Technology Risk Management: Are you ready?
www.pwc.com/sg
Contents
- Food For Thought...
- Questions
Guidelines & Notice
The MAS Internet Banking and Technology Risk Management Guidelines have been updated to enhance financial institutions' oversight of technology risk management and security practices.
Impact of the new technology risk management guidelines and Notice:
- All financial institutions are covered
- All IT systems are in scope, not just internet-facing ones
- Non-compliance with the Notice may attract financial penalties
Gap analysis between IBTRM and the proposed TRM guidelines:
- 64% new and enhanced requirements
- 19% no change
- 17% clarifications and statements
Implication of the Notice
1. Framework and process to identify critical systems: create a robust risk management framework
2. Recovery Time Objective (RTO) of 4 hours for critical systems: test your DR plans
3. IT controls to protect customer information: encrypt customer data
4. High availability for critical systems (4 hours of unscheduled downtime): Active:Active infrastructure
5. Inform MAS of IT security incidents and major systems malfunction within 30 minutes: real-time monitoring and reporting procedures
TRM Guidelines: Key Themes
Six themes were identified that impact your business:
1. TRM Framework and Role of Senior Management and the Board
2. Enhanced Data Centre Requirements
3. System Availability, Incident and Problem Management
4. Operational Infrastructure Security and Access Management
5. Information Systems Acquisition, Development and Change Management
6. Mobile Online Services
1. TRM Framework and Role of Senior Management and the Board
Key requirements:
- Senior management involvement in the IT decision-making process
- Effective IT policies, review and compliance monitoring
- Implementation of a robust risk management framework
- Implementation of an employee screening process
What you need to consider:
- Is there effective governance to ensure the board and senior management can make informed decisions?
- How is local management involved?
- Is there a repository and process to keep IT policies and procedures up to date?
- Is there a formalised IT risk management framework in place?
- Do employee screening processes include third parties?
2. Enhanced Data Centre Requirements
Key requirements:
- Perform a Threat and Vulnerability Risk Assessment (TVRA)
- Perform onsite visits to service providers
- Include physical and environmental controls for data centres
- Cloud computing: awareness of risks
What you need to consider:
- Define your data centres and classify the critical systems in scope.
- The TVRA needs to cover all possible scenarios.
- Have a detailed contract with the provider covering penalties and data sovereignty.
3. System Availability, Incident and Problem Management
Key requirements:
- Redundancies for single points of failure (cross-border)
- Recovery time objective (RTO) and recovery point objective (RPO)
- Recovery plan and testing
- Incident response procedures
- Problem management process (root-cause analysis)
What you need to consider:
- Are you looking at an Active/Active or Active/Passive service (n+1) to meet these guidelines and the Notice?
- Have all critical systems and network components (on- and offshore) been included?
- Do you have a dedicated CERT and a defined plan for security and major incidents?
- Who will manage public announcements and disclosure, and how?
4. Operational Infrastructure Security and Access Management
Key requirements:
- Active management of software and hardware (end of life/support)
- Baseline standards and enforcement checks for security configurations
- A robust patch management process
- Real-time monitoring
- Never alone principle for critical
- Reviews of user access management procedures
What you need to consider:
- Do you have a documented technology refresh plan and a system EOL/EOS inventory?
- Do your current security practices include file and system integrity monitoring?
- How does your current patch management process classify patches? Do you have a patch management strategy that works?
- How have sensitive and administrative activities been restricted and monitored?
- How effective is your user access management process?
5. Information Systems Acquisition, Development and Change Management
Key requirements:
- A project management framework
- Specified security requirements in the SDLC
- A robust change management process
- End user applications should be developed in line with best practices
What you need to consider:
- Do you have an effective project management and governance process over system implementations? Is it consistently applied?
- Have security requirements been considered in your system development and change management procedures?
- Do you know which end user tools, spreadsheets and macros are critical to your business? What methodology was used to develop them?
6. Mobile Online Services
Key requirements:
- Security measures similar to those for online financial systems
- Identification of fraud scenarios
- Integrity and authenticity of the payment app
- Encryption of sensitive data
- Education of customers
What you need to consider:
- Does your current security strategy encompass mobile banking applications?
- Does your current risk assessment consider mobile banking fraud and the mobile application itself?
- What is sensitive data? Is information other than authentication-specific information encrypted on the local device?
What you should consider
Ensure a robust Technology Risk Management framework is in operation to meet your compliance responsibilities:
- Scope: define your scope and risk-assess your critical systems
- Feasibility: perform a gap analysis against the proposed TRM guidelines
- Ownership: obtain buy-in from key stakeholders
- Governance: create a robust governance structure that can guide the development of organisation controls
Food For Thought...
Risk Management:
- Regular key stakeholder meetings
- Find an executive sponsor
- Consultative/inclusive
- Senior management involvement
- Assess the impact
- Let the business drive
- Gap analysis
- Promote innovation to drive revenue
- Bring solutions, not problems!
Thank you and questions
Focus on risk, compliance will follow.
Manish Chawda
manish.chawda@sg.pwc.com
T: +65 6236 7447
M: +65 9180 1882

This presentation has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it.
© 2012 PricewaterhouseCoopers Limited. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Limited, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.