as the public internet.
II Web Application Firewall (WAF) Y/N List A web application firewall monitors and filters traffic to and
from your website, blocking bad actors while safe traffic
proceeds normally. With a team of security researchers
continuously updating virus definitions and threat profiles,
you gain peace of mind that your protection remains up to
date.
II Input field
II In place Text Manual Input (Y/N) Select “Yes” if in place or “No” if not yet implemented
or ongoing implementation
II II.C. Adoption/Implementation of Note: This information is for survey/profiling purposes
Technologies/Processes only and is not used as a basis for compliance with regulations
II API Consumer of Partner API Y/N List The BSFI uses an API, which is not exposed to the public, of a
partner based on the contractual relationship or agreement
between both parties.
II API Consumer of Public API Y/N List The BSFI uses an API which is exposed for public use.
II API Provider for Internal Use Y/N List The API developed by the BSFI is for internal use only.
II API Provider for Public Use Y/N List The API developed by the BSFI is exposed to the public.
II API Provider for Use of Partners Y/N List The API developed by the BSFI is for use of partners only,
based on the contractual relationship or agreement between
both parties.
II Artificial Intelligence Y/N List Artificial intelligence (AI), also known as machine intelligence,
is a branch of computer science that aims to imbue software
with the ability to analyze its environment using either
predetermined rules and search algorithms, or pattern
recognizing machine learning models, and then make
decisions based on those.
II Big Data Analytics Y/N List Big data analytics is the often-complex process of examining
large and varied data sets, or big data, to uncover information
such as hidden patterns, unknown correlations, market
trends and customer preferences that can help
organizations make informed business decisions.
II Blockchain Y/N List A growing list of records, called blocks, that are linked using
cryptography.
II Bring Your Own Device (BYOD) Y/N List Bring your own device (BYOD) refers to employees who bring
their own computing devices - such as smartphones, laptops
and tablet PCs - to work with them and use them in addition
to or instead of company-supplied devices.
II Cloud Computing Y/N List On-demand availability of computer system resources,
especially data storage (cloud storage) and computing power,
without direct active management by the user.
II DevOps Y/N List DevOps (development and operations) is an enterprise
software development phrase used to mean a type of agile
relationship between development and IT operations. The
goal of DevOps is to change and improve the relationship by
advocating better communication and collaboration between
these two business units.
II Quick Response (QR) Code Y/N List A machine-scannable image that can instantly be read using a
Smartphone camera. Every QR code consists of a number of
black squares and dots which represent certain pieces of
information.
II Robotics Process Automation Y/N List Robotic process automation (RPA) is the use of software with
artificial intelligence (AI) and machine learning capabilities to
handle high-volume, repeatable tasks that previously
required humans to perform. These tasks can include queries,
calculations and maintenance of records and transactions.
II SDLC Agile Model Y/N List Agile SDLC model is a combination of iterative and
incremental process models with focus on process
adaptability and customer satisfaction by rapid delivery of
working software product. Agile Methods break the product
into small incremental builds. These builds are provided in
iterations.
II Virtualization of Servers Y/N List Server virtualization is a virtualization technique that involves
partitioning a physical server into a number of small,
virtual servers with the help of virtualization software.
In server virtualization, each virtual server runs multiple
operating system instances at the same time.
II Input field
II In place Text Manual Input (Y/N) Select “Yes” if in place or “No” if not yet implemented
or ongoing implementation
II II.D. Standards Compliance and Note: This information is for survey/profiling purposes
Certifications only and is not used as a basis for compliance with regulations
II COBIT Text List COBIT stands for Control Objectives for Information and
Related Technology. It is a framework created by the ISACA
(Information Systems Audit and Control Association) for IT
governance and management.
II ISO 22301 Text List ISO 22301 is the international standard for Business
Continuity Management (BCM). It provides a practical
framework for setting up and managing an effective business
continuity management system that aims to safeguard an
organization from a wide range of potential threats and
disruptions.
II ISO 9001 Text List ISO 9001 is defined as the international standard that
specifies requirements for a quality management system
(QMS). Organizations use the standard to demonstrate the
ability to consistently provide products and services that
meet customer and regulatory requirements.
II ISO/IEC 27001 Text List ISO 27001 (formally known as ISO/IEC 27001:2005) is a
specification for an information security management system
(ISMS). An ISMS is a framework of policies and procedures
that includes all legal, physical and technical controls involved
in an organization’s information risk management processes.
II PCI-DSS Text List The Payment Card Industry Data Security Standard is an
information security standard for organizations that handle
branded credit cards from the major card schemes. The PCI
Standard is mandated by the card brands but administered
by the Payment Card Industry Security Standards Council.
II Input field
II Adoption Text Select from List Select whether the Adoption is:
(1) Certified,
(2) Practiced, or
(3) N/A
II II.E. Datacenter Location Information
II Head Office The main administrative center for a company or
organization.
II Primary Datacenter A data center is a highly fault-tolerant facility where an
organization houses all its servers, networking components,
and infrastructure.

