MAS Technology Risk Management (TRM) Guidelines 2021
MAS Technology Risk Management (TRM) Guidelines 2021: The Complete Guide for Financial Services
By Victor Chin, Pragma (published 4 months ago)

The latest MAS Technology Risk Management Guidelines (TRMG) were released on 18 January 2021, eight years after the last major release in 2013. In this article, we break down the key changes that Financial Institutions (FIs) need to know to comply with the new Guidelines.

What are the MAS TRM Guidelines 2021 about?

The MAS TRM Guidelines 2021 set out MAS's expectations for Financial Institutions in Singapore on cyber resilience, software development and cloud. Strictly speaking, MAS Guidelines are not legally binding in the way MAS Notices are, but MAS takes an FI's adherence into account in its supervisory assessment, so in practice they are treated as requirements. They are a nod to the digital transformation happening amongst Financial Institutions around the world.

Traditional FIs are now pressured to evolve like technology companies. JPMorgan Chase chairman and CEO Jamie Dimon called FinTechs an enormous competitive threat to banks in his 2021 annual shareholder letter (JPMorgan Chase Annual Shareholder Letter 2021).

To keep up, traditional FIs either develop complex financial services and applications for their consumers or integrate services with FinTechs. Either way, there are technology risks involved.

What are the top 10 key updates in MAS TRM 2021?

The MAS TRM Guidelines 2021 stress the following areas, which we detail in this post:

1. Increased Role of Board and Senior Management
2. IT Project Management
3. Software Application Development and Management
4. Remote Access Management
5. Bring Your Own Device (BYOD)
6. Data and Infrastructure Security
7. Cybersecurity Operations
8. Cyber Exercises
9. Penetration Testing
10. Online Financial Services

Who needs to comply with the MAS TRM Guidelines?

The Guidelines apply to all licensed financial institutions and their service providers, such as:

Funding and Investment Related Companies: Approved CIS Trustee; Dealing in Capital Markets Products; Product Financing; Providing Custodial Services; Licensed Fund Management Company; Registered Fund Management Company; Venture Capital Fund Management Company; Corporate Finance Advisory; REIT Management; Credit Rating Agency; Securities Crowdfunding; Licensed Trust Company.

Insurance Companies and Reinsurers: Direct Insurer (Life); Direct Insurer (General); Direct Insurer (Composite); Reinsurer (Life); Reinsurer (General); Reinsurer (Composite); Captive Insurer; Lloyd's Asia Scheme; Financial Holding Company (Insurance); General Insurance Agents.

Financing Companies & Banks: Finance Company; Full Bank (Branch); Full Bank (Locally Incorporated); Merchant Bank (Branch); Merchant Bank (Locally Incorporated); Wholesale Bank (Branch); Wholesale Bank (Locally Incorporated); Financial Holding Company.

Credit & Payments Related Companies & Banks: Credit/Charge Card Issuer; Designated Payment System Operator; Designated Payment System Settlement Institution; Credit and Charge Card Licensee; Major Payment Institution; Standard Payment Institution; Money-changing Licensee.

Market Operators & Financial Exchanges: Markets and Exchanges; Clearing House; Trade Repository; Benchmark Administrator/Submitter; Central Securities Depository; Holding Company of Exchange or Clearing House.

Reference: Monetary Authority of Singapore

Note: FIs need to conduct a gap analysis to determine any non-compliance with the MAS TRM requirements. Any non-compliance resulting from implementation difficulties needs to be documented and explained, with mitigating controls in place.

On third-party risk, there are also expectations for the service providers of FIs to have secure and resilient systems. We explain more about that in the section on expectations for service providers below.

1. Increased Role of Board and Senior Management

All members of the Board of Directors (BoD) have direct responsibility for oversight of technology risk. It is a wake-up call for institutions that see IT as just a cost function.

Some key requirements to note are as follows:
- The BoD and Senior Management must have members with the knowledge to understand and manage technology risks.
- FIs should appoint a Chief Technology Officer and a Chief Security Officer (or equivalent roles, for smaller FIs).
- The BoD should have governance and oversight over technology risks, including making key IT decisions.
- FIs should have a technology risk management strategy in place.
- The BoD should undergo security awareness training.

For technology and information security leaders, the MAS TRM Guidelines 2021 present a new window of opportunity to engage higher management on technology and security matters. It is essential to communicate what the FI's technology risks are and, more importantly, how they impact the business. It is equally important to present a plan of action to manage these risks.

"All Financial Institutions should move from a siloed perspective and view technology as an integral part of the business."

Technology comes with costs and risks, but it is also a business enabler that can provide value and efficiency if a proper strategy is in place. It is a culture change on the part of higher management to have an open mind when it comes to understanding technology opportunities, challenges and risks.

The challenge for technology and security professionals is to deliver a technology risk management strategy that clearly explains the impact on business objectives, so that higher management can understand and appreciate it.

Checklist: Increased Role of Board and Senior Management
- Update the BoD Charter to include technology risk-related responsibilities.
- Have BoD member(s) who are experienced in technology risk management.
- Appoint senior technology and security roles in the FI with reporting lines to the BoD and Senior Management.
- Establish a governance process to enable effective reporting of technology matters to higher management.
- Conduct security awareness training for the BoD and Senior Management.

2. IT Project Management

Another key focus is the governance of IT projects undertaken by FIs. This includes creating a project committee for large and complex projects, clear requirements for conducting vendor due diligence, Security-by-Design and a quality management process.

First and foremost, senior management is expected to be involved in large and complex IT projects that impact the business. This is to ensure that all business and security project risks are adequately addressed.

Requirements for vendor due diligence are made more explicit in the MAS TRM Guidelines 2021. FIs should establish standards and procedures for assessing the security of the vendor and its applications. Depending on the criticality of the application, the Guidelines suggest that the FI should have access to the source code of the third-party software (for example, through a source code escrow arrangement, so the FI can review and maintain the software if the vendor fails).

There is also an emphasis on Security-by-Design, in line with the industry trend of shifting security left in the software development lifecycle. A Security-by-Design approach streamlines the development of a secure application, avoiding the complications that normally arise from treating security as an afterthought.

Checklist: IT Project Management
- Establish standards and procedures for vendor due diligence.
- Design secure architecture for systems and applications.
- Develop vendor due diligence processes and procedures.
- Establish a project steering committee for large and complex projects that involves key stakeholders and senior management.

3. Software Application Development and Management

The secure development of Application Programming Interfaces (APIs) is the key focus here. MAS recognises that financial services have become an interconnected ecosystem. FIs will increasingly collaborate and provide complex financial services to consumers by connecting to each other's systems using APIs.

APIs should be sufficiently secure for the fintech ecosystem to flourish. Although API security is a complex topic that overlaps with other technology domains, the TRM Guidelines 2021 sufficiently expound on the key points: for example, governance of third-party API access, security standards for API development and design, strong encryption, API security testing in pre-production, and real-time monitoring of API calls and availability. A new requirement has been introduced that requires FIs to vet customers who want to consume their APIs.

Checklist: Software Application Development and Management
- Design, establish and enforce API standards during the software development lifecycle.
- Develop a secure software development lifecycle.
- Establish policies and procedures to govern and manage third-party access to APIs.
- Establish segregation of duties for DevSecOps.
- Establish secure coding practices, source code reviews and application security testing, especially if practising Agile.
- Manage end-user application risk using whitelists.

4. Remote Access Management

The MAS TRM Guidelines 2021 provide foundational requirements for remote access management that focus on secure authentication, as well as the security of the devices used to remotely access an FI's information assets.

Strong authentication refers to the use of multi-factor authentication (MFA) to add another layer of protection and ensure the identity of the entity requesting access to the FI's IT environment.

Industry-accepted encryption algorithms should be used to secure communication channels, safeguarding the confidentiality and integrity of any data or API calls. The Guidelines have an entire chapter outlining security practices on cryptography.

FIs should also ensure that the devices used to access their information assets have been hardened and adequately protected before access is granted. For example, devices should have endpoint protection solutions installed and be securely configured. Such practices allow secure remote connections by protecting the physical and network infrastructure supporting them.

Checklist: Remote Access Management
- Establish processes and procedures to harden devices.
- Develop a secure identity and access management (IAM) model.
- Implement endpoint protection solutions to protect and monitor devices.
- Use industry-accepted encryption algorithms to protect communication channels.
- Implement multi-factor authentication.

5. Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD) refers to employees using personal devices to access business information and systems. BYOD is a double-edged sword. It permits a mobile and dynamic workforce but also introduces security risks that FIs should address.

Therefore, the Guidelines recommend that FIs revise their BYOD policies and procedures with security controls such as Mobile Device Management (MDM) or virtualisation solutions.

MDM solutions can be used to manage and control mobile devices, with features such as storage encryption, remote wipe and baseline security monitoring. Virtualisation solutions allow end users to remotely access the FI's IT systems and applications from mobile devices through a virtual environment or sandbox, so that business data does not have to reside on the personal device itself. We explain more about virtualisation in the next section.

Checklist: Bring Your Own Device (BYOD)
- Implement MDM and/or virtualisation solutions.
- Establish BYOD policies and procedures around how personal devices can be used for business purposes.

6. Data and Infrastructure Security

The new Guidelines emphasise endpoint protection, with MAS recommending hardening of endpoints in line with industry best practices such as the Center for Internet Security (CIS) Benchmarks. This includes secure configurations as well as the implementation and maintenance of endpoint protection solutions.

The network security section recommends the use of Network Intrusion Prevention Systems (NIPS) and Network Access Control (NAC) to detect and block malicious traffic, along with more traditional network security devices like firewalls. These devices should be kept constantly updated.

Like BYOD, the MAS TRM Guidelines 2021 cover virtualisation technology for the first time. Appropriate policies and procedures to manage virtual machines and snapshots should be implemented. Access to hypervisors and the systems hosting hypervisors should be restricted.

The Guidelines also bring up sandboxed browsing and IoT security. Sandboxed browsing means "isolating internet web browsing activities from its endpoint devices". In short, it protects the endpoint from the harmful effects of browsing: a malicious page or drive-by download is contained in the sandbox rather than running on the host.

As for IoT security, IoT devices need to be hardened, and IoT networks need to be segregated from networks that host the FI's data and systems.

Checklist: Data and Infrastructure Security
- Review your security architecture and ensure NIPS and NAC are set up effectively.
- Review your IT environments and security architecture to define clear zones that prevent attacker movement.
- Evaluate the internet browsers in use and sandboxed browsing for implementation.
- Ensure policy, standards and access controls are implemented for the lifecycle of virtual images and snapshots and for the use of hypervisors.
- Segregate IoT devices from your core operations and subject them to security testing and security controls (e.g. access control and security monitoring).

7. Cybersecurity Operations

FIs are highly encouraged to procure cyber intelligence monitoring services and participate in cyber threat information-sharing arrangements.

Threat intelligence includes, but is not limited to, services that keep FIs updated on the latest malware and system vulnerabilities, as well as the Tactics, Techniques and Procedures (TTPs) used by Advanced Persistent Threat (APT) groups targeting FIs.

FIs should also participate in or subscribe to cyber intelligence sharing platforms like FS-ISAC, IT-SAC and SingCERT, and to vulnerability feeds such as CVE. Such activities help improve the resilience of FIs against cyberattacks.

Other recommendations include the capability to detect and respond to misinformation propagated via the internet, as well as establishing cyber incident response capabilities.

Checklist: Cybersecurity Operations
- Subscribe to or participate in ISACs and CERTs, as well as other commercial alternatives.
- Develop threat and vulnerability management programmes.
- Procure threat intelligence monitoring services.
- Develop incident response capabilities.
- Establish policies and procedures to deal with misinformation propagated via the internet.

8. Cyber Exercises

Another area to explore is participation in scenario-based cyber exercises based on threat intelligence, including social engineering, table-top exercises and adversarial attack simulation exercises. Such exercises allow FIs to test their detection and response capabilities as well as their decision-making during a real crisis.

Checklist: Cyber Exercises
- Conduct scenario-based cyber exercises involving key stakeholders and senior management.
- Conduct adversarial attack simulation exercises.

9. Penetration Testing

The MAS TRM Guidelines 2021 call for penetration testing (PT) of internet-facing systems to be conducted at least annually or after a major change. Additionally, they recommend that penetration testing be conducted in production environments, since a test against a staging copy can miss misconfigurations and controls that exist only in production.

More notably, as a sign of changing times, the Guidelines endorse bug bounty programmes as an acceptable method to complement an FI's vulnerability assessment and penetration testing programme.

Checklist: Penetration Testing
- Review the scope of penetration testing to include internal and production systems.
- Conduct penetration tests annually or after a major change.

10. Online Financial Services

Online Financial Services include new requirements to actively monitor phishing campaigns against the users of your services, encryption, digital signatures, application sandboxing, device root protection and mobile application security.
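The digital signature and transaction signing controls listed under Online Financial Services are worth making concrete, because a plain login OTP and a transaction-signing OTP defend against different attacks: a login OTP proves the customer is present, but a man-in-the-browser can still swap the payee or amount after the code is entered, whereas a code that commits to the transaction content fails verification the moment either field changes. The example below is added here and is not code from the original article or from MAS; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, then binds the code to a canonicalised transaction by folding a SHA-256 hash of the transaction fields into the HMAC input (an assumed construction for illustration, not a named standard). The secret, timestamp and transaction fields are constructed test values.

```python
import hashlib
import hmac
import struct

# Constructed demo secret for illustration only (the RFC 4226/6238 test seed, not a
# real credential). In production the shared secret is provisioned per customer
# device and the server-side copy lives in an HSM or equivalent secure storage.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30     # seconds per OTP step (RFC 6238 default)
DIGITS = 6
DRIFT_WINDOW = 1   # accept one step either side of the server clock


def hotp(secret: bytes, counter: int, extra: bytes = b"", digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with dynamic truncation. `extra` is an assumed extension: when
    non-empty it is appended to the counter so the code is also bound to that data."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: a login OTP that depends only on the secret and the time step."""
    return hotp(secret, unix_time // TIME_STEP)


def canonical_txn(txn: dict) -> bytes:
    """Serialise the fields in a fixed order so the customer's token and the server
    hash identical bytes regardless of how the request was encoded."""
    return "|".join(f"{k}={txn[k]}" for k in sorted(txn)).encode()


def transaction_code(secret: bytes, txn: dict, unix_time: int) -> str:
    """Transaction-signing OTP: the code commits to payee, amount and reference, so a
    code generated for one transaction does not verify a modified one."""
    digest = hashlib.sha256(canonical_txn(txn)).digest()
    return hotp(secret, unix_time // TIME_STEP, extra=digest)


def verify_transaction_code(secret: bytes, txn: dict, code: str, unix_time: int) -> bool:
    """Server side: recompute the code for the transaction actually submitted, over the
    drift window, and compare in constant time to avoid a timing oracle."""
    step = unix_time // TIME_STEP
    digest = hashlib.sha256(canonical_txn(txn)).digest()
    return any(
        hmac.compare_digest(hotp(secret, c, extra=digest), code)
        for c in range(step - DRIFT_WINDOW, step + DRIFT_WINDOW + 1)
    )


def demo() -> dict:
    """The cases a reviewer wants to see: legitimate, tampered, replayed late, login OTP."""
    now = 1_610_928_000  # constructed timestamp: 18 Jan 2021 00:00 UTC
    txn = {"payee": "SG12-ACME-001", "amount": "1500.00", "ref": "INV-2021-0042"}  # constructed
    code = transaction_code(DEMO_SECRET, txn, now)
    tampered = dict(txn, amount="15000.00")   # man-in-the-browser edits the amount
    return {
        "legitimate_accepted": verify_transaction_code(DEMO_SECRET, txn, code, now),
        "tampered_rejected": not verify_transaction_code(DEMO_SECRET, tampered, code, now),
        "stale_rejected": not verify_transaction_code(DEMO_SECRET, txn, code, now + 300),
        # a plain login TOTP is not a valid transaction code: it is bound to nothing
        "login_otp_rejected": not verify_transaction_code(DEMO_SECRET, txn, totp(DEMO_SECRET, now), now),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the customer's device must display the same payee and amount that go into `canonical_txn` ("what you see is what you sign"), otherwise the binding proves nothing, and the server must record used codes within the drift window so a captured code cannot be replayed against the identical transaction.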
The Guidelines also cover Customer Authentication and Transaction Signing requirements such as MFA, transaction signing, adaptive authentication, time-based OTPs, biometrics, soft tokens, session protection, maker-checker functions and secure credential storage.

Next, let's talk about real-time fraud monitoring systems. While this is common practice in some areas such as credit card transactions, the MAS TRM Guidelines 2021 have expanded the scope to include any online transaction. This is a significant new requirement for services that don't already do this.

Other Areas of Emphasis

Now that we are done with the top 10 key focus areas, we can touch upon other areas that should also be addressed.

Establish a proper risk management framework

The name of the Guidelines implies that risk management is a key concept. MAS encourages a risk-based approach in the adoption of the TRM Guidelines when assessing compliance. In short, FIs should have a mechanism in place to identify, assess, treat and monitor their risks.

Implement your policies and keep track of compliance

Policies and procedures should not be a mere document but should drive the consistent implementation of controls to protect the FI's assets and help achieve business objectives.

Insure yourself against cyber risk

MAS now expects FIs to take out technology risk insurance. Financial protection aside, insurance gives FIs access to a panel of experts such as lawyers and forensic specialists to help respond to cyber incidents more effectively.

Know your assets and assign accountability

FIs should start by understanding their assets, where they are and who has access to them. It is also important to assess their impact on the organisation so that better decisions can be made on the right level of protection. Assets must have assigned owners who are responsible for ensuring that they are properly managed throughout their lifecycle.

Conduct background checks

Background screening of personnel with access to the FI's systems and data, including third parties, is needed to support hiring decisions based on candidate suitability and to protect against operational risks.

Establish a resilient architecture and test for recovery

FIs should also document recovery plans and test them periodically using plausible disruption scenarios. Finally, FIs should aim to operate from a recovery or alternate setup for an extended period for a more relevant test.

What are the MAS TRM Guidelines 2021 expectations for service providers?

Financial Institutions are increasingly reliant on service providers to perform business-critical activities, which introduces risk. Therefore, the TRM Guidelines 2021 set out several expectations for service providers to securely and reliably support FIs.

Stringent due diligence

FIs are expected to conduct stringent due diligence on service providers to ensure that they do not pose unnecessary risks to the FIs. These due diligence exercises are holistic and cover many aspects of technology risk management. Service providers should also consider undertaking industry-recognised security compliance certifications and attestations like ISO 27001 and SOC 2 Type II to help ensure they have the right control framework and can demonstrably meet this due diligence.

Competency and background checks

Service providers are also expected to prove that their employees are competent and sufficiently skilled for the task. This can be fulfilled by providing professional development opportunities like training and certifications. Background checks should also be conducted on the staff of service providers. This reduces risks related to insider threats.

Disaster recovery capability

To promote a resilient financial services ecosystem, FIs and their service providers should have advanced disaster recovery capabilities. Service providers should have disaster recovery policies and procedures in place. Disaster recovery testing should be carried out at regular intervals to ensure that the target RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are met. Additionally, disaster recovery testing should be a coordinated effort between service providers and the FI, so that problems which would otherwise surface only during an actual disaster recovery are found and fixed in advance.

System security

Service providers managing any systems on behalf of FIs should ensure that these systems are appropriately protected and adhere to the FI's system security standards. The service provider should conduct system hardening activities to meet the applicable security standards. Additionally, reputable endpoint protection solutions should be installed. These activities help secure the supply chain, as all systems with access to the FI's IT environment, as well as systems managed by service providers, are appropriately secured.

Interconnected ecosystem

MAS also expects FIs and service providers to work closer together for a more resilient financial services ecosystem. Service providers are expected to undergo security awareness training programmes conducted by the FIs, as well as take part in the FI's cyber exercises where applicable. Such partnership will foster a more dynamic and closer working relationship, which will be crucial in times of crisis.

Takeaways

With technology playing such a crucial role in Financial Institutions, senior management and the Board of Directors need to be more involved and must understand technology risk in the ever-changing cyber threat landscape.

There is an increased emphasis on secure development practices and API security. This includes a 'shift left', where the security requirements of any IT project should be considered at the beginning of the design phase.

Adapting to fast-changing times, bug bounty programmes are now a legitimate complement to penetration testing programmes in FIs.

Security controls and cyber tooling are also more prescriptive. The emphasis on tools and practices improves the resilience of FIs in Singapore by improving their capabilities to detect, respond to and recover from cyberattacks.

View the original MAS TRM Guidelines 2021 on the MAS website.