RMiT by BNM

10 February, 2020

Risk Management in Technology (RMiT) is the Bank Negara Malaysia (BNM) guideline that sets the technology risk standards for Malaysian financial institutions (FI). FI include banks, insurance companies, and takaful operators.

The issue dated 18 July 2019 is the latest, and it took effect on 1 January 2020.


Key areas the guideline covers:

  1. Project Management

    • FIs must assess project delivery risks.
    • FI must evaluate vendor competency.
  2. Enterprise Architecture Framework

    • FI must maintain a digital map of applications, networks, and security.
    • FI must appoint Chief Information Security Officer (CISO), who is certified and independent from technology operations to manage technology security risks.
    • FI must establish System Development Lifecycle (SDLC) standards and have them reviewed every 3 years.
    • Decommissioning systems must have minimal impact on customers.
  3. Information Security

    • Data should be end-to-end encrypted.
    • Cryptographic standards must be reviewed every 3 years.
  4. Data Centers

    • FI must ensure data center resilience and security.
    • Access to data centers should be monitored by 24-hour surveillance.
    • Unplanned downtime for immediately deliverable systems cannot exceed 4 hours in any 12 months and 120 minutes per incident.
  5. Networks

    • FI must ensure network resilience and security.
    • Network device logs must be maintained for at least 3 years.
  6. Third party service providers

    • Competency of TPSP must be evaluated.
    • TPSP must be bound by Service Level Agreements.
    • FI data must be segregated from other clients.
  7. Cloud Services

    • FI must evaluate risks of cloud services.
    • FI must notify BNM of both critical and non-critical services on cloud.
  8. Cyber security

    • FI must continuously conduct proactive monitoring of its infrastructure.
    • FI must conduct penetration tests annually.
    • FI must protect itself against DDoS attacks.
    • FI must establish Data Loss Prevention (DLP) measures.
    • FI must put a Cyber Incident Response Plan (CIRP) and a Cyber Emergency Response Team (CERT) in place.
    • FI must report cyber-related incidents to BNM and log an incident report through ORION.

RMiT - issue 18 July 2019