Technology Risk Management Framework and COBIT
The advancement of information technology (IT) has brought about rapid changes to the way business and operations are conducted in the financial industry. IT is no longer a support function within a financial institution but a key enabler of business strategies, including meeting customer needs. Financial institutions also face the challenge of keeping pace with technological trends and with the needs and preferences of consumers who are becoming more IT-savvy and switching to internet and mobile devices for financial services, given their speed, convenience and ease of use.
The Technology Risk Management (TRM) Guidelines issued by MAS set out risk management, governance principles and best practice standards to guide the financial industry in the following:
- Establishing a sound and robust technology risk management framework;
- Strengthening system security, reliability, resiliency, and recoverability; and
- Deploying strong authentication to protect customer data, transactions and systems.
The Guidelines set by MAS are statements of industry best practice which financial institutions are expected to adopt. COBIT 5 is a business framework that supports financial institutions in governing and managing enterprise IT so as to meet the requirements set forth by MAS. COBIT 5 provides guidance in aligning financial institutions with MAS's Technology Risk Management (TRM) Guidelines in the areas of IT strategy, enterprise governance of IT, IT management, IT processes, IT and business architecture, IT assurance/audit, information systems management, etc.
Information technology is a core function of many financial institutions. When critical systems fail and customers cannot access their accounts, a financial institution's business operations may immediately come to a standstill. The impact on customers would be instantaneous, with significant consequences for the institution, including reputational damage, regulatory breaches, and revenue and business losses.
Financial institutions should establish IT policies, standards and procedures, which are critical components of the framework, to manage technology risks and safeguard information system assets in the organisation. Because the IT operations and security environment changes rapidly, these policies, standards and procedures should be regularly reviewed and updated.
Compliance processes should be implemented to verify that IT security standards and procedures are enforced. Follow-up processes should be implemented so that compliance deviations are addressed and remedied on a timely basis.
Given the requirements above, COBIT 5 is aligned with MAS's Technology Risk Management Guidelines, as highlighted in pink in the picture below.
All financial institutions will need to address the key areas of governance concern defined in the TRM Guidelines:
- Risk Management (adopt risk register, quantify impact etc.)
- IT Outsourcing (vendor compliance, cloud computing, vendor access etc.)
- Online Services
- Payment Cards (cards, transactions, ATMs and kiosks in compliance with PCI DSS)
- System Acquisition & Development (develop project standard, Control Library, incorporate security requirements etc.)
- Service Management & Continuity Planning (incident, problem, change, reporting, action plan, etc.)
- Infrastructure & Data Centre Security (infrastructure security, implementation of security standards such as ISO 27001, encryption, access, protection, etc.)
- Audit, Oversight & Governance (internal and external audit in compliance with standards)
With special emphasis on:
- Protecting Customer Information (Encryption, PDPA, 2FA etc.)
- Cryptographic Functions (standards, encryption, decryption, hashing etc.)
- Access Control and Privileged Access (2FA, defining privilege and limit privilege users, audit logging etc.)