Business Owner vs IT Manager (Application Management Responsibilities)

The roles of Application Business Owner and Application IT Manager are often not clearly defined within an organizational setup, or are not well understood. Defining these two roles is essential to ensure that responsibilities and accountabilities are appropriately placed for the management of an IT Application.

Application Business Owner Accountabilities

  • Determine Business Criticality, Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
  • Data Ownership – Identify, Classify and Protect Data.
  • Application Access Control Ownership – Ensure that access to the application, on both the Business and IT side, is granted as per the Need-To-Have Principle.
  • Responsible for the Application’s Information Security Governance and Control and Regulatory Compliance.

Application IT Manager Responsibilities

  • Implement IT controls to Protect Data.
  • Ensure that access to the application, on the IT side, is granted as per the Need-To-Have Principle.
  • Support the Application Business Owner by providing oversight of IT implementation and processes.

 


IT System Controls (High Level)

IT System Controls

  1. Identification of Business Owner and IT Manager
  1. Assessment of Business Criticality of the System
  1. MAS TRM checklist should be completed by the Service Provider team for Compliance with MAS Technology Risk Management Guidelines. This should be answered from the perspective of the Service Provider team and is intended to measure the Service Provider’s own internal controls.

http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/TRM_Checklist.xlsm

  1. MAS Outsourcing Technology Questionnaire should be completed by the Outsourcer/Business Owner together with the Service Provider.

http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/Technology%20Questionnaire%20for%20Outsourcing%202015.docx

  1. Data Flow Diagram showing component-to-component data flow and interfaces with other IT Systems should be created and Data Transfer Protocols should be identified. Secure protocols should be used for data transfer.
  1. Confidential Data should be encrypted in-storage (Database or SAN level encryption) and in-transit (both external and internal connections).
  1. Functional/Non-Functional Specifications Document should be created.
  1. IT Risk Assessment should be initiated and completed.
  1. Multiple-Factor Authentication for access over the internet and for Privileged Access should be implemented.
  1. Penetration Testing (Network level and Application level White box testing) should be performed for Internet Facing Components.
  1. Datacenter and Operations Center Inspection.
  1. Datacenter TVRA (Threat, Vulnerability and Risk Assessment).
  1. PDPA Compliance – Sign-off from the Data Protection Officer once the compliance is achieved.
  1. Cross Border Data Transfer/Access Regulatory Compliance – Sign-off from Compliance team after their clearance.
  1. Source Code Security Reviews for Sensitive Modules – particularly modules dealing with Authentication, Transactions, and Customer Confidential Data.
  1. Controls surrounding Application Business Roles and Access – should be implemented by the Business Owner.
  1. Controls surrounding Application IT Roles and Access – should be implemented by the IT Application Manager.
  1. Controls surrounding Platform IT Roles and Access – should be implemented by the IT Infrastructure Manager.
  1. Application Password Controls – Comply with Password Guidelines.
  1. Transaction Signing.
  1. IT Architecture Standards should be met.
  1. Data Loss Prevention Solutions – Endpoint controls should be implemented by Service Provider.
  1. Source Code Ownership/Escrow Arrangements – Should be discussed and agreed by the Business.
  1. MAS Reporting for Relevant Incidents – Establish processes to meet the regulatory requirement to report to MAS within 1 hour for Security Incidents (if the system contains Customer PII) / System Malfunction (if the application is classified as MAS Critical).
  1. IT Control Enforcement through Legal Contract Clauses – A Legal Contract should be established, which enforces applicable IT Controls, SLAs, Incident Reporting Timelines, etc.

 


The Three Lines of Defense

The management of risk, and the main accountabilities for it, are organized into three lines of defense.

First Line of Defense:

Two groups make up the first line of defense – [i] Divisional Line Management, [ii] Regional IT Management.

      Divisional Line Management:

    • Primary ownership lies with the Business Line. The Business should own, understand and take an active role in front-to-back risk management of their businesses.
    • Operational risk management is the responsibility of every division, department and employee. Each must own and control operational risks and understand/manage inter-dependencies.
    • Primary/global ownership and resolution of audit points.
    • Sign off on global audit points.

      Regional IT Management:

    • Owns the regulatory relationship for IT-related topics in the region.
    • Ownership of location/country-specific regulatory IT compliance.
    • Understand and manage latent and inherent technical and operational risks in the region.
    • Oversight of region-specific IT audit points.

Second Line of Defense – Technology Risk Management:

  • Responsible for IT Risk and Security related Policies (IT COO is responsible for all IT Policies).
  • Responsible for IT Reporting, providing inputs into Global Management.
  • Design and monitor the overall technology risk framework as part of the overall firm-wide operational risk framework (policies, standards, guidelines).
  • Ensure that risk management and mitigation activities are consistent across all divisions and regions.
  • Perform IT Risk Assessments.
  • Partner with Divisional IT, Regional IT Management and IT COO on risk identification, and advise on resolution approach and on-going reporting and governance.

Third Line of Defense – Internal/External Audit:

  • Act as an independent check on the effectiveness of internal controls.
  • Act as an independent advisor for Change-The-Company projects.