
WHITEPAPER: FIREMON COMPLIANCE WITH THE TECHNOLOGY RISK MANAGEMENT GUIDELINES FROM MONETARY AUTHORITY OF SINGAPORE
By: Jim D. Hietala, CISSP, GSEC, Open FAIR, Compliance Research Group

Table of Contents
Executive Overview
Overview of the Technology Risk Management Guidelines
FireMon Product Summary
TRM Requirements and FireMon Compliance Summary
Conclusion
About the Author
About FireMon

Executive Overview

Complying with the 12 sections and 6 appendices of the Monetary Authority of Singapore Technology Risk Management Guidelines (TRM) requires a detailed understanding of the guidelines and the implementation of security controls that can mitigate risks. These include controls that manage, enforce, and report on compliance with policies in IT infrastructure equipment such as firewalls, routers, and switches. This whitepaper describes the TRM and its importance and impact in Singapore and throughout Southeast Asia. The paper also describes those security controls in the FireMon family of IT security products that provide effective mitigation of risks to help enterprises meet the security guidelines found in the TRM. By providing capabilities that facilitate compliance with a large percentage of the technical security controls identified in Sections 4, 7, 9, 11, 12, and 14 and Appendices A and D, FireMon's products help address half of the TRM's sections and add significantly to the ability of financial institutions and other organisations to comply with the TRM and to effectively secure their customer financial information and IT systems.

Overview of the Technology Risk Management Guidelines

Published by the Monetary Authority of Singapore (MAS), the TRM is aimed at financial institutions in Singapore. While not mandatory, compliance with the guidelines is something that the financial regulators consider in their risk assessments of financial institutions. In addition, given the leadership shown by the MAS in developing and issuing the guidelines, the best practices described in the TRM have been adopted by other sectors and by organisations outside Singapore in Southeast Asia. As such, they are a highly influential set of guidelines and recommendations with which to reduce risk in IT systems.
The TRM has three primary goals, which are to assist organisations in:
- Establishing a sound and robust technology risk management framework;
- Strengthening system security, reliability, resiliency, and recoverability;
- Deploying strong authentication to protect customer data, transactions, and systems.

The TRM contains 12 major sections and 6 appendices:

(3) OVERSIGHT OF TECHNOLOGY RISKS BY BOARD OF DIRECTORS AND SENIOR MANAGEMENT: This section of the TRM makes boards of directors and senior management responsible for risk management. It also establishes the requirement for policies, standards, and procedures that support the risk management framework, and for compliance processes that support the framework. In addition, it calls for security awareness programmes and requirements.

(4) TECHNOLOGY RISK MANAGEMENT FRAMEWORK: In this section, the MAS specifies the essential elements of a risk framework to be implemented by affected financial institutions (FIs). The section describes numerous key requirements that FIs must address in their risk framework, including protection of information system assets, identification of risks, assessment of risks, risk treatment, and risk monitoring and reporting.

(5) MANAGEMENT OF IT OUTSOURCING RISKS: Section 5 covers best practices for due diligence when vetting outsourcing providers and for understanding the particular security implications of cloud computing.

(6) ACQUISITION AND DEVELOPMENT OF INFORMATION SYSTEMS: This section provides requirements related to the procurement of IT hardware and software, as well as software development security issues (including code review and system test requirements) and project management requirements.

(7) IT SERVICE MANAGEMENT: Section 7 describes service management issues such as change management, release management, incident and problem management, and capacity management.

(8) SYSTEMS RELIABILITY, AVAILABILITY AND RECOVERABILITY: This section describes requirements for the reliability, availability, and recoverability of IT systems and infrastructure. It documents requirements for disaster recovery, data backup, and redundant equipment for failover.

(9) OPERATIONAL INFRASTRUCTURE SECURITY MANAGEMENT: This section presents key requirements for technical security controls that aim to protect customer information and other information assets. Included are requirements for user authentication, access controls, firewalls, data loss prevention, data protection both for data at rest on endpoints and for data in motion, encryption, and network and security configuration management. The section further describes requirements for wireless security, vulnerability assessments, penetration tests, vulnerability management, patch management, security monitoring, and logging and auditing.

(10) DATA CENTRES PROTECTION AND CONTROLS: Section 10 provides requirements for data centre protection and security. This includes performing threat and vulnerability risk assessments and deploying physical security controls to ensure the resiliency and operation of the facility.

(11) ACCESS CONTROL: This section of the TRM describes access controls aligned with fundamental security principles (the never-alone principle, segregation of duties, and the principle of least privilege). It also covers access management, user privilege management for both insiders and contractors, password controls and policies, and restrictions on concurrent access to both production and backup data. Section 11 also describes numerous controls for privileged users.

(12) ONLINE FINANCIAL SERVICES: Section 12 is specific to online financial services. It segments online services into different categories (information, interactive information, and transactional service), and guides FIs to assess risks for these services appropriately. Numerous controls specific to online services are provided to ensure the confidentiality, integrity, and availability of these systems. These include encryption, logical segmentation of networks, monitoring and surveillance of activity, anti-DDoS measures, two-factor authentication, and customer security awareness education.

(13) PAYMENT CARD SECURITY (AUTOMATED TELLER MACHINES, CREDIT AND DEBIT CARDS): Section 13 describes security controls specific to payment cards. From a security requirements standpoint, this section recommends safeguards to protect sensitive payment card data stored on magnetic stripes, and it calls for one-time password implementations for internet-based card transactions. It also requires ATM physical security measures and anti-fraud controls.

(14) IT AUDIT: The IT Audit section of the TRM identifies how the IT audit function should be organised and governed, and it gives recommendations for audit frequency and scope.

APPENDIX A: SYSTEMS SECURITY TESTING AND SOURCE CODE REVIEW: A more detailed set of recommendations and requirements regarding testing of software, systems and networks is described in this appendix.

APPENDIX B: STORAGE SYSTEM RESILIENCY: This appendix describes requirements for the resiliency of IT storage systems.

APPENDIX C: CRYPTOGRAPHY: The specific recommendations regarding the use of cryptographic algorithms and standards are provided here.

APPENDIX D: DISTRIBUTED DENIAL-OF-SERVICE PROTECTION: Recommendations to maintain availability and continuity of operation in the face of attempted DDoS attacks are provided here.

APPENDIX E: SECURITY MEASURES FOR ONLINE SYSTEMS: More detailed recommendations for security controls for online services are detailed in this appendix.

APPENDIX F: CUSTOMER PROTECTION AND EDUCATION: Describes measures the FIs should undertake to educate customers on security threats.

The TRM includes requirements that span people, processes, and technological controls. Many areas of the TRM specify people and process controls, where technological solutions are not useful or applicable. As the summary table above shows, FireMon's products provide key capabilities that help FIs to address many of the technology control requirements in the TRM. This includes significant coverage of compliance requirements found in Sections 4, 7, 9, 11, 12, and 14. The FireMon products also help address compliance requirements found in Appendices A and D. For reference, the complete Technology Risk Management Guidelines from MAS are available on the MAS website [1]. A helpful compliance checklist for the MAS TRM is also available on that website [2].

FireMon Product Summary

FireMon provides a range of products that help organisations to better manage their IT infrastructure and understand risks from network access configuration. The FireMon Security Manager platform provides constant visibility into network security enforcement, the impact of policy change, and the exposure of vulnerable systems to attack, allowing organisations to optimize their existing defenses and focus remediation on truly critical IT risks. FireMon Risk Analyzer provides attack vector analysis, continuous attack surface monitoring, pre-change risk analysis, and network security enforcement gap analysis. FireMon Policy Planner provides rule recommendations, and allows network managers to manage the rule change process, perform policy change impact analysis, and perform continuous policy compliance assessment.

TRM Requirements and FireMon Compliance Summary

The mapping below includes the specific TRM reference, the requirement language, and explanatory text describing how the relevant FireMon product helps FIs to meet the requirement. Note that this mapping does not contain the full set of sections and requirements; it focuses on 6 of the 12 sections where the FireMon products either directly enable compliance or support efforts to comply.

(4) TECHNOLOGY RISK MANAGEMENT FRAMEWORK
In this section, the MAS specifies the essential elements of a risk framework to be implemented by affected FIs, including protection of information system assets, identification of risks, assessment of risks, risk treatment, and risk monitoring and reporting.

4.0.1 b. Identification and prioritisation of information system assets.
4.0.1 c. Identification and assessment of impact and likelihood of current and emerging threats, risks, and vulnerabilities.
FireMon coverage: FireMon risk reports help managers understand where the highest network security risks are, based on reachable assets with known vulnerabilities.

[1] http://www.mas.gov.sg/~/media/mas/regulations%20and%20financial%20stability/regulatory%20and%20supervisory%20framework/risk%20management/TRM%20Guidelines%20%2021%20June%202013.pdf
[2] http://www.mas.gov.sg/~/media/mas/regulations%20and%20financial%20stability/regulatory%20and%20supervisory%20framework/risk%20management/TRM_Checklist

4.0.1 d. Implementation of appropriate practices and controls to mitigate risks.
FireMon coverage: Controls and security policies deployed through FireMon Security Manager are intended to mitigate risks. These include policies, firewall rulesets, and baseline configurations that are deployed to network firewalls. New rules can be pre-tested for compliance before deploying them. The product also reports on changes to rules that have moved firewalls out of compliance with policy.

4.0.1 e. Periodic update and monitoring of risk assessment to include changes in systems, environment or operating conditions that would affect risk analysis.
FireMon coverage: Baseline policies are assessed in real time, and managed and controlled before any new implementation of a service or application. FireMon Security Manager reports on firewall rule changes, as well as changes to risks over time.

4.1.1 Information system assets are adequately protected from unauthorised access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.
4.1.2 The criticality of information system assets is ascertained and appropriate plans are developed to protect them.
FireMon coverage: FireMon helps ensure that access to IT systems is protected and that rules involving risky protocols, ports, and services are identified and properly managed.

4.2.4 Mutating and growing risks are monitored vigilantly.
FireMon coverage: Attack path analysis and identification reports from FireMon can be used in the face of attacks to determine which assets are at risk and to plan network changes and new firewall rules to protect assets.

4.3.3 A threat and vulnerability matrix is developed to assess the impact of threats to the organisation's IT environment, and to prioritise IT risks.
4.4.1 For each type of risk identified, risk mitigation and control strategies that are consistent with the value of the information system assets and the level of risk tolerance are developed and implemented.
FireMon coverage: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

4.4.3 Priority is given to threat and vulnerability pairings with a high-risk ranking which could cause significant harm or impact to the organisation's operations.
4.5.1 A monitoring and review process for continuous assessment and treatment of risks is instituted. Risks of the highest severity are accorded top priority and monitored closely with regular reporting on the actions that have been taken to mitigate them.
4.5.2 IT risk metrics are developed to highlight the systems, processes, or infrastructure that have the highest risk exposure.
4.5.3 Past risk-control methods are re-evaluated with renewed testing and assessment of the adequacy and effectiveness of risk management processes.
FireMon coverage: Risk reporting from FireMon can help prioritise network security risks and plan effective mitigation.

(7) IT SERVICE MANAGEMENT
7.1.1 A change management process is established to ensure that changes to production systems are assessed, approved, implemented, and reviewed in a controlled manner.
7.1.2 The change management process applies to changes pertaining to system and security configurations, patches for hardware devices, and software updates.
FireMon coverage: Pre-change analysis can help determine the effect of rule changes on security and risk before committing the changes to network devices.

7.1.3 Prior to deploying changes to the production environment, an assessment of whether the introduced change would create security implications or software compatibility problems for affected systems or applications is performed.
FireMon coverage: Pre-change analysis can help determine the effect of rule changes on security and risk before committing the changes to network devices.

7.2.2 Separate physical or logical environments for systems development, testing, staging, and production are established.
FireMon coverage: Firewalls are typically used to maintain separation between test and production environments. FireMon helps manage rules for both environments and can evaluate network security policies and the impacts of changes across both.

7.3.10 A root-cause and impact analysis is performed for major incidents which result in severe disruption of IT services. Remediation actions are taken to prevent the recurrence of similar incidents.
7.3.12 a. ii. Root cause analysis: where did it happen?
7.3.12 a. iii. Why and how did the incident happen?
7.3.12 c. ii. Measures to address the root cause of the incident.
7.3.12 c. iii. Measures to prevent similar or related incidents from occurring.
FireMon coverage: FireMon reporting capabilities, including attack path analysis; risky protocols, ports, and services; devices with failed controls; and firewall verification reports, provide the deep view into network security policy configuration required to perform root cause analysis of network traffic.

(9) OPERATIONAL INFRASTRUCTURE SECURITY MANAGEMENT
9.0.1 Security solutions are implemented at the data, application, database, operating system, and network layers to adequately address and contain threats.
FireMon coverage: FireMon helps ensure that access to IT systems is protected and that rules involving risky protocols, ports, and services are identified and properly managed.

9.0.2 Measures are implemented to protect sensitive or confidential information such as customer personal, account, and transaction data that are stored and processed in systems.
FireMon coverage: FireMon helps ensure that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed.

9.1.1 Important data are identified and adequate measures are adopted to detect and prevent unauthorised access, copying, or transmission of confidential information.
9.1.3 Measures are implemented to address risks of data theft, data loss and data leakage from endpoint devices, customer service locations, and call centres.
FireMon coverage: FireMon helps ensure that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. Policies developed in FireMon, and deployed in firewalls, can manage access to prevent unauthorised access to and transmission of sensitive information.

9.1.4 Measures are implemented to prevent and detect the use of unsafe internet services within the organisation.
FireMon coverage: FireMon helps ensure that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. This can include blocking unsafe internet services across the network.

9.1.6 Confidential information stored on IT systems, servers and databases is encrypted and protected through strong access controls, bearing in mind the principle of least privilege.
FireMon coverage: FireMon helps ensure that access to IT systems is protected, and that rules involving risky protocols, ports, and services are identified and properly managed. Policies developed in FireMon, and deployed in firewalls, can manage access to prevent unauthorised access to and transmission of sensitive information.

9.2.1 An up-to-date inventory of software and hardware components used in the production and disaster recovery environments is maintained.
FireMon coverage: The FireMon asset inventory report provides information on all security and network assets in use across the entire network.

9.2.3 Effective risk mitigation controls are established where necessary.
FireMon coverage: FireMon Risk Measurement, Risk Recommendations, and Risk Scoring reports help identify where risk exists and how best to mitigate it.

9.3.1 IT systems and devices are configured with security settings that are consistent with the expected level of protection. Baseline standards are established to facilitate consistent application of security configurations to operating systems, databases, network devices, and enterprise mobile devices within the IT environment.
FireMon coverage: FireMon Security Manager allows IT managers to establish consistent policies for firewalls and network devices, and to ensure they are consistently applied throughout the IT infrastructure.

9.3.2 Regular enforcement checks are conducted to ensure that baseline standards are applied uniformly and non-compliances are detected and raised for investigation.
FireMon coverage: FireMon continuous assessment reports, including traffic flow, attack path, global drop firewall rule, and risky ports, protocols, and services details, provide the regular checks that baseline security behaviour is being maintained.

9.3.4 Network security devices, such as firewalls as well as intrusion detection and prevention systems, are installed at critical junctures to protect network perimeters. Rules on network security devices are regularly backed up. Rules on network security devices are regularly reviewed to determine their appropriateness and relevancy.
FireMon coverage: FireMon Security Manager allows IT managers to establish consistent policies for firewalls and network devices, and to ensure they are consistently applied throughout the IT infrastructure. FireMon also provides backups for firewall rules, and manages deployment of rulesets to network devices. Reporting on traffic flow, attack path, global drop firewall rule, risky ports, protocols, and services, firewall rules with "any", and firewall rules with large sources or destinations can inform needed and planned changes to firewall rules.

9.4.1 Rules on network security devices are regularly reviewed to determine their appropriateness and relevancy.
FireMon coverage: FireMon Security Manager allows IT managers to establish consistent policies for firewalls and network devices, and to ensure that they are consistently applied throughout the IT infrastructure. Reporting on traffic flow, attack path, global drop firewall rule, risky ports, protocols, and services, firewall rules with "any", and firewall rules with large sources or destinations can inform needed and planned changes to firewall rules.

9.4.2 Automated tools and manual techniques are used to perform a vulnerability assessment.
FireMon coverage: Reporting on traffic flow, attack path, global drop firewall rule, risky ports, protocols, and services, firewall rules with "any", and firewall rules with large sources or destinations can help to identify vulnerabilities that exist at the network layer, as part of a larger vulnerability assessment.

9.4.4 Penetration tests on internet-facing systems are conducted at least annually.
FireMon coverage: The same network-layer reports are not themselves part of a penetration test, but they are critical to understanding why a penetration test succeeded (which rules exposed the path that was used) and how best to address the security weaknesses found.

9.6.3 Security monitoring tools which enable the detection of changes to critical IT resources such as databases, system or data files and programs are implemented to facilitate the identification of unauthorised changes.
FireMon coverage: For network security devices, FireMon monitors and flags changes to firewall rule configurations, and manages changes to firewall rulesets.

(11) ACCESS CONTROL
11.1.1 User access to IT systems and networks is granted on a need-to-use basis and within the period when the access is required.
FireMon coverage: Logical access to IT resources is controlled at the network layer through the deployment of firewalls. FireMon Security Manager manages the access rules in firewalls across the network.

(12) ONLINE FINANCIAL SERVICES
12.0.3 Risks associated with different types of services provided over the internet are clearly identified in the risk management process.
FireMon coverage: FireMon risk reports describe network access risks, including those related to assets supporting online services.

12.1.1 A security strategy is devised and measures are put in place to ensure the confidentiality, integrity, and availability of data and systems.
FireMon coverage: Fundamental to ensuring confidentiality, integrity, and availability for online services is understanding the risks and attack paths for the assets used in online IT systems. FireMon identifies these through extensive reporting, and provides the ability to consistently deploy security policies to network devices throughout the network.
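The rule-review reports cited for 9.3.4 and 9.4.1 (rules with "any", rules with large sources or destinations, risky ports, protocols and services) and the pre-change analysis cited for 7.1.1 to 7.1.3 are both, at bottom, evaluations run over an ordered firewall ruleset. The Python script below is an added example written for this page to show what those two evaluations look like in working code; it is not FireMon code or FireMon output. The rule format, the first-match-then-implicit-deny semantics, the risky-service list, the /16 "large scope" threshold, the sample ruleset, the host inventory and the candidate rule are all constructed assumptions.

```python
"""Firewall ruleset review and pre-change exposure check.

Added example for this whitepaper; not FireMon code. The rule format,
first-match evaluation with an implicit final deny, the risky-service list,
the "large scope" threshold and all sample data are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed review criteria: services a rule review flags, and the widest prefix
# length still treated as a "large" source or destination (/16 and wider).
RISKY_SERVICES = {"telnet/23", "ftp/21", "smb/445", "rdp/3389", "rpc/135"}
LARGE_PREFIX_MAX = 16


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"
    service: str  # "proto/port", or "any"
    action: str   # "allow" or "deny"


def _network(cidr):
    """Parse a CIDR; the wildcard "any" is represented as None."""
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _matches(cidr, ip):
    net = _network(cidr)
    return net is None or ipaddress.ip_address(ip) in net


def _is_large(cidr):
    # "any" is reported as its own finding, so only real prefixes count here.
    net = _network(cidr)
    return net is not None and net.prefixlen <= LARGE_PREFIX_MAX


def review_rules(rules):
    """Map each permissive rule's name to its review findings: "any" source or
    destination, "any" service, risky service, and large address scope."""
    findings = {}
    for r in rules:
        if r.action != "allow":
            continue
        issues = []
        if r.src == "any" and r.dst == "any":
            issues.append("any-any")
        elif r.src == "any" or r.dst == "any":
            issues.append("any-source-or-destination")
        if r.service == "any":
            issues.append("any-service")
        if r.service in RISKY_SERVICES:
            issues.append("risky-service:" + r.service)
        if _is_large(r.src) or _is_large(r.dst):
            issues.append("large-scope")
        if issues:
            findings[r.name] = issues
    return findings


def permits(rules, src_ip, dst_ip, service):
    """The first matching rule decides; no match means deny (assumed semantics)."""
    for r in rules:
        if (_matches(r.src, src_ip) and _matches(r.dst, dst_ip)
                and r.service in ("any", service)):
            return r.action == "allow"
    return False


def pre_change_exposure(rules, candidate, position, untrusted_ip, assets):
    """Return (host, service, weakness) triples that inserting `candidate` at
    `position` would newly make reachable from `untrusted_ip`.
    `assets` maps host IP -> {service: known weakness label}."""
    proposed = rules[:position] + [candidate] + rules[position:]
    newly_exposed = []
    for host, services in assets.items():
        for svc, weakness in services.items():
            before = permits(rules, untrusted_ip, host, svc)
            after = permits(proposed, untrusted_ip, host, svc)
            if after and not before:
                newly_exposed.append((host, svc, weakness))
    return newly_exposed


# Constructed sample data: an ordered ruleset, a host inventory with known
# weaknesses (labels are illustrative, not real advisory identifiers), and a
# proposed "temporary" rule to be inserted at the top of the policy.
RULES = [
    Rule("allow-web", "any", "203.0.113.10/32", "tcp/443", "allow"),
    Rule("admin-rdp", "10.0.0.0/8", "10.20.0.0/16", "rdp/3389", "allow"),
    Rule("legacy-ftp", "any", "203.0.113.0/24", "ftp/21", "allow"),
    Rule("cleanup", "any", "any", "any", "deny"),
]
ASSETS = {
    "203.0.113.10": {"tcp/443": "weak-tls-config", "smb/445": "unpatched-smb"},
    "203.0.113.20": {"smb/445": "unpatched-smb"},
}
CANDIDATE = Rule("temp-vendor-access", "any", "203.0.113.0/24", "any", "allow")

if __name__ == "__main__":
    for name, issues in review_rules(RULES).items():
        print(f"{name}: {', '.join(issues)}")
    for host, svc, weak in pre_change_exposure(RULES, CANDIDATE, 0, "198.51.100.7", ASSETS):
        print(f"candidate rule newly exposes {svc} on {host} ({weak})")
```

The pre-change check is what separates a risk-aware review from a purely syntactic one. The candidate rule is flagged on its own merits (any source, any service), but the finding a change approver actually needs is that it would newly expose smb/445 on two hosts carrying an unpatched-SMB label, while tcp/443 on the web host is not reported because it was already reachable before the change. A real deployment would replace the constructed inventory with scanner or asset-management output and evaluate every device on the path, not a single ruleset.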

12.1.4 Physical and logical access security are implemented to allow only authorised staff to access systems.
FireMon capability: FireMon manages the network access to IT systems to ensure that only authorised staff are allowed access to systems.

12.2.4 Adequate safeguards are implemented to protect sensitive or confidential information used for mobile online services and payments.
FireMon capability: FireMon ensures that consistent security policies are deployed throughout the network to secure access to sensitive data. The processing of sensitive or confidential information is performed in a secure environment.

(14) IT AUDIT

14.1.1 The scope of IT audit is comprehensive and includes all critical IT operations.
FireMon capability: FireMon supports effective IT audits through numerous reports that describe attack paths, network audit logs, risk measurement and visibility, risky protocols, services and ports, and firewall rule reporting.

APPENDIX A: SYSTEMS SECURITY TESTING AND SOURCE CODE REVIEW

A.1.1 Rigorous testing of systems is conducted to verify the security, reliability and availability of systems under normal and extreme conditions.
FireMon capability: FireMon supports systems security testing by documenting access and attack paths to network devices.

APPENDIX D: DISTRIBUTED DENIAL-OF-SERVICE PROTECTION

D2.2 Devices such as application and network firewalls, network and host-based intrusion detection/prevention systems, routers and other specialised equipment are installed and configured to alert security staff and divert and/or filter network traffic in real-time once an attack is suspected or confirmed.
FireMon capability: FireMon reports provide visibility into attack vectors/paths, and into the firewall rules that may need modification as a result of attacks.

Conclusion

Management of network security devices and network access is fundamental to securing IT systems and customer information. It is also a core capability that is critical in meeting the explicit technical control requirements found in the Technology Risk Management Guidelines, and in providing the supporting information necessary to comply with many of the process-related control requirements of the Guidelines. FireMon's security products provide extensive capabilities across the requirements. They provide comprehensive coverage of the compliance requirements found in Sections 4, 7, 9, 11, and 12, and Appendices A and D of the Guidelines.

About the Author

Jim D. Hietala, CISSP, GIAC GSEC, and Open FAIR, heads security standards activities for a major IT industry standards group, where he has led the development of a number of IT security and risk industry standards. He is also a principal with Compliance Research Group, a risk and compliance consulting organisation. Jim is an active participant in the SANS Analyst/Expert program. A frequent speaker at industry conferences, he has published numerous articles on information security, risk, and compliance topics in publications including the ISSA Journal, Risk Factor, Bank Accounting & Finance, SC Magazine, and Cutter IT Journal. A security industry veteran, he has held leadership roles at a number of security technology startups. He holds a B.S. in Marketing from Southern Illinois University.

About FireMon

FireMon is the industry leader in providing enterprises, governments and managed services providers with proactive security intelligence solutions that deliver deeper visibility and tighter control over their network security infrastructure. The FireMon Security Intelligence Platform, including Security Manager, Policy Planner and Risk Analyzer, enables customers to identify network risk, proactively prevent access to vulnerable assets, clean up firewall policies, automate compliance, strengthen security throughout the organization, and reduce the cost of security operations. For more information, visit http://www.firemon.com.

CONTACT FIREMON: 8400 W. 110th Street, Suite 400, Overland Park, KS 66210 USA. Phone: +1.913.948.9570. Fax: +1.913.948.9571. Email: info@firemon.com

FireMon and the FireMon logo are registered trademarks of FireMon, LLC. All other product or company names mentioned herein are trademarks or registered trademarks of their respective owners. Copyright FireMon, LLC 2014 rev031914