MAS revises Technology Risk Management Guidelines to ...
Knowledge Highlights, 1 February 2021

On 18 January 2021, the Monetary Authority of Singapore (“MAS”) issued the revised Technology Risk Management Guidelines (“Guidelines”) to keep pace with emerging technologies and shifts in the cyber threat landscape.

The revised Guidelines focus on addressing technology and cyber risks amid the growing use of cloud technologies, application programming interfaces and rapid software development by financial institutions (“FIs”). The Guidelines reinforce the importance of incorporating security controls as part of FIs’ technology development and delivery lifecycle, as well as in the deployment of emerging technologies.

Roles and responsibilities of board of directors and senior management

The revised Guidelines provide additional guidance on the roles and responsibilities of the board of directors and senior management, including the following:

- Both the board of directors and senior management should have members with the knowledge to understand and manage technology risks, which include risks posed by cyber threats.
- The board of directors and senior management should ensure that a Chief Information Officer and a Chief Information Security Officer, with the requisite experience and expertise, are appointed.
- The board of directors and senior management should ensure that key information technology (“IT”) decisions are made in accordance with the FI’s risk appetite.

Enhanced risk mitigation strategies

The revised Guidelines set out the following enhanced risk mitigation strategies for FIs:

- Cyber threat intelligence and information sharing: To maintain good cyber situation awareness, FIs should establish a process to collect, process and analyse cyber-related information for its relevance and potential impact to the FI’s business and IT environment. In addition, FIs should procure cyber intelligence monitoring services. As cyber threat information sharing is an important component of cyber resilience within the financial ecosystem, FIs should actively participate in cyber threat information-sharing arrangements with trusted parties to share and receive timely and actionable cyber threat information.
- Stress testing of cyber defences: FIs should conduct cyber exercises to stress test their cyber defences by simulating the attack tactics, techniques, and procedures used by real-world attackers.

The Guidelines have also been revised to include additional guidance to manage risks arising from emerging technologies, including the following:

- Virtualisation security: FIs should ensure that security standards are established for all components of a virtualisation solution (e.g. the hypervisor, the host operating system and the guest operating system). Strong access controls should be implemented to restrict administrative access to the hypervisor and host operating system. FIs should also establish policies and standards to manage virtual images and snapshots to protect these assets against unauthorised access or modification.
- Internet of Things: FIs should maintain an inventory of all their Internet of Things (“IoT”) devices, including information such as the networks to which they are connected and their physical locations. In addition, the network that hosts IoT devices should be secured and FIs should implement controls to prevent unauthorised access to IoT devices.

Oversight of arrangements with third-party service providers

In light of FIs’ growing reliance on third-party service providers, the revised Guidelines set out the expectation for FIs to exercise strong oversight of arrangements with third-party service providers. On an ongoing basis, FIs should ensure that third-party service providers employ a high standard of care and diligence in protecting data confidentiality and integrity as well as ensuring system resilience.

Background

The revised Guidelines incorporate feedback received from the public consultation conducted in 2019, MAS’ engagement with the industry, and MAS’ Cyber Security Advisory Panel. MAS issued its response to feedback received on the consultation paper on 18 January 2021.

Reference materials

The following materials are available on the MAS website www.mas.gov.sg:

- Press release: MAS enhances guidelines to combat heightened cyber risks
- Technology Risk Management Guidelines
- Response to feedback received on consultation paper on Proposed Revisions to Technology Risk Management Guidelines
- Annexes to Response to feedback on consultation paper on Proposed Revisions to Technology Risk Management Guidelines

Allen & Gledhill Regulatory & Compliance

To assist our clients with compliance matters, our consultancy arm, Allen & Gledhill Regulatory & Compliance, provides a range of services and solutions. Should you have any queries relating to compliance issues arising out of these developments, please contact: [email protected]

Authored by: Adrian Ang, Francis Mok, Catherine Neo, Karen Tiah (Singapore)