II Disaster Recovery Datacenter A disaster recovery (DR) site is a facility an organization can
use to recover and restore its technology infrastructure and
operations when its primary data center becomes
unavailable.
II Offsite Tape Backup Remote backup location that houses physical storage of
backup tapes, disks or other media.
II Input fields
II Datacenter/Service Provider Text Select from List Select whether the Datacenter/Service Provider is:
or Manual Input (1) BSFI (Own Datacenter),
(2) Cloud Service Provider (CSP),
(3) DataOne Asia,
(4) Eastern Communications,
(5) ePLDT,
(6) Globe,
(7) IBM,
(8) IPC (IP Converge Data Services, Inc.),
(9) NTT Communications,
(10) TIM (Total Information Management),
(11) Others, or
(12) N/A

If a CSP is utilized, select the corresponding CSP from the pre-defined list.
II Location Text Select from List Select whether the Location is:
or Manual Input (1) PH – NCR,
(2) PH - Region I,
(3) PH – CAR,
(4) PH - Region II,
(5) PH - Region IV-A,
(6) PH - Region IV-B,
(7) PH - Region V,
(8) PH - Region VI,
(9) PH - Region VII,
(10) PH - Region VIII,
(11) PH - Region IX,
(12) PH - Region X,
(13) PH - Region XI,
(14) PH - Region XII,
(15) PH - Region XIII,
(16) PH – BARMM,
(17) Africa,
(18) Asia,
(19) Europe,
(20) North America,
(21) South America,
(22) Antarctica, or
(23) Australia

II Remarks Text Manual Input Input other relevant information not captured by the
template or may affect the analysis of the data provided
II II.F. Environmental Controls
II Automated Fire Suppression System Automatic fire suppression systems control and
extinguish fires without human intervention.
II Automatic Temperature and Humidity Automatic control for temperature and humidity inside the
Control datacenter.
II CCTV / Surveillance Camera CCTV or surveillance camera inside and around strategic
locations in the datacenter.
II Door Lock with Access Card Use of access cards for door lock
II Door Lock with Biometrics Use of biometrics for door lock
II Door Lock with PIN/Password Use of pin pad and numeric or alphanumeric combination for
door lock
II Fire Extinguisher A fire extinguisher is an active fire protection device used to
extinguish or control small fires, often in emergency
situations.

II Heat and Smoke Detector Smoke and Heat detectors are self-contained units that
incorporate a means of detecting fire (smoke or heat) and
giving a warning (alarm).
II Power Generator A power generator is, as its name implies, a device capable of
generating energy in case of main power outage.
II Uninterrupted Power Supply (UPS) A device that provides battery backup when the electrical
power fails or drops to an unacceptable voltage level.
II Water Leak Detection Detection system for water leak.
II Input fields
II Primary Datacenter Text Manual Input (Y/N/NA) Select “Yes” if control is available, “No” if not
available and N/A if not applicable (in case outsourced to a
CSP)
II Disaster Recovery Datacenter Text Manual Input (Y/N/NA) Select “Yes” if control is available, “No” if not
available and N/A if not applicable (in case outsourced to a
CSP)
II II.G. Internet Service Providers
II Bayan Telecommunications Pre-defined internet service provider in the Philippines.
II Converge ICT Pre-defined internet service provider in the Philippines.
II Eastern Communications Pre-defined internet service provider in the Philippines.
II Globe Pre-defined internet service provider in the Philippines.
II PLDT Pre-defined internet service provider in the Philippines.
II RISE Pre-defined internet service provider in the Philippines.
II SKY Pre-defined internet service provider in the Philippines.
II Input fields
II Primary Datacenter Text Select from List Select whether the Primary Datacenter is:
or Manual Input (1) Primary,
(2) Secondary,
(3) Both,
(4) Other, or
(5) N/A
II Disaster Recovery Datacenter Text Select from List Select whether the Disaster Recovery Datacenter is:
or Manual Input (1) Primary,
(2) Secondary,
(3) Both,
(4) Other, or
(5) N/A

