Singapore Internet Banking and Technology Risk Management Guidelines Security and Control Objectives – Summary of Requirements
- By: Staff Editor
- Date: March 28, 2013
The Monetary Authority of Singapore published its Internet Banking and Technology Risk Management guidelines in June 2008. This article provides an overview of the security and control objectives that the guidelines detail.
Denial of Service attacks, spoofing, spamming, phishing, key-logging, hacking, middleman (man-in-the-middle) interception, mutating viruses and worms, and other malware pose serious risks to the technology platforms that banks run. As banks grow in size and scope of operations and expand into new geographies, these challenges grow with them. Banks must be able to assure their customers that online funds transfers are reliable, authentic and legitimate, and protected against these threats.
Banks have to establish a security strategy that fulfills the following security objectives:
- Data confidentiality
- System integrity
- System availability
- Customer and transaction authenticity
- Customer protection
These are explained in detail below:
1. Data Confidentiality
- The strength of the encryption used in a bank's online system should be commensurate with the type and extent of risk that its network, systems and operations face.
- Banks should only choose those encryption algorithms that are in accordance with recognized international standards.
- The algorithms should have been subject to rigorous testing by an international community of cryptographers or approved by authoritative professional bodies, reputable security vendors or government agencies.
- Cryptographic keys that are used – master keys, key encrypting keys or data encrypting keys – must be protected.
- One individual alone should not know what the keys are or have access to all parts that comprise the keys.
- Keys should be created, stored, distributed or changed under the strictest and most secure conditions.
- Data sensitivity and operational criticality should determine how frequently keys are changed.
- The most secure way to carry out encryption and decryption is on hardware security modules (HSMs) or similar tamper-resistant devices; other methods that offer equivalent security are also acceptable.
- Encryption protecting the customer's PIN and other sensitive data should remain intact from the point of data entry to the final system where decryption or authentication is carried out, so that the data is never exposed in the clear at an intermediate hop.
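The split-knowledge and dual-control points above (no single individual knows the whole key or holds all its parts; keys are assembled only under strict conditions) are the part of this section a practitioner can actually exercise in code. The following is an added example written for this summary; it is not MAS guideline text and not any bank's or HSM vendor's implementation. The XOR component scheme, the custodian names and the key-check value (a truncated SHA-256 standing in for the AES-based check value a real HSM would compute) are assumptions made for the example.

```python
"""Dual control of a master key held as XOR components (added example).

No custodian ever sees the whole key: each holds one component, and the key
exists only when every component has been entered into the ceremony object,
which in a bank would be the HSM's key-loading function. Any set of
components smaller than the full set is statistically independent of the key.
The key-check value (KCV) here is a truncated SHA-256 of the assembled key;
that is an assumption for this example, not the AES-based KCV an HSM computes.
"""
import hashlib
import secrets
from typing import Dict, Iterable, List

KEY_LEN = 32  # 256-bit master key


def generate_key() -> bytes:
    """Fresh master key from the OS CSPRNG (inside an HSM in production)."""
    return secrets.token_bytes(KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_custodians: int) -> List[bytes]:
    """Split `key` into n XOR components, one per custodian.

    The first n-1 components are uniformly random; the last one is chosen so
    that the XOR of all n equals the key. Any n-1 components are therefore
    just random bytes and reveal nothing about the key.
    """
    if n_custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    if len(key) != KEY_LEN:
        raise ValueError("unexpected key length")
    components = [secrets.token_bytes(KEY_LEN) for _ in range(n_custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_key(components: Iterable[bytes]) -> bytes:
    """XOR all components back together."""
    key = bytes(KEY_LEN)
    for c in components:
        if len(c) != KEY_LEN:
            raise ValueError("malformed component")
        key = xor_bytes(key, c)
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint confirming the right key was assembled (assumed hash-based KCV)."""
    return hashlib.sha256(key).hexdigest()[:6]


class KeyLoadingCeremony:
    """Accepts one component per named custodian and releases the key only
    when every expected custodian has entered theirs and the KCV matches."""

    def __init__(self, custodians: Iterable[str], expected_kcv: str):
        self.expected = set(custodians)
        if len(self.expected) < 2:
            raise ValueError("dual control needs at least two distinct custodians")
        self.expected_kcv = expected_kcv
        self._entered: Dict[str, bytes] = {}

    def enter_component(self, custodian: str, component: bytes) -> None:
        if custodian not in self.expected:
            raise PermissionError(f"{custodian} is not an authorised custodian")
        if custodian in self._entered:
            raise ValueError(f"{custodian} has already entered a component")
        self._entered[custodian] = component

    def is_complete(self) -> bool:
        return set(self._entered) == self.expected

    def load_key(self) -> bytes:
        """Assemble the key; fails if a custodian is missing or the KCV is wrong."""
        if not self.is_complete():
            missing = sorted(self.expected - set(self._entered))
            raise RuntimeError(f"cannot load key, missing custodians: {missing}")
        key = combine_key(self._entered.values())
        self._entered.clear()  # components are not retained after an attempt
        if key_check_value(key) != self.expected_kcv:
            raise ValueError("key check value mismatch: a component was mistyped or tampered with")
        return key


if __name__ == "__main__":
    master = generate_key()
    parts = split_key(master, 3)
    kcv = key_check_value(master)
    # Each component goes to a different custodian; the whole key is not kept here.
    names = ["custodian_a", "custodian_b", "custodian_c"]
    ceremony = KeyLoadingCeremony(names, kcv)
    for name, part in zip(names, parts):
        ceremony.enter_component(name, part)
    assert ceremony.load_key() == master
    print("key loaded under dual control, KCV", kcv)
```

The ceremony object is the enforcement point: a single custodian calling `load_key()` gets an error naming who is missing, and a mistyped component is caught by the KCV rather than silently producing a wrong key. In a real deployment the same flow runs inside the HSM, with components entered on its own keypad or smart cards.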
2. System Integrity
- Online banking system integrity, meaning the accuracy, reliability and completeness of information processed through online banking systems, should be properly maintained, with controls commensurate with the complexity of the bank's online operations.
- Banks should install monitoring/surveillance systems that raise alerts when unusual online transactions or other erratic system activity take place.
- The following controls should be implemented to maintain the integrity of an online banking system:
- Logical access security: preventive and detective measures that restrict a user's access to data/information to only what that user is permitted to see or do.
- Physical access security: preventive controls that grant physical access to specific facilities and equipment only to selected individuals.
- Processing and transmission controls: preventive, detective or corrective controls for dealing with errors, irregularities or deviations in processing and in transmission.
3. System Availability
- Users should be able to use online banking systems for transactions 24 hours a day, every day of the year; ideally there should be zero downtime.
- Banks, their service providers and their vendors must ensure they have adequate resources and hardware and software capacity to deliver consistently reliable service.
- Front-end and back-end systems should have the same availability profile; the online channel is only as available as the least available system in the transaction path.
- Banks should maintain the standby hardware, software and network components needed for fast recovery in case of system damage or malfunction.
- In order to ensure availability of services, management should ensure that procedures and monitoring tools are in place to track:
- system performance,
- server processes,
- traffic volumes,
- transaction duration and
- capacity utilization
4. Customer and Transaction Authenticity
- Banks should implement two-factor authentication at login for all types of internet banking systems and for authorizing transactions.
- Banks should also require the customer to present the second authentication factor again for high-value transactions or for changes to sensitive customer data. Second-factor tools include one-time passwords (OTPs). Sensitive data here includes the customer's office and home addresses and email and telephone contact details.
- Authenticated sessions and the accompanying encryption protocols should remain intact throughout the customer's interaction with the online system.
- If there is any sign of interference during the session, the session should be terminated.
- Customers should be promptly notified of such incidents, either when the session is ended or subsequently by email or telephone.
- Cryptographic functions, algorithms and protocols should be used to authenticate logins and protect communication sessions between the customer and the bank.
- The bank should implement second-channel procedures for:
- Transactions above pre-set values
- Creation of new account linkages
- Registration of third party payee details
- Changing account details or
- Revisions to funds transfer limits
- Other security mechanisms that let the customer authenticate the bank's website from their end include:
- Personal assurance messages/images
- Exchange of challenge-response security codes or
- Secure sockets layer (SSL) server certificate verification (TLS server certificates serve the same role today)
5. Customer Protection
- The bank must authenticate and verify the customer's identity before granting access to sensitive customer data (such as personal details) or to online banking functions.
- Highly sensitive customer data includes the customer's personal details and the details of his or her bank account.
- Banks should, as part of the two-factor authentication architecture, implement measures to minimize exposure to middleman attacks, more commonly known as:
- man-in-the-middle attacks (MITMA)
- man-in-the-browser attacks or
- man-in-the-application attacks
- Banks should not distribute software to their customers via the internet or through a web-based system unless they can provide adequate security and safeguards for the customers.
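The step-up triggers listed under Customer and Transaction Authenticity (transactions above a preset value, new payee registration, account-detail changes, limit revisions, new account linkages) and the man-in-the-middle exposure that Customer Protection asks the two-factor architecture to minimize can be shown together in one piece of code. The following is an added example written for this summary, not MAS text and not any bank's implementation. The `Transaction` fields, the threshold, the action names, the per-customer token secret and the sample payee identifiers are all constructed for the example. The one-time code is an HMAC-SHA256 over the time step and the transaction fields, so a code captured by a man-in-the-middle or man-in-the-browser cannot be replayed to approve a different payee or amount; that binding is a hardening added here, since the guideline text summarised above mentions only one-time passwords.

```python
"""Second-channel step-up decision and a transaction-bound one-time code.

Added example, not code from the guidelines. Two parts:
1. requires_second_channel() encodes the triggers listed in the summary.
2. transaction_otp() derives the code from the token secret, the current
   time step AND the transaction fields the customer sees on the second
   channel, so the code only approves that exact transaction.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Assumed bank-set threshold: amounts are in cents, so this is 5,000.00.
HIGH_VALUE_THRESHOLD = 500_000
# Assumed action names that always need the second channel regardless of value.
SENSITIVE_ACTIONS = {"add_payee", "link_account", "change_contact_details",
                     "change_transfer_limit"}
OTP_STEP_SECONDS = 30
OTP_DIGITS = 6


@dataclass(frozen=True)
class Transaction:
    action: str            # "transfer" or one of SENSITIVE_ACTIONS
    amount: int = 0        # cents; 0 for non-monetary actions
    payee: str = ""        # destination account / payee identifier
    payee_is_new: bool = False


def requires_second_channel(tx: Transaction) -> bool:
    """Policy decision: must the customer present the second factor again?"""
    if tx.action in SENSITIVE_ACTIONS:
        return True
    if tx.action == "transfer":
        return tx.amount > HIGH_VALUE_THRESHOLD or tx.payee_is_new
    return False


def _transaction_context(tx: Transaction) -> bytes:
    # The fields shown to the customer on the second channel, in a fixed order.
    return f"{tx.action}|{tx.payee}|{tx.amount}".encode()


def transaction_otp(secret: bytes, tx: Transaction, time_step: int) -> str:
    """HMAC-SHA256 over (time step || transaction context), truncated HOTP-style."""
    msg = struct.pack(">Q", time_step) + _transaction_context(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation as in RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def verify_transaction_otp(secret: bytes, tx: Transaction, code: str,
                           now: Optional[float] = None, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift.

    The code is recomputed from the transaction the bank is about to execute,
    so a code issued for a different payee or amount fails even inside the window.
    """
    if len(code) != OTP_DIGITS or not code.isdigit():
        return False
    current = int((time.time() if now is None else now) // OTP_STEP_SECONDS)
    return any(
        hmac.compare_digest(transaction_otp(secret, tx, current + drift), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    token_secret = b"per-customer token secret (assumed, provisioned at enrolment)"
    payment = Transaction("transfer", amount=750_000, payee="SG12-3456-7890",
                          payee_is_new=True)   # constructed sample transaction
    assert requires_second_channel(payment)
    step = int(time.time() // OTP_STEP_SECONDS)
    code = transaction_otp(token_secret, payment, step)   # delivered via SMS/app
    assert verify_transaction_otp(token_secret, payment, code)
    # A MITM that swaps the payee cannot reuse the customer's code.
    diverted = Transaction("transfer", amount=750_000, payee="ATTACKER-ACCT",
                           payee_is_new=True)
    assert not verify_transaction_otp(token_secret, diverted, code)
    print("transaction-bound code accepted only for the original transaction")
```

The important design choice is that the bank's verifier recomputes the code from the transaction it is actually about to execute, never from values echoed back by the client. If the browser or an intermediary alters the payee or amount after the customer confirms, the recomputed context differs and the code fails, which is what makes the second channel a defence against man-in-the-browser tampering and not just against password theft.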
Additional Resources
Read the Singapore Internet Banking and Technology Risk Management Guidelines in full here.