Singapore Internet Banking and Technology Risk Management Guidelines – Risk Management Framework – Summary of Requirements

• By: Staff Editor
• Date: April 11, 2013

• Establishment of  Technology-Risk Management Frameworks
• Strong Systems Security -make the technology infrastructure more reliable, available and recoverable
• Deployment of strong authentication mechanisms to secure customer data and protect transactions

• Conduct proper risk analysis - Identify, categorize and assess relevant risks
• Develop and document a risk management plan consisting of policies and processes to help control these risks
• Continuously monitor these risks and the effectiveness of the plan
• Update the plan regularly; account for changes in
  • Technology
  • Legal requirements
  • Business Environment (including internal and external threats)
  • Security Vulnerabilities

• The board and the management must the responsibility for managing technology-risks. The senior management must directly oversee risk management functions.
• There must be a clear understanding between internet applications and back-end support
• Technology risks must form a part of the conceptualization stage of new internet based products or services
• Management should conduct periodic security risk assessment to identify internal and external threats that may undermine system integrity, interfere with service or result in the disruption of operations
• Security awareness, training and education programs should be conducted regularly
• Disaster recovery and business continuity plans must be developed and implemented and their effectiveness monitored

• Assess the value of the information system assets to be protected
• Categorize, rank and prioritize the assets
• Take business decisions on the control measures to be implemented in order to protect assets
• Implement and institutionalize asset protection policy and ensure top management commitment to it
• Integrate IT security strategy with top management deliverables

• Enlist threats present in the Internet System Configuration
• This includes hardware and software, internal and external networks, applications, operations and human factors
• Consider both internet applications and the back-end implications
• Look at the interaction between the applications and the back end support as this is a key link
• Actively monitor risks that arise from the denial of service attacks, internal sabotage and malware infestations

• Quantify Risks. Define and rate non-quantifiable risks using a parallel scaling method
• Develop threat and vulnerability matrix
• Perform cost benefit analysis of risk management and risk control techniques
• Develop list of human factors such as motivations, resources and competencies required to carry out attacks to identify possible sources

• Entails the disaster recovery and business continuity parameters
• Must be instilled before implementation of framework
• Procedures must be developed in the context of cost effectiveness
• Must be a combination of technical, procedural and functional controls
• Needs to be constantly reassessed
• Risk control needs to be implemented as a regime or institutionalized as a part of the organization’s culture

• Risk treatment must adhere to all the listed treatment procedures 
• Alternate treatments must be developed with cost impact in mind
• Risk treatment must be documented each time and the feedback must be included in the reassessment of risk control policies

Read the Singapore Internet Banking and Technology Risk Management Guidelines in full.