II Head Office Text Select from List Select whether the Head Office is:
or Manual Input (1) Primary,
(2) Secondary,
(3) Both,
(4) Other, or
(5) N/A

III III. IT/IS Outsourcing


III Outsourced Service Text Select from List Select whether the Outsourced Service is:
or Manual Input (1) Application/software development, support, or
management,
(2) Archival and storage of data and records,
(3) Business continuity and disaster recovery functions and
activities,
(4) Cybersecurity operations,
(5) Database development/management,
(6) Datacenter co-location,
(7) Datacenter operations,
(8) Desktop support,
(9) Information systems hosting,
(10) IT managed services,
(11) Maintenance of server/hardware/equipment,
(12) Network support,
(13) Project management,
(14) Software quality assurance,
(15) Technical support/help desk, or
(16) Other
III Name of Vendor / Service Provider Text Manual Input The official name of the vendor as registered in SEC or
defined in the contract. Note that only CRITICAL (based on
BSFI internal policies, which should be aligned with existing
regulations) vendors and service providers should be included
in the list including those vendors/service providers that
REQUIRE BSP APPROVAL (e.g. cloud service providers).
Additional vendors may be added using the add row button.
III Description of Service Text Manual Input Type of service provided by the vendor / service provider.

III Type of Outsourcing Text Select from List Select whether the Type of Outsourcing is:
or Manual Input (1) Intra-group outsourcing (Branch/subsidiaries to Head
Office),
(2) Intra-group outsourcing (Head Office to
Branch/Subsidiaries),
(3) Third-party offshore outsourcing,
(4) Third-party local outsourcing, or
(5) Others
III Cloud Model (for outsourcing to CSP) Text Select from List Select whether the Cloud Model is:
or Manual Input (1) Infrastructure as a Service (IaaS),
(2) Platform as a Service (PaaS), or
(3) Software as a Service (SaaS)
IV IV. APPLICATION SYSTEMS
IV Application/Software –Name Text Manually Input Name of the application system/software. If multiple
application systems are used for a process (e.g. multiple GL
systems are used), use the add row button and select the
type of application system from the dropdown list.
IV Application/Software –Version Text Manually Input Version of the application system/software
IV Solutions Provider/ Developer Text Manually Input The vendor/developer/integrator of the application
system/software that provides maintenance/customization. If
the software maintenance/customization is done internally,
“NONE” should be inputted in this column.
IV O/S Name Text Select from List Select whether the O/S Name is:
or Manual Input (1) CentOS,
(2) ClearOS,
(3) HP-UX,
(4) IBM AIX,
(5) IBM i (OS/400, i5/OS),
(6) IBM z/OS,
(7) IBM z/TPF,
(8) IBM z/VSE,
(9) macOS (Mac OS X, OS X),
(10) Oracle Linux,
(11) Red Hat Enterprise Linux (RHEL),
(12) Solaris,
(13) SUSE Enterprise Linux (SLES),
(14) Ubuntu,
(15) Unix, or
(16) Windows

The operating system (O/S) where the application/software is
running. It is acceptable to indicate the most critical O/S if
several O/S are used. If multiple O/S are critical, create
another line item at the end of the table and define the other
O/S for the same application. Manually input if not yet
available in the list.
IV O/S Version Text Manually Input Indicate the O/S version installed as of the cutoff date
indicated in the IT profile.
IV DB Name Text Select from List Select whether the DB Name is:
or Manual Input (1) ADABAS,
(2) Amazon Aurora,
(3) Apache Cassandra Database,
(4) Azure SQL Database,
(5) FileMaker,
(6) Firebird,
(7) IBM DB2,
(8) Informix,
(9) Ingres,
(10) MariaDB,
(11) Microsoft Access,
(12) Microsoft SQL Server,
(13) MongoDB,
(14) MySQL,
(15) Oracle Database,
(16) PostgreSQL,
(17) Redis,
(18) SAP HANA,
(19) SAP Sybase ASE,
(20) SQLite, or
(21) Teradata

The database (DB) of the application/software. It is
acceptable to indicate the most critical DB if several DB are
used. If multiple DBs are critical, create another line item at
the end of the table and define the other database for the
same application. Manually input if not yet available in the
list.

