What Singapore financial firms must know before investing in IT security

By Tommi Lampila

The Technology Risk Management Guidelines by the Monetary Authority of Singapore outline a set of principles and best practice standards for financial institutions operating in Singapore.

The guidelines steer financial services institutions to establish a sound and robust technology risk management framework, strengthen system security, reliability, availability, and recoverability, and to deploy technologies to secure customer data and transactions.

Costs of Compliance and Security

Compliance programs typically require considerable effort on the part of the organization under assessment, with activities ranging from policy definition, process re-engineering, employee awareness creation, organizational responsibility and role allocation, and documentation, to evaluating, testing, and deploying additional security solutions and controls.

After reaching compliance, the state of the operating environment may need to be re-evaluated at set intervals, to ensure the set controls and practices do not deteriorate over time.

All this may add up to a significant cost and budget item – not only in technology procurement costs, but also in terms of manpower, resource utilization, and operational costs. 

This may lead to IT security being considered as a must-have cost – something that gets in the way of cost-effective business processes, between the employee and his tasks, but which just needs to be endured.

Scope Reduction of Compliance Project

The full implications of industry standards, recommendations, and compliance mandates, such as the MAS TRM Guidelines or the Payment Card Industry Data Security Standard (PCI-DSS), reach beyond listing required IT security controls and technologies.

They aim to steer and develop businesses’ methods of operation and organizational mindsets, to apply due diligence towards the security of customer, patient, and citizen data.

Examining your business operations, transactions, and environment from this perspective leads to essential questions on how business data is handled and processed by your organization: Is this information necessary to conduct the daily business transactions? Does this information need to be stored on these servers or within this business unit? Who in our staff has access to the information and is it needed in their roles and daily tasks? Can we ensure it is only the defined group of employees who accesses the information? Who in our organization controls the setup of these access and trust relationships? And can we prove to our auditors that we have full visibility and understanding into who accesses critical business data and IT resources in our organization?

Posing these questions often leads to adjustments to the operational IT environment, with the aim of reducing the scope of the compliance project. Reducing the number of servers, file transfer end-points, and users that store and process critical and sensitive data effectively reduces the scope, effort, and cost of the compliance project and related recurring audits.

Process Optimisation via More Robust Security Controls

Deploying monitoring and reporting tools so that sufficient data can be gathered on the IT environment, user access, and data operations – and so that it can be easily compiled into readable reports for the auditors – not only reduces the cost of the compliance programs and audits, but can also over time reveal operational characteristics and trends that can be used to optimize the business operations themselves (for example by identifying growing volumes of data being accessed, or transferred between business units).

Applying centralized controls and check-points, reducing the number of users or administrators who have the privilege of setting up trust relationships, user access, or security configurations, and deploying solutions for automation and centralized enforcement of the same, can lead to considerable cost-savings related to the daily costs of managing the IT environment.

Examination of how large financial institutions perform authentication key management has revealed examples of related annual costs of close to 4MUSD, or operational lead-times of two months between a key setup request and when the automated business transaction utilizing the keys can be activated.

These costs can be greatly reduced by deploying centralized and automated solutions for Identity and Access Management, and by optimizing the related processes.

Risk, Compliance, and Cost

The CISO of a large enterprise typically faces multiple compliance programs and challenges, with real budgetary constraints. When evaluating proposed security solutions and controls, the following questions should be asked: What is the extent of risk reduction for my company provided by the solution? Will it help our company to reach compliance, and also to prove it? And will it help to reduce operational costs?

For more information on cost-effective solutions that apply to the MAS TRM Guidelines, you can download the whitepaper “Technology Risk Management Guidelines by Monetary Authority of Singapore – Cost-Effective Controls for Compliance” by SSH Communications Security.

  
