March 24, 2022
MAS TRM GUIDELINES 2013 vs TRM GUIDELINES 2021 – WHAT ARE THE MAJOR CHANGES
The Monetary Authority of Singapore (MAS) revised the Technology Risk Management (MAS TRM) guidelines, which set out risk management principles and best practices for financial institutions, on January 18, 2021, eight years after the previous revision in 2013.
Compared to the MAS TRM guidelines of 2013, several significant revisions can be identified in the 2021 guidelines. Two of the most noticeable changes are the introduction of two new sections (cyber security assessment, and cyber surveillance and security operations) and the addition of three new annexes on application testing and device security.
Main Revisions to the TRM Guidelines
Here are the areas of TRM guidelines that were subjected to major changes by the 2021 revision.
1. Technology Risk Governance and Oversight
The board and senior management should possess the necessary skills and understanding of technology risks, along with distinct roles and responsibilities, since a robust TRM framework depends on effective information asset management and third-party services management.
- Roles and Responsibilities – The board of directors is to appoint technology-related roles such as the CIO and CISO to develop risk management strategies, and to ensure an independent audit function that enhances the effectiveness of risk management and governance within the Financial Institution (FI).
- Management of Information Assets – The FI needs to manage and maintain an inventory of all its information assets (entrusted assets, leased or rented assets, and assets used by service providers).
- Management of Third Party Services – Assessing service providers’ exposure to technology risks, including loss of data confidentiality, integrity, and service availability.
- Risk Management Framework – Assessing scenario-based risks in order to identify accountable personnel and to implement the necessary measures and risk treatments.
2. IT Project Management and Security-by-Design
Standard procedures are to be established for evaluating and monitoring vendors, and a source code escrow agreement is to be put in place in case a vendor is unable to continue supporting the FI. This includes forming a framework to manage the system development life cycle (SDLC) based on security-by-design principles.
3. Software Development and Management
This section elaborates best practices for secure software development and management.
- Agility – Using an agile framework that incorporates secure coding, code review, and security testing.
- DevSecOps – Aligning DevSecOps activities and procedures with the SDLC framework and IT service management processes such as segregation of duties.
- APIs – Establishing adequate safeguards to manage the development and provision of APIs, monitoring API usage by legitimate applications, and implementing measures to mitigate denial-of-service attacks.
4. Access Management
Applying stronger authentication (e.g. multi-factor authentication) for users making remote access connections. Remote access to information assets is to be allowed only from devices that are secured by the FI.
5. Management of Operational Infrastructure Security Risks
Managing the operational infrastructure security risks introduced by emerging technologies such as the Internet of Things (IoT) and virtualization, as below:
- IoT – Maintaining an inventory of all IoT devices, including their physical locations, and securing the networks that host them.
- Virtualization – Strengthening security on all components of virtualization solutions, including virtual machines, images, and snapshots.
6. Defense-in-Depth Approach
Collecting, processing, and analyzing cyber threat information for its potential impact on the FI’s business and IT environment, in order to strengthen cyber resilience. This includes carrying out regular scenario-based cyber exercises and performing adversarial attack simulation exercises. The new MAS TRM guidelines cite:
- Cyber threat intelligence and information sharing – Acquiring cyber intelligence monitoring services to facilitate risk assessments of prevailing cyber threats.
- Cyber event monitoring and security operations – Establishing real-time surveillance to detect potential malicious activities.
- Cyber security assessment and testing – Performing vulnerability assessments and penetration testing (a combination of black-box and grey-box testing) to validate the effectiveness of the FI’s security measures.
- Cyber Incident Management – Developing a cyber incident response and management plan to detect, respond to, and minimize the consequences of cyber incidents, especially those caused by cyber threats.
- Cyber Exercises – Carrying out regular scenario-based cyber exercises such as social engineering, table-top, and cyber range exercises to review the effectiveness of response and recovery.
Important Remarks on the Revised MAS TRM Guidelines
To minimize the proliferating risks that accompany the rapid digital transformation of the financial sector, the 2021 TRM guidelines revision focuses on FIs incorporating security controls as part of the technology development and delivery lifecycle. To serve the ultimate purpose of the revisions, Financial Institutions should assess their ability to meet the requirements of the new TRM guidelines.