Technology Risk Management Guidelines
The aim of the MAS (Monetary Authority of Singapore) Technology Risk Management Guidelines (hereafter referred to as “the Guidelines”) is to promote the adoption of sound and robust practices for the management of technology risk.
The technology landscape of the financial sector is transforming at a rapid pace and the underlying information technology (IT) infrastructure supporting financial services has grown in scope and complexity in recent years. Many financial institutions (FIs) are riding the wave of digitalisation to increase operational efficiency and to deliver better services to consumers.
To comply with the MAS (Monetary Authority of Singapore) TRM Guidelines, an FI has to address 13 different sections, each with its own set of guidelines:
Technology Risk Governance and Oversight
Technology Risk Management Framework
IT Project Management and Security-by-Design
Software Application Development and Management
IT Service Management
IT Resilience
Access Control
Cryptography
Data and Infrastructure Security
Cyber Security Operations
Cyber Security Assessment
Online Financial Services
IT Audit
Requirements under each category:
1. Technology Risk Governance and Oversight
Ø Board of directors and senior management should have members with the knowledge to understand and manage technology risks, which include risks posed by cyber threats.
Ø The board of directors and senior management should ensure a Chief Information Officer, Chief Technology Officer or Head of IT, and a Chief Information Security Officer or Head of Information Security, with the requisite expertise and experience, are appointed. The appointments should, at a minimum, be approved by the Chief Executive Officer.
Ø The board of directors and senior management should ensure a technology risk management strategy is established and implemented.
Ø The board of directors and senior management should ensure key IT decisions are made in accordance with the FI’s risk appetite.
2. Technology Risk Management Framework
Ø This includes (a) Policies, Standards and Procedures, (b) Management of Information Assets, (c) Management of Third Party Services and (d) Security Awareness and Training.
3. IT Project Management and Security-by-Design
Ø A project management framework should be established to ensure consistency in project management practices, and delivery of outcomes that meet project objectives and requirements. The framework should cover the policies, standards, procedures, processes and activities to manage projects from initiation to closure.
Ø A project steering committee should be formed to oversee large and complex projects that impact the business.
Ø The FI should establish a framework to manage its system development life cycle (SDLC). The framework should clearly define the processes, procedures and controls.
4. Software Application Development and Management
Secure Coding, Source Code Review and Application Security Testing
It is essential for the FI to establish a comprehensive strategy to perform application security validation and testing.
Source code review is a systematic and methodical examination of the source code of an application.
The FI should continue to incorporate the necessary SDLC and security-by-design principles throughout its Agile process.
Perform source code review and application security testing (e.g. SAST, DAST, IAST) and fix the identified defects before deploying to production.
5. IT Service Management
Ø A robust IT service management framework is essential for supporting IT services and operations, tracking information assets, managing changes, responding to incidents, as well as ensuring the stability of the production IT environment.
Ø The following are the main parts of IT service management; most organisations implement them with the help of ticketing tools:
Configuration Management
Patch Management
Change Management
Incident Management
Problem management
Software Release Management
6. IT Resilience
Ø System Availability : Maintaining system availability is crucial in achieving confidence and trust in the FI’s operational capabilities. IT systems should be designed and implemented to achieve the level of system availability that is commensurate with its business needs.
Ø Testing of Disaster Recovery Plan : The disaster recovery plan should be tested against various plausible disruption scenarios, including full and partial incapacitation of the primary or production site and major system failures.
Ø System Backup and Recovery : The FI should establish a system and data backup strategy, and develop a plan to perform regular backups so that systems and data can be recovered in the event of a system disruption or when data is corrupted or deleted.
Ø Data Centre Resilience : The FI should ensure adequate redundancy for the power, network connectivity, and cooling, electrical and mechanical systems of the DC to eliminate any single point of failure. Consideration should be given to the following:
Examples: Flooding, fire, natural disasters, acts of terrorism, electricity surge, electromagnetic and electrical interference, etc.
7. Access Control
Ø User Access Management : The principles of ‘never alone’, ‘segregation of duties’ and ‘least privilege’ should be applied when granting staff access to information assets so that no one person has access to perform sensitive system functions. Access rights and system privileges should be granted according to the roles and responsibilities of the staff, contractors and service providers.
Ø The FI should establish a password policy and a process to enforce strong password controls for users’ access to IT systems.
Ø Multi-factor authentication should be implemented for users with access to sensitive system functions to safeguard the systems and data from unauthorised access.
Ø The FI should subject its service providers, who are given access to the FI’s information assets, to the same monitoring and access restrictions on the FI’s personnel.
Ø Privileged Access Management : Strong password controls should include a change of password upon first logon, minimum password length and history, and password complexity. Multi-factor authentication refers to the use of two or more factors to verify a user’s claimed identity. Such factors include, but are not limited to: (a) something that the user knows, such as a password or a PIN; (b) something that the user has, such as a cryptographic identification device or token; and (c) something that the user is, such as biometrics or behaviour.
Ø Remote Access Management : The FI should ensure remote access to the FI’s information assets is only allowed from devices that have been secured according to the FI’s security standards.
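The password controls listed above (change on first logon, minimum length, history and complexity) are easy to state and easy to get subtly wrong in code. The following Go program is an added example written for this page; it is not code from MAS or from any FI. The policy values (12 characters, 3 character classes, 5 remembered passwords) are assumptions chosen for the demonstration, and the salted SHA-256 used for the history comparison is a stand-in so the example stays in the standard library; a real credential store should use a slow password hash such as bcrypt, scrypt or argon2.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"unicode"
)

// PasswordPolicy encodes the controls the guideline names: minimum length,
// complexity and a history of previous passwords that may not be reused.
// The numeric values are assumptions for this example, not MAS requirements.
type PasswordPolicy struct {
	MinLength    int
	MinClasses   int // how many of lower / upper / digit / other must appear
	HistoryDepth int // how many previous password hashes are remembered
}

// Account is the per-user state: a salt, the hashes of the current and
// previous passwords (most recent first) and the first-logon change flag.
type Account struct {
	Salt       []byte
	History    [][]byte
	MustChange bool
}

// hashPassword is a salted SHA-256 used only to keep this example dependency
// free; a credential store should use bcrypt, scrypt or argon2 instead.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// NewAccount provisions an account with a temporary password that must be
// changed at first logon (the "change of password upon first logon" control).
func NewAccount(tempPassword string) (*Account, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{Salt: salt, History: [][]byte{hashPassword(salt, tempPassword)}, MustChange: true}, nil
}

// characterClasses counts how many of lower/upper/digit/other appear in pw.
func characterClasses(pw string) int {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			n++
		}
	}
	return n
}

// Validate returns nil when pw satisfies the policy for acct, otherwise the reason.
func (p PasswordPolicy) Validate(acct *Account, pw string) error {
	if len([]rune(pw)) < p.MinLength {
		return fmt.Errorf("password shorter than %d characters", p.MinLength)
	}
	if characterClasses(pw) < p.MinClasses {
		return fmt.Errorf("password uses fewer than %d character classes", p.MinClasses)
	}
	candidate := hashPassword(acct.Salt, pw)
	for i, old := range acct.History {
		if i >= p.HistoryDepth {
			break
		}
		if subtle.ConstantTimeCompare(candidate, old) == 1 {
			return fmt.Errorf("password matches one of the last %d passwords", p.HistoryDepth)
		}
	}
	return nil
}

// ChangePassword enforces the policy, rotates the history and clears the
// first-logon flag; the new hash becomes History[0], the current password.
func (p PasswordPolicy) ChangePassword(acct *Account, pw string) error {
	if err := p.Validate(acct, pw); err != nil {
		return err
	}
	acct.History = append([][]byte{hashPassword(acct.Salt, pw)}, acct.History...)
	if len(acct.History) > p.HistoryDepth {
		acct.History = acct.History[:p.HistoryDepth]
	}
	acct.MustChange = false
	return nil
}

// Login checks pw against the current password; mustChange tells the caller
// that the only action allowed after this logon is a password change.
func Login(acct *Account, pw string) (ok bool, mustChange bool) {
	ok = subtle.ConstantTimeCompare(hashPassword(acct.Salt, pw), acct.History[0]) == 1
	return ok, ok && acct.MustChange
}

func main() {
	policy := PasswordPolicy{MinLength: 12, MinClasses: 3, HistoryDepth: 5}
	acct, _ := NewAccount("Temp-Pass-2024!")
	fmt.Println(policy.ChangePassword(acct, "Temp-Pass-2024!")) // rejected: reuse of current password
	fmt.Println(policy.ChangePassword(acct, "Correct-Horse-42")) // <nil>: accepted, MustChange cleared
}
```

The history comparison is done with a constant-time compare and the current password is simply `History[0]`, so "cannot reuse the current password" and "cannot reuse the last N" are the same check; the first-logon flag is only cleared by a successful policy-conforming change, never by a plain logon.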
8. Cryptography
Example - suppose we take a plaintext message, "hello," and encrypt it with a key; let's say the key is "2jd8932kd8." Encrypted with this key, our simple "hello" now reads "X5xJCSycg14=", which seems like random garbage data. However, by decrypting it with that same key, we get "hello" back.
Plaintext + key = ciphertext:
hello + 2jd8932kd8 = X5xJCSycg14=
Ciphertext + key = plaintext:
X5xJCSycg14= + 2jd8932kd8 = hello
This is an example of symmetric cryptography, in which only one key is used. In public key cryptography, there would instead be two keys. The public key would encrypt the data, and the private key would decrypt it.
Here are some common uses of cryptography:
Financial transactions and online banking: Online banking and ecommerce websites use advanced encryption techniques to keep financial information safe.
SSL-secured websites: A website with an SSL certificate creates a secure, encrypted connection to protect information passing from your browser to the website’s server.
VPNs: A VPN is a security tool that redirects web traffic through a private server and encrypts the connection.
Can quantum computing change crypto-agility for post-quantum cryptography?
Current Cryptographic Algorithms
Symmetric Algorithms
AES (Advanced Encryption Standard): Widely used for data encryption, AES is considered secure against quantum attacks. Its adoption is recommended for safeguarding data in the quantum era.
Asymmetric Algorithms
RSA (Rivest–Shamir–Adleman): Vulnerable to Shor's algorithm, RSA encryption is not suitable for post-quantum security.
ECC (Elliptic Curve Cryptography): Vulnerable to quantum attacks, ECC should also be replaced in a post-quantum world.
Post-Quantum cryptography is an emerging field focused on developing cryptographic algorithms that are resilient to quantum attacks. These algorithms rely on mathematical problems that are believed to be difficult for both classical and quantum computers to solve. Unlike classical cryptography, which relies on mathematical problems like factoring large integers or computing discrete logarithms, post-quantum cryptography is based on alternative mathematical foundations, such as lattice-based cryptography, code-based cryptography, and multivariate polynomial cryptography. The primary goal of post-quantum cryptography is to provide encryption, digital signatures, and key exchange mechanisms that are resistant to quantum attacks. While post-quantum cryptography solutions are still being standardized and evaluated, their development is crucial to ensuring the long-term security of digital communication and data protection.
Financial Institution X recognized the importance of crypto-agility early on. They conducted a comprehensive risk assessment, identifying vulnerable encryption algorithms in their systems. They developed a detailed roadmap for transitioning to post-quantum cryptography and initiated a key management overhaul. Financial Institution X actively participates in post-quantum cryptography research and contributes to standardization efforts.
Note: quantum computing is not covered in the MAS TRM Guidelines; it is included here as a forward-looking topic for cryptography.
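The "plaintext + key = ciphertext" example above shows symmetric encryption, and the crypto-agility discussion says the asymmetric part (RSA, ECC) is what a post-quantum migration has to replace. The Go program below is an added example for both passages; it is not code from MAS, from the page, or from "Financial Institution X". It seals data with AES-256-GCM (the symmetric step) and delivers the per-message AES key through a `KeyEncapsulator` interface, with RSA-OAEP as the classical, quantum-vulnerable implementation. The interface, the `Envelope` layout and the `Alg` label are design choices assumed for the example: the point is that swapping in a post-quantum KEM later touches only the encapsulator, and the label lets old and new envelopes coexist during the transition.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// KeyEncapsulator is the crypto-agility seam. Data is always sealed with
// AES-256-GCM (symmetric, considered quantum-tolerant); only the mechanism
// that delivers the per-message AES key sits behind this interface, so a
// post-quantum KEM can replace RSA without touching the data path.
type KeyEncapsulator interface {
	Name() string
	Encapsulate(key []byte) ([]byte, error)     // wrap with the public key
	Decapsulate(wrapped []byte) ([]byte, error) // unwrap with the private key
}

// rsaOAEP is the classical, Shor-vulnerable encapsulator: the component a
// post-quantum migration roadmap would schedule for replacement.
type rsaOAEP struct{ priv *rsa.PrivateKey }

func (r rsaOAEP) Name() string { return "RSA-2048-OAEP (quantum-vulnerable)" }
func (r rsaOAEP) Encapsulate(key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.priv.PublicKey, key, nil)
}
func (r rsaOAEP) Decapsulate(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, wrapped, nil)
}

// NewRSAEncapsulator generates a fresh 2048-bit key pair (example only; real
// private keys belong in an HSM or key management system).
func NewRSAEncapsulator() (KeyEncapsulator, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return rsaOAEP{priv: priv}, nil
}

// Envelope is what is stored or transmitted. Alg records which encapsulator
// produced it, which lets old and new algorithms coexist during a migration.
type Envelope struct {
	Alg        string
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the page's "plaintext + key = ciphertext" step with a random
// 256-bit key per message, followed by wrapping that key for the recipient.
func Encrypt(kem KeyEncapsulator, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := kem.Encapsulate(key)
	if err != nil {
		return nil, err
	}
	return &Envelope{Alg: kem.Name(), WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is "ciphertext + key = plaintext"; GCM also rejects any tampering.
func Decrypt(kem KeyEncapsulator, env *Envelope) ([]byte, error) {
	key, err := kem.Decapsulate(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	kem, err := NewRSAEncapsulator()
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(kem, []byte("hello"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kem, env)
	fmt.Printf("alg=%s ciphertext=%x plaintext=%q err=%v\n", env.Alg, env.Ciphertext, pt, err)
}
```

Because the symmetric key is wrapped rather than derived from the RSA key, an inventory of stored envelopes can be re-wrapped under a new encapsulator (decapsulate with the old, encapsulate with the new) without re-encrypting the data itself, which is the practical payoff of the crypto-agile split.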
9. Data and Infrastructure Security
Ø This section has two main components: data security and network security.
Ø Data Security : The FI should develop comprehensive data loss prevention policies and adopt measures to detect and prevent unauthorised access, modification, copying, or transmission of its confidential data, taking into consideration the following:
data in motion - data that traverses a network or that is transported between sites
data at rest - data in endpoint devices such as notebooks, personal computers, portable storage devices and mobile devices, as well as data in systems such as files stored on servers, databases, backup media and storage platforms (e.g. cloud).
data in use - data that is being used or processed by a system.
Network Security :
Ø The FI should install network security devices such as firewalls to secure the network between the FI and the Internet, as well as connections with third parties.
Ø To minimise the risk of cyber threats, such as lateral movement and insider threat, the FI should deploy effective security mechanisms to protect information assets. Information assets could be grouped into network segments based on the criticality of systems, the system’s functional role (e.g. database and application) or the sensitivity of the data.
Ø Network intrusion prevention systems should be deployed in the FI’s network to detect and block malicious network traffic.
Ø The FI should implement network access controls to detect and prevent unauthorised devices from connecting to its network.
Ø Network access control rules in network devices such as firewalls, routers, switches and access points should be reviewed on a regular basis to ensure they are kept up-to-date. Obsolete rules and insecure network protocols should be removed promptly as these can be exploited to gain unauthorised access to the FI’s network and systems.
For more details on network security, refer to: Network Security
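The regular review of firewall rules described above is usually done from an exported rule set, so the following Go program is an added example of such a review; it is not code from MAS or the page, and the whitespace rule format and the sample rules in `SampleExport` are constructed for the example rather than the export of any real firewall product. It flags allow rules for cleartext or unauthenticated protocols (Telnet, FTP, rsh, TFTP), rules that are overly permissive (any/any/any), and rules that have never matched or have not matched within a staleness window (assumed here to be 90 days).

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// SampleExport is a constructed rule export (name action src dst service
// last_hit); it is not the output of any real firewall product.
const SampleExport = `
# name                action  src            dst         service  last_hit
allow-web             allow   any            10.0.1.10   tcp/443  2024-05-30
allow-telnet-legacy   allow   10.0.0.0/8     10.0.2.5    tcp/23   2023-01-15
allow-ftp-vendor      allow   203.0.113.7    10.0.3.9    tcp/21   never
temp-any              allow   any            any         any      2024-05-29
allow-ssh-bastion     allow   10.0.9.1       10.0.0.0/8  tcp/22   2024-05-30
deny-default          deny    any            any         any      2024-05-30
`

// Rule is one parsed row; LastHit is zero when the rule has never matched.
type Rule struct {
	Name, Action, Src, Dst, Service string
	LastHit                         time.Time
}

// Finding names a rule and why the review flagged it.
type Finding struct{ Rule, Issue string }

// insecureServices maps a service to the reason the protocol should be retired.
var insecureServices = map[string]string{
	"tcp/21":  "FTP (cleartext credentials)",
	"tcp/23":  "Telnet (cleartext session)",
	"tcp/514": "rsh/rlogin (cleartext, host-based trust)",
	"udp/69":  "TFTP (no authentication)",
}

// parseRules reads the whitespace format, skipping blank and '#' lines.
func parseRules(export string) ([]Rule, error) {
	var rules []Rule
	sc := bufio.NewScanner(strings.NewReader(export))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 6 {
			return nil, fmt.Errorf("malformed rule line: %q", line)
		}
		r := Rule{Name: f[0], Action: f[1], Src: f[2], Dst: f[3], Service: f[4]}
		if f[5] != "never" {
			t, err := time.Parse("2006-01-02", f[5])
			if err != nil {
				return nil, fmt.Errorf("bad last_hit in rule %s: %w", r.Name, err)
			}
			r.LastHit = t
		}
		rules = append(rules, r)
	}
	return rules, sc.Err()
}

// ReviewRules applies the three checks to every allow rule. Deny rules are
// left alone: an unused deny is harmless, an unused allow is attack surface.
func ReviewRules(export string, now time.Time, staleAfter time.Duration) ([]Finding, error) {
	rules, err := parseRules(export)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, r := range rules {
		if r.Action != "allow" {
			continue
		}
		if why, bad := insecureServices[r.Service]; bad {
			out = append(out, Finding{r.Name, "insecure protocol: " + why})
		}
		if r.Src == "any" && r.Dst == "any" && r.Service == "any" {
			out = append(out, Finding{r.Name, "overly permissive any/any/any allow rule"})
		}
		switch {
		case r.LastHit.IsZero():
			out = append(out, Finding{r.Name, "never matched: candidate for removal"})
		case now.Sub(r.LastHit) > staleAfter:
			days := int(now.Sub(r.LastHit).Hours() / 24)
			out = append(out, Finding{r.Name, fmt.Sprintf("no match in %d days: obsolete rule", days)})
		}
	}
	return out, nil
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // constructed review date
	findings, err := ReviewRules(SampleExport, now, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %s\n", f.Rule, f.Issue)
	}
}
```

On the sample data the review produces five findings: the Telnet rule is both insecure and obsolete, the FTP rule is insecure and has never matched, and the temporary any/any/any rule is over-permissive; the web and SSH rules and the default deny are left alone. In practice the hit counters come from the firewall's own logs or management API, and each finding becomes a change request under the change management process rather than an ad hoc edit.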
10. Cyber Security Operations
Ø This section has three key aspects:
Cyber Threat Intelligence and Information Sharing
Cyber Event Monitoring and Detection
Cyber Incident Response and Management
For more details on cyber security event monitoring and detection, refer to: Cyber Security Event monitoring and detection
For more details on the cyber security incident response process, refer to: Cyber Security Incident response process
11. Cyber Security Assessment
Ø The FI should establish a process to conduct regular vulnerability assessment (VA) on its IT systems to identify security vulnerabilities and ensure risks arising from these gaps are addressed in a timely manner. The frequency of VA should be commensurate with the criticality of the IT system and the security risk to which it is exposed.
Vulnerability assessment (VA) and penetration testing (PT) are the key aspects of this section.
For more details on VAPT, refer to: Vulnerability Assessment and Penetration Testing (VAPT)
12. Online Financial Services
Ø This is one of the important areas for financial institutions (FIs). Examples of online financial services include online banking, mobile banking, phone banking, online trading, mobile/digital wallets and payments, and financial and payment services offered using account and transaction APIs, etc.
Ø The FI should secure its communications channels to protect customer data. This can be achieved through data encryption and digital signatures.
Ø Mobile and other transaction-related applications should be delivered to customers only through proper, authorised channels; apps obtained from unauthorised channels are a constant cyber attack threat.
Ø Multi-factor authentication should be deployed at login for online financial services to secure the customer authentication process. Multi-factor authentication can be based on two or more of the following factors, i.e. what you know (e.g. personal identification number or password), what you have (e.g. one-time password (OTP) generator) and who you are (e.g. biometrics).
Ø When implementing time-based OTPs, the FI should establish a validity period that is as short as practicable to lower the risk of a stolen OTP being used for fraudulent transactions.
Ø Where biometric technologies and customer passwords are used for customer authentication, the FI should ensure the biometrics-related data and authentication credentials are encrypted in storage and during transmission.
Ø The FI should implement real-time fraud monitoring systems to identify and block suspicious or fraudulent online transactions.
Ø The FI should alert its customers on a timely basis to new cyber threats so that they can take precautionary measures.
These are a few notable points; there are many more parameters that an FI should implement in this area.
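The point about time-based OTPs, that the validity period should be as short as practicable, is concrete enough to show in code. The Go program below is an added example, not code from MAS or the page: an RFC 6238 TOTP generator (the customer's token side) and a server-side verifier in which the validity of a code is governed by the `Step` length, the number of neighbouring steps the verifier tolerates (`Skew`), and a per-user record of the last redeemed counter so a code that has been used once cannot be replayed inside its window. The 30-second step, 8-digit codes and the RFC 6238 test secret `12345678901234567890` are the standard's published parameters; the `Verifier` type and its replay rule are design choices assumed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// TOTP holds the RFC 6238 parameters. Step is the validity period of one
// code, which the guideline says to keep as short as practicable; Skew is
// how many neighbouring steps the verifier tolerates for clock drift. Every
// extra step of skew extends the time a stolen code stays usable.
type TOTP struct {
	Secret []byte
	Step   time.Duration
	Digits int
	Skew   int
}

// hotp is the HMAC-SHA1 dynamic truncation from RFC 4226 for one counter value.
func (t TOTP) hotp(counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, t.Secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < t.Digits; i++ {
		mod *= 10
	}
	code := strconv.FormatUint(uint64(bin%mod), 10)
	for len(code) < t.Digits { // left-pad to the configured length
		code = "0" + code
	}
	return code
}

// counter is the time step index: Unix time divided by the step length.
func (t TOTP) counter(at time.Time) int64 { return at.Unix() / int64(t.Step/time.Second) }

// Generate is what the customer's authenticator app or OTP token computes.
func (t TOTP) Generate(at time.Time) string { return t.hotp(uint64(t.counter(at))) }

// Verifier is the server side. lastUsed remembers the highest counter each
// user has redeemed so a code cannot be replayed within its validity window.
type Verifier struct {
	TOTP
	lastUsed map[string]int64
}

func NewVerifier(t TOTP) *Verifier { return &Verifier{TOTP: t, lastUsed: map[string]int64{}} }

// Verify accepts otp for user only if it matches a counter within +/-Skew
// steps of now and that counter is newer than the last one the user redeemed
// (strictly increasing counters are a deliberate, simple replay rule).
func (v *Verifier) Verify(user, otp string, now time.Time) bool {
	c := v.counter(now)
	for d := -v.Skew; d <= v.Skew; d++ {
		cand := c + int64(d)
		if cand < 0 {
			continue
		}
		if last, seen := v.lastUsed[user]; seen && cand <= last {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(v.hotp(uint64(cand))), []byte(otp)) == 1 {
			v.lastUsed[user] = cand
			return true
		}
	}
	return false
}

func main() {
	cfg := TOTP{Secret: []byte("12345678901234567890"), Step: 30 * time.Second, Digits: 8, Skew: 1}
	v := NewVerifier(cfg)
	code := cfg.Generate(time.Unix(59, 0)) // RFC 6238 vector: 94287082
	fmt.Println(code, v.Verify("alice", code, time.Unix(60, 0)))  // true: one step of drift allowed
	fmt.Println(code, v.Verify("alice", code, time.Unix(61, 0)))  // false: replay of a redeemed code
	fmt.Println(code, v.Verify("bob", code, time.Unix(120, 0)))   // false: outside the validity window
}
```

With `Step` of 30 seconds and `Skew` of 1, a code is accepted for at most 90 seconds and only once; setting `Skew` to 0 shortens that to a single step at the cost of rejecting clients whose clocks drift by more than a few seconds, which is the trade-off the guideline's "as short as practicable" wording is about.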
13. IT Audit
Ø Audit plays an important role to assess the effectiveness of the controls, risk management and governance process in the FI. The FI should ensure IT audit is performed to provide the board of directors and senior management an independent and objective opinion of the adequacy and effectiveness of the FI’s risk management, governance and internal controls relative to its existing and emerging technology risks.
Ø A comprehensive set of auditable areas for technology risk should be identified so that an effective risk assessment could be performed during audit planning. Auditable areas should include all IT operations, functions and processes.
Ø The FI should ensure its IT auditors have the requisite level of competency and skills to effectively assess and evaluate the adequacy of IT policies, procedures, processes and controls implemented.
A few additional areas have been added to the requirements:
Application Security Testing
BYOD Security
Mobile Application Security
These steps are defined based on the guidelines published by MAS.
Published by: cyber-tech-knowledge