The DB name listing may not comprehensively cover the
exact name of the database license being used by the BSFI. In
these cases, additional information should be defined in the
DB version field. (e.g. Oracle Database 11g Release 2
(11.2.0.2.0) Enterprise Edition, in this case select “Oracle
Database” in the DB Name and input “11g Release 2
(11.2.0.2.0) Enterprise Edition” in the version)
IV DB Version Text Manually Input Indicate the DB version installed as of the cutoff date
indicated in the IT profile.
IV Integration to Core Text Select from List Define how the application/software’s data is integrated to
the core system, which may be:
(1) Real-time,
(2) Batch processing or manual, or
(3) Not integrated

IV Replication to DR Site Text Select from List Define how the real-time replication is used:
(1) Real-time,
(2) Batch processing or manual,
(3) Not applicable, or
(4) Other

IV Recovery Point Objective (RPO) Number Manual Input Recovery point objective (RPO) describes a period of time in
which an enterprise's operations must be restored following a
disruptive event, e.g., a cyberattack, natural disaster or
communications failure.
IV Recovery Time Objective (RTO) Number Manual Input The Recovery Time Objective (RTO) is the duration of time
and a service level within which a business process must be
restored after a disaster in order to avoid unacceptable
consequences associated with a break in continuity.

IV Changes Text Manual Input Identification of the type of change in the system for the
report period. Note that this should include changes on the
application, operating system, and database.

Select whether change is:
(1) Major,
(2) Minor, or
(3) None

IV Remarks Text Manual Input Input other relevant information not captured by the
template or may affect the analysis of the data provided
V V. ELECTRONIC / DIGITAL AND OTHER
CHANNELS
V V.A. Count of Information
COMMUNICATION AND Technology (ICT)
V Servers Number Manual Input A server is a computer that provides data to other computers.
V Workstations (Laptop / Desktop) Number Manual Input A workstation is a special computer designed for technical or
scientific applications. Intended primarily to be used by one
person at a time, they are commonly connected to a local
area network and run multi-user operating systems.
V Network devices (Limit to router, switch, Number Manual Input Network devices are what connect computers and various
and gateway) other electronic devices together. This connection allows
the devices to share files or use resources.
V API endpoints (Limit to APIs provided to external parties) Number Manual Input Count of API endpoints, that is, the points at which an application
program interface (API) -- the code that allows two software
programs to communicate with each other -- connects with
the software program. This is applicable only to APIs provided
by the BSFI.
V API integrated systems (Limit to APIs provided to external parties) Number Manual Input Count of systems integrated to external parties through APIs.
V V.B Count of Customers and Customers Accounts
V Satellite Offices (Limit to network connected branches and offices) Number Manual Input Satellite Office is a branch or office of the BSFI that is
physically separate from the organization's main office.
V Registered agent outlets Number Manual Input Agent outlets registered with the BSFI, regardless of being
active or inactive.
V Active agent outlets Number Manual Input Active or operational agent outlets
V V.C. Availability of E-Services on E-Banking Facilities
V Retail Internet Banking Retail banking, also known as consumer banking or
personal banking, is banking that provides financial services
to consumers as individuals, not businesses.
V Corporate Internet Banking Corporate Internet Banking provides electronic payment and
financial services for corporate clients through the web.
V Mobile Banking thru Mobile App Mobile banking refers to the use of a smartphone or other
cellular device to perform online banking tasks while away
from your home computer, such as monitoring account
balances, transferring funds between accounts, bill payment
and locating an ATM.
V Mobile Banking thru SMS or USSD Unstructured Supplementary Service Data (USSD) allows
users without a smartphone or data/internet connection to
use mobile banking.
V Phone Banking Telephone banking is a service provided by a bank or other
financial institution that enables customers to perform over
the telephone a range of financial transactions which do not
involve cash or financial instruments (such as cheques),
without the need to visit a bank branch or ATM.
V Chatbot A chatbot is a computer program that simulates human
conversation through voice commands or text chats or
both. Chatbot, short for chatterbot, is an Artificial Intelligence
(AI) feature that can be embedded and used through any
major messaging applications.
V Social Media Messaging Social media messaging is a platform for interaction among
individuals where they can communicate, share knowledge
and ideas, create and exchange information within a
virtual network.
V Input fields
V Available / Offered Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V Intrabank Transfer Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available

