www.pwc.com/sg Technology Risk Management Are you ready?



Contents
- Food For Thought...
- Questions

Guidelines & Notice

New technology risk management guidelines and Notice. Impact:
- All financial institutions
- Includes all IT systems, not just internet-facing ones
- Non-compliance with the Notice may carry financial penalties

Gap analysis between IBTRM and the proposed TRM guidelines:
- 64% new and enhanced requirements
- 19% no change
- 17% clarifications and statements

The MAS Internet Banking and Technology Risk Management Guidelines have been updated to enhance financial institutions' oversight of technology risk management and security practices.

Implication of the Notice
1. Framework and process to identify critical systems
2. Recovery Time Objective (RTO) of 4 hours for critical systems
3. IT controls to protect customer information
4. High availability for critical systems: 4 hours of unscheduled downtime
5. Inform MAS of IT security incidents and major system malfunctions within 30 minutes

What this calls for:
- Create a robust risk management framework
- Test your DR plans
- Encrypt customer data
- Active:Active infrastructure
- Real-time monitoring and reporting procedures

TRM Guidelines Key Themes

Six themes were identified that impact your business:
1. TRM Framework and Role of Senior Mgmt. and the Board
2. Enhanced Data Centre Requirements
3. System Availability, Incident and Problem Management
4. Operational Infrastructure Security and Access Management
5. Information Systems Acquisition, Development and Change Management
6. Mobile Online Services

Framework and Role of Senior Mgmt. and the Board

Key Requirements
- Senior management involvement in the IT decision-making process
- Effective IT policies, review and compliance monitoring
- Implementation of a robust risk management framework
- Implementation of an employee screening process

What you need to consider
- Is governance effective enough for the board and senior management to make informed decisions?
- How is local management involved?
- Is there a repository and process to keep IT policies and procedures up to date?
- Is there a formalised IT risk management framework in place?
- Do employee screening processes include third parties?

Enhanced Data Centre Requirements

Key Requirements
- Perform a Threat and Vulnerability Risk Assessment (TVRA)
- Perform onsite visits to service providers
- Include physical and environmental controls for data centres
- Cloud computing: awareness of risks

What you need to consider
- Define your data centres and classify the critical systems in scope.
- The TVRA needs to cover all possible scenarios.
- Detailed contract with the provider covering penalties and data sovereignty.

System Availability, Incident and Problem Management

Key Requirements
- Redundancies for single points of failure (cross-border)
- Recovery time objective (RTO) and recovery point objective (RPO)
- Recovery plan and testing
- Incident response procedures
- Problem management process (root-cause analysis)

What you need to consider
- Are you looking at an Active/Active or Active/Passive (n+1) service to meet these guidelines and the Notice?
- Have all critical systems and network components (on and offshore) been included?
- Do you have a dedicated CERT and a defined plan for security and major incidents?
- Who will manage public announcements and disclosure, and how?

Operational Infrastructure Security and Access Management

Key Requirements
- Active management of software and hardware (end of life/support)
- Baseline standards and enforcement checks for security configurations
- A robust patch management process
- Real-time monitoring
- Never-alone principle for critical
- Reviews of user access management procedures

What you need to consider
- Do you have a documented technology refresh plan and a system EOL/EOS inventory?
- Do your current security practices include file and system integrity monitoring?
- How does your current patch management process classify patches?
- Do you have a patch management strategy that works?
- How have sensitive and administrative activities been restricted and monitored?
- How effective is your user access management process?

Information Systems Acquisition, Development and Change Management

Key Requirements
- A project management framework
- Security requirements specified in the SDLC
- A robust change management process
- End user applications should be developed in line with best practices

What you need to consider
- Do you have an effective project management and governance process over system implementations? Is it consistently applied?
- Have security requirements been considered in your system development and change management procedures?
- Do you know which end user tools, spreadsheets and macros are critical to your business? What methodology was used to develop them?

Mobile Online Services

Key Requirements
- Similar security measures to online financial systems
- Identification of fraud scenarios
- Integrity and authenticity of the payment app
- Encryption of sensitive data
- Education of customers

What you need to consider
- Does your current security strategy encompass mobile banking applications?
- Does your current risk assessment consider mobile banking and mobile-application fraud?
- What is sensitive data? Is information other than authentication-specific information encrypted on the local device?

What you should consider!

Ensure a robust Technology Risk Management framework is in operation to meet your compliance responsibilities:
- Scope: define your scope and risk-assess your critical systems
- Feasibility: perform a gap analysis against the proposed TRM guidelines
- Ownership: obtain buy-in from key stakeholders
- Governance: create a robust governance structure that can guide the development of organisation controls

Food For Thought...

Risk Management
- Regular key stakeholder meetings
- Find an executive sponsor
- Consultative/inclusive
- Senior management involvement
- Assess the impact
- Let the business drive
- Gap analysis
- Promote innovation to drive revenue
- Bring solutions, not problems!

Thank you and questions

Focus on risk, compliance will follow

Manish Chawda
manish.chawda@sg.pwc.com
T: +65 6236 7447
M: +65 9180 1882

This presentation has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2012 PricewaterhouseCoopers Limited. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Limited, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.