IT System Controls (High Level)

IT System Controls

  1. Identification of Business Owner and IT Manager
  1. Assessment of Business Criticality of the System
  1. MAS TRM checklist should be completed by the Service Provider team for Compliance with MAS Technology Risk Management Guidelines. This should be answered from the perspective of the Service Provider team and is intended to measure the Service Provider’s own internal controls.

http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/TRM_Checklist.xlsm

  1. MAS Outsourcing Technology Questionnaire should be completed by the Outsourcer/Business Owner together with the Service Provider.

http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/Technology%20Questionnaire%20for%20Outsourcing%202015.docx

  1. Data Flow Diagram showing component-to-component data flow and interfaces with other IT Systems should be created and Data Transfer Protocols should be identified. Secure protocols should be used for data transfer.
  1. Confidential Data should be encrypted in-storage (Database or SAN level encryption) and in-transit (both external and internal connections).
  1. Functional/Non-Functional Specifications Document should be created.
  1. IT Risk Assessment should be initiated and completed.
  1. Multiple-Factor Authentication for access over the internet and for Privileged Access should be implemented.
  1. Penetration Testing (Network level and Application level White box testing) should be performed for Internet Facing Components.
  1. Datacenter and Operations Center Inspection.
  1. Datacenter TVRA (Threat, Vulnerability and Risk Assessment).
  1. PDPA Compliance – Signoff from the Data Protection Officer once the compliance is achieved.
  1. Cross Border Data Transfer/Access Regulatory Compliance – Sign-off from Compliance team after their clearance.
  1. Source Code Security Reviews for Sensitive Modules – particularly modules dealing with Authentication, Transactions, and Customer Confidential Data.
  1. Controls surrounding Application Business Roles and Access – should be implemented by the Business Owner.
  1. Controls surrounding Application IT Roles and Access – should be implemented by the IT Application Manager.
  1. Controls surrounding Platform IT Roles and Access – should be implemented by the IT Infrastructure Manager.
  1. Application Password Controls – Comply with Password Guidelines.
  1. Transaction Signing.
  1. IT Architecture Standards should be met.
  1. Data Loss Prevention Solutions – Endpoint controls should be implemented by Service Provider.
  1. Source Code Ownership/Escrow Arrangements – Should be discussed and agreed by the Business.
  1. MAS Reporting for Relevant Incidents – Establish processes to meet the regulatory requirement to report to MAS within 1 hour for Security Incidents (if the system contains Customer PII) / System Malfunction (if the application is classified as MAS Critical).
  1. IT Control Enforcement through Legal Contract Clauses – A Legal Contract should be established, which enforces applicable IT Controls, SLAs, Incident Reporting Timelines, etc.