V PESONet Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V InstaPay Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V Check Deposit Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V Cardless Withdrawal Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V Bills Payment Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V Loans Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V Investment Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V Others Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
V Remarks Text Manual Input Input other relevant information not captured by the
template or that may affect the analysis of the data provided
V V.D Participation in Electronic Payment System Network
V Affiliated Switch Network (ASN) An interbank network, also known as an ATM consortium
or ATM network, is a computer network that
enables ATM cards issued by a financial institution that is a
member of the network to be used to
perform ATM transactions through ATMs that belong to
another member of the network.
V Bancnet BancNet Online is an online banking facility which allows ATM
cardholders to enjoy the convenience and security of making
banking transactions without the hassle of going to bank
branches or payment centers. (Bancnetonline.com)
V Bureau of Treasury - Registry of Scripless Securities (BTr RoSS) Registry of scripless securities
V Check Imaging and Clearing System (CICS) Check Image Clearing System (CICS) is the new
automated clearing system operated by the
Philippine Clearing House Corporation (PCHC), where
information on the check and its image are digitally captured
by the Bank receiving the check deposit and presented
electronically to the paying Bank.
V Independent ATM Deployer An independent ATM deployer (IAD) is a non-financial
institution that owns, manages, and places ATMs (cash
machines) in retail premises or elsewhere.
V Philippine Domestic Dollar Transfer System (PDDTS) The PDDTS is a local clearing and electronic
communications system operated by the BAP, the PCHC and
Citibank, Manila. It provides the banking industry with a
facility to move US dollar funds from one Philippine bank to
another on the same day, without having to go through
correspondent banks in the US. (bsp.gov.ph)
V Real-time Gross Settlement (RTGS/PhilPaSS) PhilPaSS is the acronym for Philippine Payment and
Settlement System, a real time gross settlement (RTGS)
system owned and operated by the Bangko Sentral ng
Pilipinas (BSP) that processes and settles interbank high value
payment transactions of banks through the demand deposit
accounts of the bank maintained with the BSP.
V Renminbi Transfer System (RTS) RMB Transfer System (RTS) is a service for Participating Banks
and their clients to send and receive RMB payments
and transfers in real-time within the Philippines and to and
from global payment systems. (pds.com.ph)
V Society for Worldwide Interbank Financial Telecommunication (SWIFT) The Society for Worldwide Interbank Financial
Telecommunication, legally S.W.I.F.T. SCRL, provides a
network that enables financial institutions worldwide to send
and receive information about financial transactions in a
secure, standardized and reliable
environment. (Wikipedia.com)
V Input field
V Participant Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
VI VI. BUSINESS CONTINUITY AND DISASTER RECOVERY
VI Bankwide Business Continuity Plan (BCP) Business continuity planning (BCP) is the process involved in
creating a system of prevention and recovery from potential
threats to a company. The plan ensures that personnel and
assets are protected and are able to function quickly in the
event of a disaster.
VI Departmental/Unit BCP Business continuity plan of each department or unit
VI Disaster Recovery Plan (DRP) A documented process or set of procedures to execute an
organization's disaster recovery processes and recover and
protect a business IT infrastructure in the event of a disaster.
VI Pandemic Plan The goal of the pandemic planning process is to minimize
serious illness and mortality, and to reduce societal
disruption in the population during an influenza pandemic.
VI Cyber Resilience Plan A plan to ensure that a BSFI can manage a cyberattack or data
breach while continuing to operate its business effectively.
VI Input fields
VI Available Text Manual Input (Y/N) Select “Yes” if service is available or “No” if not
available
VI Date Last Updated Date Manual Input Define the date the plans are last updated
VI Date Last Tested Date Manual Input Define the date the plans are last tested
VI Remarks Text Manual Input Input other relevant information not captured by the
template or that may affect the analysis of the data provided
VII VII. PRODUCT/SERVICE BRANDING
VII Product/Service Type Text List Select whether the Product/Service Type is :
(1) Retail Internet Banking
(2) Corporate Internet Banking Mobile Banking
(3) Prepaid/Cash Card
(4) Credit Card
(5) Virtual Asset
VII Product/Service Name Text Manual Input BSFI defined name, label, brand for the product or service
VII Remarks Text Manual Input Input other relevant information not captured by the
template or that may affect the analysis of the data provided
VIII VIII. ADDITIONAL INFORMATION
VIII Reference Text Manual Input Specify the section of this template with comments or
additional information. E.g. I.B, II.G, IV, etc.
VIII Comments Text Manual Input Input additional information/comments/clarification in
relation to the responses to the template.
